Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-03-2024 16:49

General

  • Target

    Aurora X [by RyosX].rar

  • Size

    7.8MB

  • MD5

    89fccf749850ede660ae3fbeac95e487

  • SHA1

    1795c36e70b4454784419e475516c1e1a35fe221

  • SHA256

    ba00978fa3933d128d43f7be77ecd4323284b4bdf1ac80ac0315ef09802749ae

  • SHA512

    eb2b97d321f0bda62f6a698f99debf435a8b040c26a1f68f6769bfa88337887c8dc9c951e9e7ff9dfc78b0f5c730155f4302e89f0bb4c870b3c29b4a2b807807

  • SSDEEP

    196608:Hi2cuMXbwtCZklt0wWwp2aB4gByTnN2yXwc9el:HqoZlt0Wppopb9el

Malware Config

Extracted

Family

redline

Botnet

@dxrkl0rd

C2

45.15.156.167:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 6 IoCs
  • CryptOne packer 1 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Aurora X [by RyosX].rar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Aurora X [by RyosX].rar"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2596
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Aurora_V2.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2388
  • C:\Users\Admin\Desktop\Aurora_V2\Aurora.exe
    "C:\Users\Admin\Desktop\Aurora_V2\Aurora.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2560
  • C:\Users\Admin\Desktop\Aurora_V2\Aurora.exe
    "C:\Users\Admin\Desktop\Aurora_V2\Aurora.exe"
    1⤵
    • Executes dropped EXE
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1044
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Aurora_V2\scripts\scripts.dll
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Aurora_V2\scripts\scripts.dll
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1932
  • C:\Users\Admin\Desktop\Aurora.exe
    "C:\Users\Admin\Desktop\Aurora.exe" C:\Users\Admin\Desktop\scripts
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2948
  • C:\Users\Admin\Desktop\Aurora.exe
    "C:\Users\Admin\Desktop\Aurora.exe" C:\Users\Admin\Desktop\scripts\scripts.dll
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    67KB

    MD5

    753df6889fd7410a2e9fe333da83a429

    SHA1

    3c425f16e8267186061dd48ac1c77c122962456e

    SHA256

    b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

    SHA512

    9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

  • C:\Users\Admin\AppData\Local\Temp\TarE1DE.tmp

    Filesize

    175KB

    MD5

    dd73cead4b93366cf3465c8cd32e2796

    SHA1

    74546226dfe9ceb8184651e920d1dbfb432b314e

    SHA256

    a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

    SHA512

    ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

  • C:\Users\Admin\Desktop\Aurora_V2.rar

    Filesize

    7.8MB

    MD5

    2319c9c1f8ee867e159c7ec45c62a2b0

    SHA1

    6acacabada1f62bd8a890d9af8ec149226c14d6d

    SHA256

    676bd489dd14f999feeada6cea8ac3ac7d01e60a1fa75010c411370d66abd624

    SHA512

    eeb46f1d03fd0e87467cc4596c419a00975f9c7ae2c371cf25120379dc75fefce7fe9ec1330307932ca07ed0a5411d0175a72cab9275a96b2f3c9ee7b767e168

  • C:\Users\Admin\Desktop\Aurora_V2\Aurora.exe

    Filesize

    620KB

    MD5

    403c733d425c072e88fc4a61595519dc

    SHA1

    ad25c881299ef6ac612ea36cdd40884caa479ba4

    SHA256

    96666cb323337b2fc5e3b87369639e637df2bb864a18422fd115c0f8f198b879

    SHA512

    1a30c2be85ec14cb644f3a81062a05b2759c09b6e29245a6856320f47865cd207b694feac6951e1d91c2350cfbe0bdbca2b302d02e92e3286de7bd2b9aafcf3e

  • C:\Users\Admin\Desktop\Aurora_V2\scripts\scripts.dll

    Filesize

    14.2MB

    MD5

    80ff8865e4cffa86d1535de0e75c0bcd

    SHA1

    99fb2db16658cdc72b3df6c26d933fe59c853907

    SHA256

    bfa10dba9571ee9dd08a4ae910cc1513ecd738cc7770030124974ad2f7a939ed

    SHA512

    7da3ed63e1f465fa1564bf2f79dea4a9d799b03e278de856eed730eb1d60d372bb57aee67180e8e7842056010e0275582c05db88d1bc2792f30c0de5e977d1a2

  • memory/1044-43-0x00000000744A0000-0x0000000074B8E000-memory.dmp

    Filesize

    6.9MB

  • memory/1044-44-0x0000000004D70000-0x0000000004DB0000-memory.dmp

    Filesize

    256KB

  • memory/1044-39-0x0000000000280000-0x00000000002D0000-memory.dmp

    Filesize

    320KB

  • memory/1044-86-0x00000000744A0000-0x0000000074B8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2192-97-0x00000000001E0000-0x0000000000230000-memory.dmp

    Filesize

    320KB

  • memory/2192-102-0x0000000004F40000-0x0000000004F80000-memory.dmp

    Filesize

    256KB

  • memory/2192-101-0x0000000074670000-0x0000000074D5E000-memory.dmp

    Filesize

    6.9MB

  • memory/2560-37-0x0000000004F90000-0x0000000004FD0000-memory.dmp

    Filesize

    256KB

  • memory/2560-32-0x0000000000230000-0x0000000000280000-memory.dmp

    Filesize

    320KB

  • memory/2560-83-0x00000000744A0000-0x0000000074B8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2560-36-0x00000000744A0000-0x0000000074B8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2948-90-0x0000000000220000-0x0000000000270000-memory.dmp

    Filesize

    320KB

  • memory/2948-94-0x0000000074670000-0x0000000074D5E000-memory.dmp

    Filesize

    6.9MB

  • memory/2948-95-0x0000000000B40000-0x0000000000B80000-memory.dmp

    Filesize

    256KB