Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-02-2024 19:20

General

  • Target

    Aurora/Aurora.exe

  • Size

    1.2MB

  • MD5

    2a3095d23b66a5a0aaec5dff558ec72a

  • SHA1

    95a40abeae9627d654427f06db91d6f810dd1aa2

  • SHA256

    fa80871e2a0b0384f09f41d1a0a6715b7d32b915e70516152b10c32da4151556

  • SHA512

    a418244838831624d33f7bc48966e4b0eb189e8c8452b74c0a15ea7f0f4f8a9e0c3e6ef070f77e6a65c76e802f7b563a21cdd2e7543ceb09a5538a2e59370335

  • SSDEEP

    24576:mzb5WDTsmIGcpFlLCattwf1iSAgIllnvcURFuW/xkWSoyFfboYIQ99S6O0VgC:mhU+7LCabwf1JAgIvbjuAxYogblrS6OY

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe
      "C:\Users\Admin\AppData\Local\Temp\Aurora\Aurora.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Painful Painful.bat & Painful.bat & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3712
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:4980
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:4744
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:3400
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 17839
          4⤵
          PID:2196
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Getting + Incentive + Thread + Collectibles + Informed 17839\Some.pif
          4⤵
          PID:1892
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Depends 17839\o
          4⤵
          PID:3188
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif
          17839\Some.pif 17839\o
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4420
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:1744
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3628
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        3⤵
        • Executes dropped EXE
        PID:4828

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\RegAsm.exe
    Filesize: 63KB
    MD5: 0d5df43af2916f47d00c1573797c1a13
    SHA1: 230ab5559e806574d26b4c20847c368ed55483b0
    SHA256: c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
    SHA512: f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\17839\Some.pif
    Filesize: 924KB
    MD5: 848164d084384c49937f99d5b894253e
    SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
    SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
    SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Collectibles
    Filesize: 185KB
    MD5: e60e6b719a7a34dcccb2d6bcd97424de
    SHA1: 28056594a2d3155197dbf5bce5cff51dbf331b4a
    SHA256: ac9e30fbe5fc06ffe55fb3edd3c5252380e49c01b25379d7f10567cc5f37acfe
    SHA512: 30ed4c5f1b4c690987d02ae38e4c7ea4acff53394a116960de225d0ac6a0f1d5ab3ae84224b8a0b204791424d2195fba8de4c2a616aa0627c098590285bb0e61

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Depends
    Filesize: 1.1MB
    MD5: 37e6bda5dbc39d1e0ba02532c4bafb72
    SHA1: 194703009f09bb2d3013165da74c23fc67ba1100
    SHA256: 36afba9d783a0bcd819b34dacb0f0beb2d167711b42501320244f7bcab9190e7
    SHA512: 92485efb80a8a28cc2a5bf6702fa212aa2072679918c1bb410f78405d0c65ccaee05fe0b95527e92f89f75af72468e0085e2bacb5f24c46062c1abd9b4b7f200

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Getting
    Filesize: 238KB
    MD5: f0b0088291bd53c8a8ccdde80b27c1ea
    SHA1: edc14809a25bacd6a8d573519430c5a0b7bdabf3
    SHA256: 854f3d4e76e9895fbb4db34ffc03447f3c6849bb7886f956ef005ae38225df96
    SHA512: df85d8e2250a57ec1ac419b1ed8356c3b04b6578eea5c1f2fe4245a4ecb55516bcf7a08eba0b38b7447ef5472c6e1d4db7f89d28bdf0d3f978875a2ebfc05436

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Incentive
    Filesize: 220KB
    MD5: 3df26aad973ee35ce3246f6f2fb1b40a
    SHA1: 039a6e581df432f317ac6e57fcee3a8533fb1c5f
    SHA256: 69afbe257da18de11385c7c113ded1cd1d6a5b9312d49c53d348829322fc2689
    SHA512: 0cdbb773ac59ad535ee8c08540db00515c1e9728e39e2224d6772efb4ce97b87abc4787491e96e190bf3f2b0229a76d91da49ae959a0e666d7366ac109d45205

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Informed
    Filesize: 145KB
    MD5: 1d1c99b1dd572318731358c8a01baa4d
    SHA1: efe3d84eb1f3644277093f059aab9248dcbbb958
    SHA256: 708c2d2e15e3f7af01d121ef5284cda947eb180aa38c193495f46424870acee6
    SHA512: 6c7e8c4399bba46045343195b52b51c1a85d67fea533a09b4b4a76419ff33721014af7b5f893e711593d0b0b2d8d76c1097c72efc9a9980b21bf78560b14d601

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Painful
    Filesize: 11KB
    MD5: 14f0143671aa234d550f8236779661f1
    SHA1: 703d124e6ab5c6febec3d382ac013c73d5296804
    SHA256: a15f1384ef47d3192b087bfaf5cc669391b7999fe09b9b15703d76c4c9b4a510
    SHA512: 7562c866a4501e007d125f1341d4324bd4b0af01089e619e85ffb70c9cc47d9bf2b6ce3a6bc9c4e132f5bdfe6801b4e8c6581656483fd2a5ec35e0fdf17dd5f4

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Thread
    Filesize: 136KB
    MD5: de20c902975bd3a0a74349e2802ddee9
    SHA1: a69c64a294e3e4fc98b11088e48d347237e23099
    SHA256: 2fd852e4560b10fb8887bbb5423a3152050306976abde039889c28b0eb216274
    SHA512: 347d6def344010a0a69151775a6b2a0ac4917ce2a2adcae0f87457cd7b9a8a4afc33bc013a4397c4db092afd8c8b872e0de6abdfbc852b9d2d0602d6f0d29485

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
    Filesize: 4KB
    MD5: a5ce3aba68bdb438e98b1d0c70a3d95c
    SHA1: 013f5aa9057bf0b3c0c24824de9d075434501354
    SHA256: 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
    SHA512: 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

  • memory/3628-47-0x00000000071D0000-0x0000000007220000-memory.dmp
    Filesize: 320KB

  • memory/3628-44-0x0000000006380000-0x00000000063F6000-memory.dmp
    Filesize: 472KB

  • memory/3628-35-0x0000000072CA0000-0x0000000073450000-memory.dmp
    Filesize: 7.7MB

  • memory/3628-36-0x0000000005180000-0x0000000005190000-memory.dmp
    Filesize: 64KB

  • memory/3628-37-0x0000000005D50000-0x00000000062F4000-memory.dmp
    Filesize: 5.6MB

  • memory/3628-38-0x0000000006920000-0x0000000006F38000-memory.dmp
    Filesize: 6.1MB

  • memory/3628-39-0x0000000005990000-0x0000000005A9A000-memory.dmp
    Filesize: 1.0MB

  • memory/3628-40-0x00000000058C0000-0x00000000058D2000-memory.dmp
    Filesize: 72KB

  • memory/3628-41-0x0000000005920000-0x000000000595C000-memory.dmp
    Filesize: 240KB

  • memory/3628-42-0x0000000005BA0000-0x0000000005BEC000-memory.dmp
    Filesize: 304KB

  • memory/3628-43-0x0000000005CB0000-0x0000000005D16000-memory.dmp
    Filesize: 408KB

  • memory/3628-32-0x0000000000BB0000-0x0000000000C48000-memory.dmp
    Filesize: 608KB

  • memory/3628-45-0x00000000064A0000-0x0000000006532000-memory.dmp
    Filesize: 584KB

  • memory/3628-46-0x0000000006440000-0x000000000645E000-memory.dmp
    Filesize: 120KB

  • memory/3628-63-0x0000000072CA0000-0x0000000073450000-memory.dmp
    Filesize: 7.7MB

  • memory/3628-48-0x0000000007D90000-0x0000000007F52000-memory.dmp
    Filesize: 1.8MB

  • memory/3628-49-0x0000000008490000-0x00000000089BC000-memory.dmp
    Filesize: 5.2MB

  • memory/4420-27-0x00000000771C1000-0x00000000772E1000-memory.dmp
    Filesize: 1.1MB

  • memory/4420-30-0x0000000000B10000-0x0000000000B11000-memory.dmp
    Filesize: 4KB

  • memory/4828-62-0x0000000000C90000-0x0000000000C98000-memory.dmp
    Filesize: 32KB

  • memory/4828-64-0x00007FFAC34E0000-0x00007FFAC3FA1000-memory.dmp
    Filesize: 10.8MB

  • memory/4828-65-0x00007FFAC34E0000-0x00007FFAC3FA1000-memory.dmp
    Filesize: 10.8MB