3ca80cbf5989832dab19b1ad3ade16acfc6accecc0cc2a02bf94d39aedcc1e8d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora X.exe
Size

1.2MB
MD5

e05be86ba63e832615a317b86835a5b7
SHA1

b49041b0fa9ac8befc69656488223b39175df8e9
SHA256

3ca80cbf5989832dab19b1ad3ade16acfc6accecc0cc2a02bf94d39aedcc1e8d
SHA512

886bb8eefbaf8b050455cdc032e57e47c8c96ebfd73fc05e68b6235b33fd666d75d666a5a8f36df44668d8fb5ae85f795a90b375faa690184003f496ca1c0b94
SSDEEP

24576:ezb5WDTsy3Hi4lalYItHmy53anD6XWvLXzcnQveFWCe1v6Ltnq:ehUtClljK6mLzcnUeq6Ltq

Score

10^/10

discovery spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2876 created 3552	2876	Expressions.pif	38
PID 2876 created 3552	2876	Expressions.pif	38

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	Aurora X.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	RegAsm.exe

Executes dropped EXE 4 IoCs

pid	Process
2876	Expressions.pif
4696	RegAsm.exe
1484	RegAsm.exe
4028	qemu-ga.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
224	tasklist.exe
4960	tasklist.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5080	PING.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif
1484	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	Expressions.pif

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	224	tasklist.exe
Token: SeDebugPrivilege	4960	tasklist.exe
Token: SeDebugPrivilege	1484	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2876	Expressions.pif
2876	Expressions.pif
2876	Expressions.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 3560	1432	Aurora X.exe	91
PID 1432 wrote to memory of 3560	1432	Aurora X.exe	91
PID 1432 wrote to memory of 3560	1432	Aurora X.exe	91
PID 3560 wrote to memory of 224	3560	cmd.exe	93
PID 3560 wrote to memory of 224	3560	cmd.exe	93
PID 3560 wrote to memory of 224	3560	cmd.exe	93
PID 3560 wrote to memory of 3132	3560	cmd.exe	94
PID 3560 wrote to memory of 3132	3560	cmd.exe	94
PID 3560 wrote to memory of 3132	3560	cmd.exe	94
PID 3560 wrote to memory of 4960	3560	cmd.exe	96
PID 3560 wrote to memory of 4960	3560	cmd.exe	96
PID 3560 wrote to memory of 4960	3560	cmd.exe	96
PID 3560 wrote to memory of 1820	3560	cmd.exe	97
PID 3560 wrote to memory of 1820	3560	cmd.exe	97
PID 3560 wrote to memory of 1820	3560	cmd.exe	97
PID 3560 wrote to memory of 1436	3560	cmd.exe	98
PID 3560 wrote to memory of 1436	3560	cmd.exe	98
PID 3560 wrote to memory of 1436	3560	cmd.exe	98
PID 3560 wrote to memory of 1092	3560	cmd.exe	99
PID 3560 wrote to memory of 1092	3560	cmd.exe	99
PID 3560 wrote to memory of 1092	3560	cmd.exe	99
PID 3560 wrote to memory of 4780	3560	cmd.exe	100
PID 3560 wrote to memory of 4780	3560	cmd.exe	100
PID 3560 wrote to memory of 4780	3560	cmd.exe	100
PID 3560 wrote to memory of 2876	3560	cmd.exe	101
PID 3560 wrote to memory of 2876	3560	cmd.exe	101
PID 3560 wrote to memory of 2876	3560	cmd.exe	101
PID 3560 wrote to memory of 5080	3560	cmd.exe	102
PID 3560 wrote to memory of 5080	3560	cmd.exe	102
PID 3560 wrote to memory of 5080	3560	cmd.exe	102
PID 2876 wrote to memory of 4696	2876	Expressions.pif	105
PID 2876 wrote to memory of 4696	2876	Expressions.pif	105
PID 2876 wrote to memory of 4696	2876	Expressions.pif	105
PID 2876 wrote to memory of 1484	2876	Expressions.pif	106
PID 2876 wrote to memory of 1484	2876	Expressions.pif	106
PID 2876 wrote to memory of 1484	2876	Expressions.pif	106
PID 2876 wrote to memory of 1484	2876	Expressions.pif	106
PID 2876 wrote to memory of 1484	2876	Expressions.pif	106
PID 1484 wrote to memory of 4028	1484	RegAsm.exe	107
PID 1484 wrote to memory of 4028	1484	RegAsm.exe	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\Aurora X.exe
  "C:\Users\Admin\AppData\Local\Temp\Aurora X.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:224
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:3132
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 24241
      4⤵
      PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Nuclear + Plasma + Proper + Merger 24241\Expressions.pif
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Practice 24241\z
      4⤵
      PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24241\Expressions.pif
      24241\Expressions.pif 24241\z
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2876
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:5080
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24241\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24241\RegAsm.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24241\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24241\RegAsm.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
    3⤵
    - Executes dropped EXE
    PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24241\Expressions.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\24241\RegAsm.exe

Filesize
63KB

MD5
0d5df43af2916f47d00c1573797c1a13

SHA1
230ab5559e806574d26b4c20847c368ed55483b0

SHA256
c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

SHA512
f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Approve

Filesize
11KB

MD5
4849b374e88e174f9b35b5e5e9269ae6

SHA1
6199bff5bad3b5088685aeb08686ad303f4f6c29

SHA256
1deef19e64390b8d41481acd973405e9ce23cfabdcac203f684532de244ac073

SHA512
1c079cb1d8f78e1833945967fc0daf3bd8250196fe430bea1db8522385e0b193e1ee488b821c760e1f12f4c8d61b653871df4675e73c115964857ed3d2cc0ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Merger

Filesize
191KB

MD5
7196d7109e4b363cd13654db907ffea4

SHA1
21f016d6c8e5bde1c23e48e9cb811dce3227eb7b

SHA256
9eacfcb6381b4e19513707811960b233337460e57a798e053d6cd0b4e1c3a7e4

SHA512
41ab7e0411dcb7b378a2068756a403f0092b19dac52f244f871e871abee10b78d29b54a89b411a9b841777a5e4d47def9c60f40cdbbd60bc2f3690c739fd4b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nuclear

Filesize
188KB

MD5
62a7e75d1df779e6169adb0cfa905694

SHA1
3f855dc814432bd0cd6e793c5a5bb2776b838602

SHA256
7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db

SHA512
1f22866bfe4c6186b77c05aca2e4088c30e7ea1fe6057782a2a7aefda9221c78be2fe2cc5c673fd266e12218e91a66b254e90ff1d94f9ba6b8552c1e6bbc1698

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plasma

Filesize
253KB

MD5
65b274e03e99948cbb03a0464e66ba89

SHA1
129196df7c9cc04f868f66e0f8fad494a6c4e379

SHA256
4bfaa5267e22645c0cdacc3154902d9ca2ea3559f47d6acf6813aa20ee1bb75d

SHA512
2fcb83966b7c9d1709124c9efc5bd24aa1135e91a74d2c92e344465de1ab4b42811a8f2e264e801acbe4f3080e575a0730a38e87564c9f5c74a9d5f71b7a8bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Practice

Filesize
1.2MB

MD5
02c12a95e4fcbadc9cd8c35c8a6b5b45

SHA1
3f9f0e5680497727ff7f6a3a3a245087ec668a79

SHA256
d3cd709f6751e6f167b3e04706f45542528088af51454a6cfde05041523b0e72

SHA512
5cb441debcb4a68dbe2ad07576452bb7bbdc2630b711a9ef2a2d9068216c48d00e9a063d52fce2bdb274b7872d842c91e84318da31d6d7c8d2d41a4e72204a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Proper

Filesize
292KB

MD5
5047c62efa1d3a7319f3495137cb8224

SHA1
0d0d3d840d2d484d8e4db23fd72aff6a0c514aed

SHA256
76c8d934bd2c8abae1b4cc482c45cf910935411ab643f8c0e54be92c2f63849a

SHA512
66cfc6656cd6f18fea5fba95d0403664b188acf21a53d76eda5f6692d41950f69ccf2b0ae8e7aeefb0e50c068acf4f61357109983ff2c6db8e1efc076bd9ecfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
memory/1484-44-0x0000000006AC0000-0x0000000006B36000-memory.dmp

Filesize
472KB

Download
memory/1484-43-0x00000000069A0000-0x0000000006A32000-memory.dmp

Filesize
584KB

Download
memory/1484-34-0x00000000735C0000-0x0000000073D70000-memory.dmp

Filesize
7.7MB

Download
memory/1484-35-0x0000000005B30000-0x0000000005B40000-memory.dmp

Filesize
64KB

Download
memory/1484-36-0x0000000006160000-0x0000000006778000-memory.dmp

Filesize
6.1MB

Download
memory/1484-37-0x0000000005B40000-0x0000000005C4A000-memory.dmp

Filesize
1.0MB

Download
memory/1484-38-0x0000000005A30000-0x0000000005A42000-memory.dmp

Filesize
72KB

Download
memory/1484-39-0x0000000005A90000-0x0000000005ACC000-memory.dmp

Filesize
240KB

Download
memory/1484-40-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

Filesize
304KB

Download
memory/1484-41-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/1484-42-0x0000000006E40000-0x00000000073E4000-memory.dmp

Filesize
5.6MB

Download
memory/1484-31-0x0000000001380000-0x0000000001418000-memory.dmp

Filesize
608KB

Download
memory/1484-62-0x00000000735C0000-0x0000000073D70000-memory.dmp

Filesize
7.7MB

Download
memory/1484-45-0x0000000006DA0000-0x0000000006DBE000-memory.dmp

Filesize
120KB

Download
memory/1484-46-0x0000000007B50000-0x0000000007BA0000-memory.dmp

Filesize
320KB

Download
memory/1484-47-0x0000000007FE0000-0x00000000081A2000-memory.dmp

Filesize
1.8MB

Download
memory/1484-48-0x00000000086E0000-0x0000000008C0C000-memory.dmp

Filesize
5.2MB

Download
memory/2876-24-0x0000000077AE1000-0x0000000077C01000-memory.dmp

Filesize
1.1MB

Download
memory/2876-27-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/4028-61-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/4028-63-0x00007FFE028C0000-0x00007FFE03381000-memory.dmp

Filesize
10.8MB

Download
memory/4028-64-0x00007FFE028C0000-0x00007FFE03381000-memory.dmp

Filesize
10.8MB

Download