Analysis

  • max time kernel
    141s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-02-2024 16:32

General

  • Target

    AuroraV2/Aurora X.exe

  • Size

    1.2MB

  • MD5

    e05be86ba63e832615a317b86835a5b7

  • SHA1

    b49041b0fa9ac8befc69656488223b39175df8e9

  • SHA256

    3ca80cbf5989832dab19b1ad3ade16acfc6accecc0cc2a02bf94d39aedcc1e8d

  • SHA512

    886bb8eefbaf8b050455cdc032e57e47c8c96ebfd73fc05e68b6235b33fd666d75d666a5a8f36df44668d8fb5ae85f795a90b375faa690184003f496ca1c0b94

  • SSDEEP

    24576:ezb5WDTsy3Hi4lalYItHmy53anD6XWvLXzcnQveFWCe1v6Ltnq:ehUtClljK6mLzcnUeq6Ltq

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3364
    • C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe
      "C:\Users\Admin\AppData\Local\Temp\AuroraV2\Aurora X.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4672
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:3460
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:216
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2756
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:2288
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 5094
          4⤵
          PID:5024
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Nuclear + Plasma + Proper + Merger 5094\Expressions.pif
          4⤵
          PID:520
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Practice 5094\z
          4⤵
          PID:1992
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\5094\Expressions.pif
          5094\Expressions.pif 5094\z
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2312
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 127.0.0.1
          4⤵
          • Runs ping.exe
          PID:676
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\5094\RegAsm.exe
      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\5094\RegAsm.exe
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        3⤵
        • Executes dropped EXE
        PID:4216
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4204 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2224
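The process tree above is a compact specimen of a staged loader: a batch script renamed and run from a 7-Zip SFX temp directory, a tasklist | findstr sweep for security-product processes, a binary reassembled from split chunks with copy /b, a .pif launched from %TEMP%, a loopback ping used as a sleep, and a payload dropped into the user's Startup folder. The following is an added example, not part of the sandbox report: Python hunting rules that encode each of those stages and run offline over constructed Sysmon-style process-creation events whose command lines are copied from the tree above. The rule names, the event field subset (Image, CommandLine, ProcessId, ParentProcessId) and the benign control event are this example's own assumptions.

```python
"""Hunting rules for the staged loader chain in the process tree above.

Events are constructed to mirror the sandbox tree (same PIDs and command
lines); field names follow Sysmon Event ID 1. Rule names are my own.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Security products the dropped batch script looked for with
# `tasklist | findstr /I ...` (taken from the findstr command lines above).
AV_PROCESS_NAMES = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "nswscsvc.exe", "sophoshealth.exe",
}

# `copy /b A + B + C dest` -> group 1 is the source list, group 2 the target.
# Unquoted destinations containing spaces are ambiguous and not handled.
COPY_B_RE = re.compile(r"copy\s+/b\s+(.+?)\s+(\S+)\s*$", re.IGNORECASE)
# `move X X.bat & X.bat`: rename an extensionless drop to .bat and run it.
MOVE_RUN_RE = re.compile(r"move\s+(\S+)\s+\1\.bat\s*&\s*\1\.bat", re.IGNORECASE)
# Loopback ping with a count is the classic cmd.exe "sleep".
PING_DELAY_RE = re.compile(
    r"ping(\.exe)?\s+(-n\s+\d+\s+)?(127\.0\.0\.1|localhost)", re.IGNORECASE)

Event = Dict[str, object]


def image_name(event: Event) -> str:
    return str(event["Image"]).rsplit("\\", 1)[-1].lower()


def parse_copy_b(cmdline: str) -> Optional[Tuple[List[str], str]]:
    """Return (source_parts, destination) for a `copy /b` command, else None."""
    m = COPY_B_RE.search(cmdline)
    if not m:
        return None
    parts = [p.strip() for p in m.group(1).split("+")]
    return parts, m.group(2)


def rule_av_discovery(e: Event) -> bool:
    if image_name(e) != "findstr.exe":
        return False
    cl = str(e["CommandLine"]).lower()
    return any(name in cl for name in AV_PROCESS_NAMES)


def rule_chunk_reassembly(e: Event) -> bool:
    # Only multi-part joins count; a single-source copy /b is ordinary.
    parsed = parse_copy_b(str(e["CommandLine"]))
    return parsed is not None and len(parsed[0]) >= 2


def rule_renamed_batch(e: Event) -> bool:
    return image_name(e) == "cmd.exe" and MOVE_RUN_RE.search(str(e["CommandLine"])) is not None


def rule_pif_from_temp(e: Event) -> bool:
    img = str(e["Image"]).lower()
    return img.endswith(".pif") and "\\appdata\\local\\temp\\" in img


def rule_loopback_ping_delay(e: Event) -> bool:
    return image_name(e) == "ping.exe" and PING_DELAY_RE.search(str(e["CommandLine"])) is not None


def rule_startup_folder_exec(e: Event) -> bool:
    return "\\start menu\\programs\\startup\\" in str(e["Image"]).lower()


RULES: Dict[str, Callable[[Event], bool]] = {
    "av_discovery": rule_av_discovery,
    "chunk_reassembly": rule_chunk_reassembly,
    "renamed_batch": rule_renamed_batch,
    "pif_from_temp": rule_pif_from_temp,
    "loopback_ping_delay": rule_loopback_ping_delay,
    "startup_folder_exec": rule_startup_folder_exec,
}


def evaluate(events: List[Event]) -> Dict[str, List[int]]:
    """Map each rule that fired to the ProcessIds that triggered it."""
    hits: Dict[str, List[int]] = {name: [] for name in RULES}
    for e in events:
        for name, fn in RULES.items():
            if fn(e):
                hits[name].append(int(e["ProcessId"]))  # type: ignore[arg-type]
    return {k: v for k, v in hits.items() if v}


def chain_score(events: List[Event]) -> int:
    """Distinct stages observed; several stages together is the strong signal."""
    return len(evaluate(events))


# Constructed events mirroring the tree above, plus one benign control.
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": 4672, "ParentProcessId": 3440, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /k move Approve Approve.bat & Approve.bat & exit'},
    {"ProcessId": 3460, "ParentProcessId": 4672, "Image": r"C:\Windows\SysWOW64\tasklist.exe",
     "CommandLine": "tasklist"},
    {"ProcessId": 216, "ParentProcessId": 4672, "Image": r"C:\Windows\SysWOW64\findstr.exe",
     "CommandLine": 'findstr /I "wrsa.exe opssvc.exe"'},
    {"ProcessId": 520, "ParentProcessId": 4672, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd /c copy /b Nuclear + Plasma + Proper + Merger 5094\Expressions.pif"},
    {"ProcessId": 1992, "ParentProcessId": 4672, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd /c copy /b Practice 5094\z"},
    {"ProcessId": 2312, "ParentProcessId": 4672,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\5094\Expressions.pif",
     "CommandLine": r"5094\Expressions.pif 5094\z"},
    {"ProcessId": 676, "ParentProcessId": 4672, "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping -n 5 127.0.0.1"},
    {"ProcessId": 4216, "ParentProcessId": 2784,
     "Image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"'},
    # Benign control (constructed): an ordinary ping must not fire the delay rule.
    {"ProcessId": 9001, "ParentProcessId": 1000, "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 4 example.com"},
]

if __name__ == "__main__":
    for rule, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule:22s} {pids}")
    print("stages observed:", chain_score(SAMPLE_EVENTS))
```

Each rule alone is noisy in a real estate (copy /b, loopback pings and findstr are all legitimate admin tooling); the value is in scoring several stages under one ancestry, so in production key the evaluation on the ParentProcessId chain rooted at the SFX-spawned cmd.exe rather than on the flat event list used here. parse_copy_b also gives you the chunk names to pull from the endpoint so the reassembled file can be hashed and compared with the Expressions.pif digests listed under Downloads.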

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\5094\Expressions.pif

                  Filesize

                  924KB

                  MD5

                  848164d084384c49937f99d5b894253e

                  SHA1

                  3055ef803eeec4f175ebf120f94125717ee12444

                  SHA256

                  f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

                  SHA512

                  aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\5094\RegAsm.exe

                  Filesize

                  63KB

                  MD5

                  0d5df43af2916f47d00c1573797c1a13

                  SHA1

                  230ab5559e806574d26b4c20847c368ed55483b0

                  SHA256

                  c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc

                  SHA512

                  f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Approve

                  Filesize

                  11KB

                  MD5

                  4849b374e88e174f9b35b5e5e9269ae6

                  SHA1

                  6199bff5bad3b5088685aeb08686ad303f4f6c29

                  SHA256

                  1deef19e64390b8d41481acd973405e9ce23cfabdcac203f684532de244ac073

                  SHA512

                  1c079cb1d8f78e1833945967fc0daf3bd8250196fe430bea1db8522385e0b193e1ee488b821c760e1f12f4c8d61b653871df4675e73c115964857ed3d2cc0ff9

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Merger

                  Filesize

                  191KB

                  MD5

                  7196d7109e4b363cd13654db907ffea4

                  SHA1

                  21f016d6c8e5bde1c23e48e9cb811dce3227eb7b

                  SHA256

                  9eacfcb6381b4e19513707811960b233337460e57a798e053d6cd0b4e1c3a7e4

                  SHA512

                  41ab7e0411dcb7b378a2068756a403f0092b19dac52f244f871e871abee10b78d29b54a89b411a9b841777a5e4d47def9c60f40cdbbd60bc2f3690c739fd4b02

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Nuclear

                  Filesize

                  188KB

                  MD5

                  62a7e75d1df779e6169adb0cfa905694

                  SHA1

                  3f855dc814432bd0cd6e793c5a5bb2776b838602

                  SHA256

                  7fa7da730c634c4a21832d2d35cbe4a6d1484fcfadbae988e2e97a9ad76f73db

                  SHA512

                  1f22866bfe4c6186b77c05aca2e4088c30e7ea1fe6057782a2a7aefda9221c78be2fe2cc5c673fd266e12218e91a66b254e90ff1d94f9ba6b8552c1e6bbc1698

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plasma

                  Filesize

                  253KB

                  MD5

                  65b274e03e99948cbb03a0464e66ba89

                  SHA1

                  129196df7c9cc04f868f66e0f8fad494a6c4e379

                  SHA256

                  4bfaa5267e22645c0cdacc3154902d9ca2ea3559f47d6acf6813aa20ee1bb75d

                  SHA512

                  2fcb83966b7c9d1709124c9efc5bd24aa1135e91a74d2c92e344465de1ab4b42811a8f2e264e801acbe4f3080e575a0730a38e87564c9f5c74a9d5f71b7a8bc4

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Practice

                  Filesize

                  1.2MB

                  MD5

                  02c12a95e4fcbadc9cd8c35c8a6b5b45

                  SHA1

                  3f9f0e5680497727ff7f6a3a3a245087ec668a79

                  SHA256

                  d3cd709f6751e6f167b3e04706f45542528088af51454a6cfde05041523b0e72

                  SHA512

                  5cb441debcb4a68dbe2ad07576452bb7bbdc2630b711a9ef2a2d9068216c48d00e9a063d52fce2bdb274b7872d842c91e84318da31d6d7c8d2d41a4e72204a2c

                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Proper

                  Filesize

                  292KB

                  MD5

                  5047c62efa1d3a7319f3495137cb8224

                  SHA1

                  0d0d3d840d2d484d8e4db23fd72aff6a0c514aed

                  SHA256

                  76c8d934bd2c8abae1b4cc482c45cf910935411ab643f8c0e54be92c2f63849a

                  SHA512

                  66cfc6656cd6f18fea5fba95d0403664b188acf21a53d76eda5f6692d41950f69ccf2b0ae8e7aeefb0e50c068acf4f61357109983ff2c6db8e1efc076bd9ecfc

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

                  Filesize

                  4KB

                  MD5

                  a5ce3aba68bdb438e98b1d0c70a3d95c

                  SHA1

                  013f5aa9057bf0b3c0c24824de9d075434501354

                  SHA256

                  9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

                  SHA512

                  7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

                • memory/2312-24-0x00000000774E1000-0x0000000077601000-memory.dmp

                  Filesize

                  1.1MB

                • memory/2312-27-0x0000000001850000-0x0000000001851000-memory.dmp

                  Filesize

                  4KB

                • memory/2784-35-0x0000000005610000-0x000000000571A000-memory.dmp

                  Filesize

                  1.0MB

                • memory/2784-41-0x00000000063E0000-0x0000000006472000-memory.dmp

                  Filesize

                  584KB

                • memory/2784-34-0x0000000005B20000-0x0000000006138000-memory.dmp

                  Filesize

                  6.1MB

                • memory/2784-32-0x0000000072FC0000-0x0000000073770000-memory.dmp

                  Filesize

                  7.7MB

                • memory/2784-36-0x0000000005460000-0x0000000005472000-memory.dmp

                  Filesize

                  72KB

                • memory/2784-37-0x0000000005500000-0x000000000553C000-memory.dmp

                  Filesize

                  240KB

                • memory/2784-38-0x0000000005540000-0x000000000558C000-memory.dmp

                  Filesize

                  304KB

                • memory/2784-39-0x00000000058E0000-0x0000000005946000-memory.dmp

                  Filesize

                  408KB

                • memory/2784-40-0x00000000068F0000-0x0000000006E94000-memory.dmp

                  Filesize

                  5.6MB

                • memory/2784-33-0x00000000054F0000-0x0000000005500000-memory.dmp

                  Filesize

                  64KB

                • memory/2784-42-0x0000000006480000-0x00000000064F6000-memory.dmp

                  Filesize

                  472KB

                • memory/2784-43-0x00000000067E0000-0x00000000067FE000-memory.dmp

                  Filesize

                  120KB

                • memory/2784-44-0x0000000007DB0000-0x0000000007E00000-memory.dmp

                  Filesize

                  320KB

                • memory/2784-45-0x0000000007790000-0x0000000007952000-memory.dmp

                  Filesize

                  1.8MB

                • memory/2784-46-0x0000000008330000-0x000000000885C000-memory.dmp

                  Filesize

                  5.2MB

                • memory/2784-29-0x0000000000F00000-0x0000000000F98000-memory.dmp

                  Filesize

                  608KB

                • memory/2784-60-0x0000000072FC0000-0x0000000073770000-memory.dmp

                  Filesize

                  7.7MB

                • memory/4216-59-0x0000000000340000-0x0000000000348000-memory.dmp

                  Filesize

                  32KB

                • memory/4216-61-0x00007FFE61290000-0x00007FFE61D51000-memory.dmp

                  Filesize

                  10.8MB

                • memory/4216-62-0x00007FFE61290000-0x00007FFE61D51000-memory.dmp

                  Filesize

                  10.8MB