Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 27-02-2024 16:28
Behavioral tasks
- behavioral1: Sample Aurora/Aurora.exe, Resource win7-20240221-en
- behavioral2: Sample Aurora/Aurora.exe, Resource win10v2004-20240226-en
- behavioral3: Sample Aurora/scripts/scripts.dll, Resource win7-20240221-en
- behavioral4: Sample Aurora/scripts/scripts.dll, Resource win10v2004-20240226-en
General
- Target: Aurora/Aurora.exe
- Size: 1.2MB
- MD5: 2a3095d23b66a5a0aaec5dff558ec72a
- SHA1: 95a40abeae9627d654427f06db91d6f810dd1aa2
- SHA256: fa80871e2a0b0384f09f41d1a0a6715b7d32b915e70516152b10c32da4151556
- SHA512: a418244838831624d33f7bc48966e4b0eb189e8c8452b74c0a15ea7f0f4f8a9e0c3e6ef070f77e6a65c76e802f7b563a21cdd2e7543ceb09a5538a2e59370335
- SSDEEP: 24576:mzb5WDTsmIGcpFlLCattwf1iSAgIllnvcURFuW/xkWSoyFfboYIQ99S6O0VgC:mhU+7LCabwf1JAgIvbjuAxYogblrS6OY
Malware Config
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  Processes:
  - PID 328 (Some.pif) created 1216; target process: Explorer.EXE
- Drops startup file (1 IoC)
  Processes:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe; process: RegAsm.exe
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 328 Some.pif
  - PID 1692 RegAsm.exe
  - PID 2156 qemu-ga.exe
- Loads dropped DLL (4 IoCs)
  Processes:
  - PID 2640 cmd.exe
  - PID 328 Some.pif
  - PID 1692 RegAsm.exe (2 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes:
  - PID 3040 tasklist.exe
  - PID 2440 tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  - PID 328 Some.pif (4 entries)
  - PID 1692 RegAsm.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 328 Some.pif
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeDebugPrivilege; PID 3040 tasklist.exe
  - Token: SeDebugPrivilege; PID 2440 tasklist.exe
  - Token: SeDebugPrivilege; PID 1692 RegAsm.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
  - PID 328 Some.pif (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
  - PID 328 Some.pif (3 entries)
- Suspicious use of WriteProcessMemory (53 IoCs)
  Processes:
  - PID 3012 (Aurora.exe) wrote to memory of 2640 (cmd.exe) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 3040 (tasklist.exe) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 2688 (findstr.exe) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 2440 (tasklist.exe) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 2464 (findstr.exe) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 1276 (cmd.exe) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 2356 (cmd.exe) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 568 (cmd.exe) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 328 (Some.pif) (4 entries)
  - PID 2640 (cmd.exe) wrote to memory of 1596 (PING.EXE) (4 entries)
  - PID 328 (Some.pif) wrote to memory of 1692 (RegAsm.exe) (9 entries)
  - PID 1692 (RegAsm.exe) wrote to memory of 2156 (qemu-ga.exe) (4 entries)
Processes
- C:\Windows\Explorer.EXE (PID 1216)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe (PID 3012)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2640)
      Command line: "C:\Windows\System32\cmd.exe" /k move Painful Painful.bat & Painful.bat & exit
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 3040)
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\findstr.exe (PID 2688)
        Command line: findstr /I "wrsa.exe opssvc.exe"
      - C:\Windows\SysWOW64\tasklist.exe (PID 2440)
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\findstr.exe (PID 2464)
        Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      - C:\Windows\SysWOW64\cmd.exe (PID 1276)
        Command line: cmd /c md 29663
      - C:\Windows\SysWOW64\cmd.exe (PID 2356)
        Command line: cmd /c copy /b Getting + Incentive + Thread + Collectibles + Informed 29663\Some.pif
      - C:\Windows\SysWOW64\cmd.exe (PID 568)
        Command line: cmd /c copy /b Depends 29663\o
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\Some.pif (PID 328)
        Command line: 29663\Some.pif 29663\o
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 1596)
        Command line: ping -n 5 127.0.0.1
        Signatures: Runs ping.exe
  - C:\Windows\explorer.exe (PID 2588)
    Command line: "C:\Windows\explorer.exe"
  - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe (PID 1692)
    Command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29663\RegAsm.exe
    Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe (PID 2156)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads