Analysis
- max time kernel: 92s
- max time network: 106s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-02-2024 16:32
Behavioral tasks
- behavioral1: Sample AuroraV2/Aurora X.exe, Resource win7-20240221-en
- behavioral2: Sample AuroraV2/Aurora X.exe, Resource win10v2004-20240226-en
- behavioral3: Sample AuroraV2/scripts/scripts.dll, Resource win7-20240221-en
- behavioral4: Sample AuroraV2/scripts/scripts.dll, Resource win10v2004-20240226-en
General
- Target: AuroraV2/Aurora X.exe
- Size: 1.2MB
- MD5: e05be86ba63e832615a317b86835a5b7
- SHA1: b49041b0fa9ac8befc69656488223b39175df8e9
- SHA256: 3ca80cbf5989832dab19b1ad3ade16acfc6accecc0cc2a02bf94d39aedcc1e8d
- SHA512: 886bb8eefbaf8b050455cdc032e57e47c8c96ebfd73fc05e68b6235b33fd666d75d666a5a8f36df44668d8fb5ae85f795a90b375faa690184003f496ca1c0b94
- SSDEEP: 24576:ezb5WDTsy3Hi4lalYItHmy53anD6XWvLXzcnQveFWCe1v6Ltnq:ehUtClljK6mLzcnUeq6Ltq
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 904 Expressions.pif
- Loads dropped DLL (1 IoC)
  Processes: PID 1052 cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  Processes: PID 2208 tasklist.exe; PID 2860 tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PID 904 Expressions.pif (3 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PID 2208 tasklist.exe (Token: SeDebugPrivilege); PID 2860 tasklist.exe (Token: SeDebugPrivilege)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: PID 904 Expressions.pif (3 events)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: PID 904 Expressions.pif (3 events)
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes (source PID -> target PID, source process -> target process; each relation was recorded 4 times):
  2360 -> 1052: Aurora X.exe -> cmd.exe
  1052 -> 2208: cmd.exe -> tasklist.exe
  1052 -> 2028: cmd.exe -> findstr.exe
  1052 -> 2860: cmd.exe -> tasklist.exe
  1052 -> 1928: cmd.exe -> findstr.exe
  1052 -> 908: cmd.exe -> cmd.exe
  1052 -> 808: cmd.exe -> cmd.exe
  1052 -> 1984: cmd.exe -> cmd.exe
  1052 -> 904: cmd.exe -> Expressions.pif
  1052 -> 2848: cmd.exe -> PING.EXE
Processes (indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"
  PID: 2360
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
    PID: 1052
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2208
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "wrsa.exe opssvc.exe"
      PID: 2028
    - C:\Windows\SysWOW64\tasklist.exe
      Command line: tasklist
      PID: 2860
      Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\findstr.exe
      Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      PID: 1928
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c md 5310
      PID: 908
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b Nuclear + Plasma + Proper + Merger 5310\Expressions.pif
      PID: 808
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c copy /b Practice 5310\z
      PID: 1984
    - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\5310\Expressions.pif
      Command line: 5310\Expressions.pif 5310\z
      PID: 904
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 5 127.0.0.1
      PID: 2848
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 11KB
  MD5: 4849b374e88e174f9b35b5e5e9269ae6
  SHA1: 6199bff5bad3b5088685aeb08686ad303f4f6c29
  SHA256: 1deef19e64390b8d41481acd973405e9ce23cfabdcac203f684532de244ac073
  SHA512: 1c079cb1d8f78e1833945967fc0daf3bd8250196fe430bea1db8522385e0b193e1ee488b821c760e1f12f4c8d61b653871df4675e73c115964857ed3d2cc0ff9
- Filesize: 191KB
  MD5: 7196d7109e4b363cd13654db907ffea4
  SHA1: 21f016d6c8e5bde1c23e48e9cb811dce3227eb7b
  SHA256: 9eacfcb6381b4e19513707811960b233337460e57a798e053d6cd0b4e1c3a7e4
  SHA512: 41ab7e0411dcb7b378a2068756a403f0092b19dac52f244f871e871abee10b78d29b54a89b411a9b841777a5e4d47def9c60f40cdbbd60bc2f3690c739fd4b02
- Filesize: 188KB
  MD5: 62a7e75d1df779e6169adb0cfa905694
  SHA1: 3f855dc814432bd0cd6e793c5a5bb2776b838602
  SHA256: 7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db
  SHA512: 1f22866bfe4c6186b77c05aca2e4088c30e7ea1fe6057782a2a7aefda9221c78be2fe2cc5c673fd266e12218e91a66b254e90ff1d94f9ba6b8552c1e6bbc1698
- Filesize: 253KB
  MD5: 65b274e03e99948cbb03a0464e66ba89
  SHA1: 129196df7c9cc04f868f66e0f8fad494a6c4e379
  SHA256: 4bfaa5267e22645c0cdacc3154902d9ca2ea3559f47d6acf6813aa20ee1bb75d
  SHA512: 2fcb83966b7c9d1709124c9efc5bd24aa1135e91a74d2c92e344465de1ab4b42811a8f2e264e801acbe4f3080e575a0730a38e87564c9f5c74a9d5f71b7a8bc4
- Filesize: 1.2MB
  MD5: 02c12a95e4fcbadc9cd8c35c8a6b5b45
  SHA1: 3f9f0e5680497727ff7f6a3a3a245087ec668a79
  SHA256: d3cd709f6751e6f167b3e04706f45542528088af51454a6cfde05041523b0e72
  SHA512: 5cb441debcb4a68dbe2ad07576452bb7bbdc2630b711a9ef2a2d9068216c48d00e9a063d52fce2bdb274b7872d842c91e84318da31d6d7c8d2d41a4e72204a2c
- Filesize: 292KB
  MD5: 5047c62efa1d3a7319f3495137cb8224
  SHA1: 0d0d3d840d2d484d8e4db23fd72aff6a0c514aed
  SHA256: 76c8d934bd2c8abae1b4cc482c45cf910935411ab643f8c0e54be92c2f63849a
  SHA512: 66cfc6656cd6f18fea5fba95d0403664b188acf21a53d76eda5f6692d41950f69ccf2b0ae8e7aeefb0e50c068acf4f61357109983ff2c6db8e1efc076bd9ecfc
- Filesize: 924KB
  MD5: 848164d084384c49937f99d5b894253e
  SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
  SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
  SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a