Analysis
max time kernel: 1734s
max time network: 1482s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-02-2024 02:03
Behavioral task behavioral1: Sample AuroraV2/Aurora X.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample AuroraV2/Aurora X.exe, Resource win10v2004-20240226-en
Behavioral task behavioral3: Sample AuroraV2/scripts/scripts.dll, Resource win7-20240221-en
Behavioral task behavioral4: Sample AuroraV2/scripts/scripts.dll, Resource win10v2004-20240226-en
General
Target: AuroraV2/Aurora X.exe
Size: 1.2MB
MD5: e05be86ba63e832615a317b86835a5b7
SHA1: b49041b0fa9ac8befc69656488223b39175df8e9
SHA256: 3ca80cbf5989832dab19b1ad3ade16acfc6accecc0cc2a02bf94d39aedcc1e8d
SHA512: 886bb8eefbaf8b050455cdc032e57e47c8c96ebfd73fc05e68b6235b33fd666d75d666a5a8f36df44668d8fb5ae85f795a90b375faa690184003f496ca1c0b94
SSDEEP: 24576:ezb5WDTsy3Hi4lalYItHmy53anD6XWvLXzcnQveFWCe1v6Ltnq:ehUtClljK6mLzcnUeq6Ltq
Malware Config
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes (description | pid | process | target process):
  PID 2928 created 3440 | 2928 | Expressions.pif | Explorer.EXE
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | Aurora X.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | RegAsm.exe
Drops startup file 1 IoCs
Processes (description | ioc | process):
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | RegAsm.exe
Executes dropped EXE 3 IoCs
Processes (pid | process):
  2928 | Expressions.pif
  3696 | RegAsm.exe
  5044 | qemu-ga.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes (pid | process):
  5092 | tasklist.exe
  5032 | tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes (pid | process; repeated entries are given with a count):
  2928 | Expressions.pif (×8)
  3696 | RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid | process):
  2928 | Expressions.pif
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 5092 | tasklist.exe
  Token: SeDebugPrivilege | 5032 | tasklist.exe
  Token: SeDebugPrivilege | 3696 | RegAsm.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes (pid | process; repeated entries are given with a count):
  2928 | Expressions.pif (×3)
Suspicious use of SendNotifyMessage 3 IoCs
Processes (pid | process; repeated entries are given with a count):
  2928 | Expressions.pif (×3)
Suspicious use of WriteProcessMemory 37 IoCs
Processes (description | pid | process | target process; repeated entries are given with a count):
  PID 1640 wrote to memory of 1840 | 1640 | Aurora X.exe | cmd.exe (×3)
  PID 1840 wrote to memory of 5092 | 1840 | cmd.exe | tasklist.exe (×3)
  PID 1840 wrote to memory of 5000 | 1840 | cmd.exe | findstr.exe (×3)
  PID 1840 wrote to memory of 5032 | 1840 | cmd.exe | tasklist.exe (×3)
  PID 1840 wrote to memory of 732 | 1840 | cmd.exe | findstr.exe (×3)
  PID 1840 wrote to memory of 4508 | 1840 | cmd.exe | cmd.exe (×3)
  PID 1840 wrote to memory of 1096 | 1840 | cmd.exe | cmd.exe (×3)
  PID 1840 wrote to memory of 552 | 1840 | cmd.exe | cmd.exe (×3)
  PID 1840 wrote to memory of 2928 | 1840 | cmd.exe | Expressions.pif (×3)
  PID 1840 wrote to memory of 2976 | 1840 | cmd.exe | PING.EXE (×3)
  PID 2928 wrote to memory of 3696 | 2928 | Expressions.pif | RegAsm.exe (×5)
  PID 3696 wrote to memory of 5044 | 3696 | RegAsm.exe | qemu-ga.exe (×2)
Processes (process tree, indented by depth; each entry gives the image path, the command line, the PID and the signatures matched)

C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  PID: 3440
  C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"
    PID: 1640
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
      PID: 1840
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\tasklist.exe
        cmd: tasklist
        PID: 5092
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /I "wrsa.exe opssvc.exe"
        PID: 5000
      C:\Windows\SysWOW64\tasklist.exe
        cmd: tasklist
        PID: 5032
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\findstr.exe
        cmd: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        PID: 732
      C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c md 31216
        PID: 4508
      C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c copy /b Nuclear + Plasma + Proper + Merger 31216\Expressions.pif
        PID: 1096
      C:\Windows\SysWOW64\cmd.exe
        cmd: cmd /c copy /b Practice 31216\z
        PID: 552
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\Expressions.pif
        cmd: 31216\Expressions.pif 31216\z
        PID: 2928
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\PING.EXE
        cmd: ping -n 5 127.0.0.1
        PID: 2976
        - Runs ping.exe
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\31216\RegAsm.exe
    PID: 3696
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
      cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
      PID: 5044
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads