Analysis

  • max time kernel
    128s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28-02-2024 19:20

General

  • Target

    Aurora/Aurora.exe

  • Size

    1.2MB

  • MD5

    2a3095d23b66a5a0aaec5dff558ec72a

  • SHA1

    95a40abeae9627d654427f06db91d6f810dd1aa2

  • SHA256

    fa80871e2a0b0384f09f41d1a0a6715b7d32b915e70516152b10c32da4151556

  • SHA512

    a418244838831624d33f7bc48966e4b0eb189e8c8452b74c0a15ea7f0f4f8a9e0c3e6ef070f77e6a65c76e802f7b563a21cdd2e7543ceb09a5538a2e59370335

  • SSDEEP

    24576:mzb5WDTsmIGcpFlLCattwf1iSAgIllnvcURFuW/xkWSoyFfboYIQ99S6O0VgC:mhU+7LCabwf1JAgIvbjuAxYogblrS6OY

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and autofill data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3308
    • C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe
      "C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Painful Painful.bat & Painful.bat & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3920
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:3776
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4648
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:3940
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 17846
          4⤵
          PID:4652
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Getting + Incentive + Thread + Collectibles + Informed 17846\Some.pif
          4⤵
          PID:1552
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Depends 17846\o
          4⤵
          PID:4680
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif
          17846\Some.pif 17846\o
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:772
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1556
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        3⤵
        • Executes dropped EXE
        PID:3392
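
The process tree above is a compact record of the dropper's behaviour: a file renamed to .bat and run from cmd.exe, two tasklist|findstr checks for security-product process names, fragments concatenated with copy /b into a .pif, a loopback ping used as a delay, execution from the 7ZipSfx temp directory, and a binary started from the Startup folder. Note also that the report attaches the NtCreateUserProcessOtherParentProcess signature to Some.pif while listing RegAsm.exe directly under Explorer.EXE, so parent-child links in this tree cannot be trusted on their own; the rules below key on command lines and image paths instead. The following detection pass is an added example and not part of the sandbox report: the events are constructed to mirror the tree (same images, command lines and PIDs), and the rule names, the PING_MIN_COUNT threshold and the set of executable extensions matched are this example's own assumptions.

```python
"""Detection pass over process-creation events (added example).

The events are constructed to mirror the process tree in the report above;
they are not sandbox output. Rule names and thresholds are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events: same images, command lines and PIDs as the report's tree.
EVENTS = [
    ProcEvent(3308, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4476, 3308, r"C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"'),
    ProcEvent(1868, 4476, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k move Painful Painful.bat & Painful.bat & exit'),
    ProcEvent(3920, 1868, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(3776, 1868, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "wrsa.exe opssvc.exe"'),
    ProcEvent(4648, 1868, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(3940, 1868, r"C:\Windows\SysWOW64\findstr.exe",
              'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"'),
    ProcEvent(4652, 1868, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 17846"),
    ProcEvent(1552, 1868, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd /c copy /b Getting + Incentive + Thread + Collectibles + Informed 17846\Some.pif"),
    ProcEvent(4680, 1868, r"C:\Windows\SysWOW64\cmd.exe", r"cmd /c copy /b Depends 17846\o"),
    ProcEvent(772, 1868, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif",
              r"17846\Some.pif 17846\o"),
    ProcEvent(1556, 1868, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 5 127.0.0.1"),
    ProcEvent(1828, 3308, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe",
              r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe"),
    ProcEvent(3392, 1828,
              r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe",
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"'),
]

# "move X X.bat & X.bat": a payload file renamed to .bat and run in one cmd line.
MOVE_BAT_RE = re.compile(r"\bmove\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", re.I)
# "copy /b A + B + C dest.pif": fragments concatenated into an executable.
COPY_B_RE = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+\.(?:pif|exe|scr|com))\s*$", re.I)
# "ping -n N 127.0.0.1": loopback ping used as a sleep.
PING_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(\d+)\s+127\.0\.0\.1", re.I)
# findstr with a quoted list of process names (paired with a sibling tasklist).
FINDSTR_EXE_RE = re.compile(r'findstr\s+/I\s+"([^"]*\.exe[^"]*)"', re.I)
PING_MIN_COUNT = 3  # assumption: shorter loopback pings are too common to flag


def detect(events):
    """Return (rule, pid, detail) findings for the patterns seen in the tree."""
    findings = []
    for e in events:
        cl, img = e.cmdline, e.image.lower()
        if m := MOVE_BAT_RE.search(cl):
            findings.append(("batch_rename_and_run", e.pid, m.group(1)))
        if (m := COPY_B_RE.search(cl)) and "+" in m.group(1):
            parts = [p.strip() for p in m.group(1).split("+")]
            findings.append(("fragment_concat_to_executable", e.pid, (len(parts), m.group(2))))
        if (m := PING_RE.search(cl)) and int(m.group(1)) >= PING_MIN_COUNT:
            findings.append(("ping_loopback_delay", e.pid, int(m.group(1))))
        if img.endswith("findstr.exe") and (m := FINDSTR_EXE_RE.search(cl)):
            # Only meaningful when a tasklist under the same parent feeds it.
            siblings = [s for s in events if s.ppid == e.ppid and s.pid != e.pid]
            if any(s.image.lower().endswith("tasklist.exe") for s in siblings):
                findings.append(("av_process_discovery", e.pid, tuple(m.group(1).split())))
        if "\\start menu\\programs\\startup\\" in img:
            findings.append(("startup_folder_execution", e.pid, e.image))
        if "\\appdata\\local\\temp\\7zipsfx." in img:
            findings.append(("sfx_temp_execution", e.pid, e.image))
    return findings


def summarize(findings):
    """Group findings as rule -> sorted PIDs, the shape a triage note wants."""
    by_rule = defaultdict(set)
    for rule, pid, _ in findings:
        by_rule[rule].add(pid)
    return {rule: sorted(pids) for rule, pids in by_rule.items()}


if __name__ == "__main__":
    for rule, pids in sorted(summarize(detect(EVENTS)).items()):
        print(f"{rule:32} {pids}")
```

Each rule fires on a single event's command line or image path, with the one exception of av_process_discovery, which also requires a tasklist.exe sibling under the same parent so that a lone findstr does not trigger it. Feeding real Sysmon Event ID 1 records into ProcEvent needs only the four fields shown.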

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\RegAsm.exe

                Filesize

                63KB

                MD5

                b58b926c3574d28d5b7fdd2ca3ec30d5

                SHA1

                d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                SHA256

                6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                SHA512

                b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17846\Some.pif

                Filesize

                924KB

                MD5

                848164d084384c49937f99d5b894253e

                SHA1

                3055ef803eeec4f175ebf120f94125717ee12444

                SHA256

                f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

                SHA512

                aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Collectibles

                Filesize

                185KB

                MD5

                e60e6b719a7a34dcccb2d6bcd97424de

                SHA1

                28056594a2d3155197dbf5bce5cff51dbf331b4a

                SHA256

                ac9e30fbe5fc06ffe55fb3edd3c5252380e49c01b25379d7f10567cc5f37acfe

                SHA512

                30ed4c5f1b4c690987d02ae38e4c7ea4acff53394a116960de225d0ac6a0f1d5ab3ae84224b8a0b204791424d2195fba8de4c2a616aa0627c098590285bb0e61

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Depends

                Filesize

                1.1MB

                MD5

                37e6bda5dbc39d1e0ba02532c4bafb72

                SHA1

                194703009f09bb2d3013165da74c23fc67ba1100

                SHA256

                36afba9d783a0bcd819b34dacb0f0beb2d167711b42501320244f7bcab9190e7

                SHA512

                92485efb80a8a28cc2a5bf6702fa212aa2072679918c1bb410f78405d0c65ccaee05fe0b95527e92f89f75af72468e0085e2bacb5f24c46062c1abd9b4b7f200

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Getting

                Filesize

                238KB

                MD5

                f0b0088291bd53c8a8ccdde80b27c1ea

                SHA1

                edc14809a25bacd6a8d573519430c5a0b7bdabf3

                SHA256

                854f3d4e76e9895fbb4db34ffc03447f3c6849bb7886f956ef005ae38225df96

                SHA512

                df85d8e2250a57ec1ac419b1ed8356c3b04b6578eea5c1f2fe4245a4ecb55516bcf7a08eba0b38b7447ef5472c6e1d4db7f89d28bdf0d3f978875a2ebfc05436

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Incentive

                Filesize

                220KB

                MD5

                3df26aad973ee35ce3246f6f2fb1b40a

                SHA1

                039a6e581df432f317ac6e57fcee3a8533fb1c5f

                SHA256

                69afbe257da18de11385c7c113ded1cd1d6a5b9312d49c53d348829322fc2689

                SHA512

                0cdbb773ac59ad535ee8c08540db00515c1e9728e39e2224d6772efb4ce97b87abc4787491e96e190bf3f2b0229a76d91da49ae959a0e666d7366ac109d45205

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Informed

                Filesize

                145KB

                MD5

                1d1c99b1dd572318731358c8a01baa4d

                SHA1

                efe3d84eb1f3644277093f059aab9248dcbbb958

                SHA256

                708c2d2e15e3f7af01d121ef5284cda947eb180aa38c193495f46424870acee6

                SHA512

                6c7e8c4399bba46045343195b52b51c1a85d67fea533a09b4b4a76419ff33721014af7b5f893e711593d0b0b2d8d76c1097c72efc9a9980b21bf78560b14d601

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Painful

                Filesize

                11KB

                MD5

                14f0143671aa234d550f8236779661f1

                SHA1

                703d124e6ab5c6febec3d382ac013c73d5296804

                SHA256

                a15f1384ef47d3192b087bfaf5cc669391b7999fe09b9b15703d76c4c9b4a510

                SHA512

                7562c866a4501e007d125f1341d4324bd4b0af01089e619e85ffb70c9cc47d9bf2b6ce3a6bc9c4e132f5bdfe6801b4e8c6581656483fd2a5ec35e0fdf17dd5f4

              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Thread

                Filesize

                136KB

                MD5

                de20c902975bd3a0a74349e2802ddee9

                SHA1

                a69c64a294e3e4fc98b11088e48d347237e23099

                SHA256

                2fd852e4560b10fb8887bbb5423a3152050306976abde039889c28b0eb216274

                SHA512

                347d6def344010a0a69151775a6b2a0ac4917ce2a2adcae0f87457cd7b9a8a4afc33bc013a4397c4db092afd8c8b872e0de6abdfbc852b9d2d0602d6f0d29485

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

                Filesize

                4KB

                MD5

                a5ce3aba68bdb438e98b1d0c70a3d95c

                SHA1

                013f5aa9057bf0b3c0c24824de9d075434501354

                SHA256

                9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

                SHA512

                7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

              • memory/772-27-0x0000000077641000-0x0000000077754000-memory.dmp

                Filesize

                1.1MB

              • memory/772-30-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

                Filesize

                4KB

              • memory/1828-37-0x0000000006DB0000-0x00000000073B6000-memory.dmp

                Filesize

                6.0MB

              • memory/1828-44-0x00000000067A0000-0x0000000006816000-memory.dmp

                Filesize

                472KB

              • memory/1828-35-0x00000000732B0000-0x000000007399E000-memory.dmp

                Filesize

                6.9MB

              • memory/1828-38-0x0000000005F90000-0x000000000609A000-memory.dmp

                Filesize

                1.0MB

              • memory/1828-39-0x0000000005EC0000-0x0000000005ED2000-memory.dmp

                Filesize

                72KB

              • memory/1828-40-0x0000000005F20000-0x0000000005F5E000-memory.dmp

                Filesize

                248KB

              • memory/1828-41-0x00000000060A0000-0x00000000060EB000-memory.dmp

                Filesize

                300KB

              • memory/1828-42-0x00000000061A0000-0x0000000006206000-memory.dmp

                Filesize

                408KB

              • memory/1828-43-0x0000000006940000-0x00000000069D2000-memory.dmp

                Filesize

                584KB

              • memory/1828-36-0x00000000062A0000-0x000000000679E000-memory.dmp

                Filesize

                5.0MB

              • memory/1828-45-0x0000000006920000-0x000000000693E000-memory.dmp

                Filesize

                120KB

              • memory/1828-46-0x0000000007850000-0x00000000078A0000-memory.dmp

                Filesize

                320KB

              • memory/1828-47-0x00000000081A0000-0x0000000008362000-memory.dmp

                Filesize

                1.8MB

              • memory/1828-48-0x00000000088A0000-0x0000000008DCC000-memory.dmp

                Filesize

                5.2MB

              • memory/1828-32-0x0000000001120000-0x00000000011B8000-memory.dmp

                Filesize

                608KB

              • memory/1828-56-0x00000000732B0000-0x000000007399E000-memory.dmp

                Filesize

                6.9MB

              • memory/3392-55-0x00000000003A0000-0x00000000003A8000-memory.dmp

                Filesize

                32KB

              • memory/3392-57-0x00007FFB15780000-0x00007FFB1616C000-memory.dmp

                Filesize

                9.9MB

              • memory/3392-58-0x00007FFB15780000-0x00007FFB1616C000-memory.dmp

                Filesize

                9.9MB