hxxp://auroraresourceconsultinggroup[.]com

Analysis

max time kernel
184s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://auroraresourceconsultinggroup.com

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
860	msedge.exe
860	msedge.exe
1020	msedge.exe
1020	msedge.exe
2556	identity_helper.exe
2556	identity_helper.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 1768	1020	msedge.exe	90
PID 1020 wrote to memory of 1768	1020	msedge.exe	90
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 1136	1020	msedge.exe	91
PID 1020 wrote to memory of 860	1020	msedge.exe	92
PID 1020 wrote to memory of 860	1020	msedge.exe	92
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93
PID 1020 wrote to memory of 380	1020	msedge.exe	93

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://auroraresourceconsultinggroup.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb212f46f8,0x7ffb212f4708,0x7ffb212f4718
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15134765406241451963,13789718931637758541,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3160 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e3dc6a82a2cb341f7c9feeaf53f466f

SHA1
915decb72e1f86e14114f14ac9bfd9ba198fdfce

SHA256
a56135007f4dadf6606bc237cb75ff5ff77326ba093dff30d6881ce9a04a114c

SHA512
0a5223e8cecce77613b1c02535c79b3795e5ad89fc0a934e9795e488712e02b527413109ad1f94bbd4eb35dd07b86dd6e9f4b57d4d7c8a0a57ec3f7f76c7890a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b42a0c13e00e0eacc0556d8c5da6004f

SHA1
dcb6edeea237411f99b782ec07d9b298c8377b8e

SHA256
c13f8f0a00536de838b846a7d2caca63383a9b72b71eb5ceb4d55af6f6604a0c

SHA512
4be1bbab37855021c7f69e6bfbb657832374ac50374012e30fad4bffc3b95f3a5c9864506349e8d904cae15c99f70d0e9fa69ee7db5196107dd8b9e35f1fada3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
614B

MD5
773f95aba042e19eca7c3c2f3069d6ab

SHA1
04eee227a20dfad49d2df7a3e1072fcc9d10d864

SHA256
661c7e2c373632defb6a7c53b14f5449b4b4e4f8186817b01d05e4f5c6485bbf

SHA512
e8dbdb26a25bbf8460c1c3b830add980cac3169939d548c02366a7e930564df65af3f13fe4adb1dc8620afff6717fb768d151cddc8aefce4c8b51b3047f105e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1cfd58f165af6604ffe21698d4d88eb2

SHA1
f1d983a85c82f2402cc8dba8293caec3a0d38aeb

SHA256
0adf2121ebc4120ba72ad85f1324a326d1abaa726b63b721b85fe4048d5d08de

SHA512
1a5c818b6c3bfe5b4581b8fbc0ff9e4232a8b1b04e79553240de3de39f8a33d1f60105db9d72cc42bf6484503ea08df36bd0d1d9c162a7fd6e9d697954caea07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
66176f4267ba34cddf47ba44f887ca4c

SHA1
248a1ecc9743cfc49e5b5d3d43ccaee01add897c

SHA256
a321e817f06af71e41625c5d3e13335e8836b538499a2391691192bfe7daba4a

SHA512
9292bc50b5c901f853bb159606731ce6180596a7d55a9ecaecaead69155db40814234a77215d8e15eb5841dfbe3ee8cefbdbc1b8633fe6adfdf5b736e9cf683c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
d758c30c3ffc45b5796d3b9ce54024e9

SHA1
f982ca95720db8150de9c2ca691c64c5246616ee

SHA256
5781660382c9529c45948137390b323151af259c66a9f907e023c1dd028250c0

SHA512
b6a6a640eef24d8fcb797bd3e201e0d9687aa8865b4a7c535f1276f62234ac2ed4f26032a36fb18653beef6bc1946ef02282d69f9f49fdd60673ec58136ce0eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59554a.TMP

Filesize
370B

MD5
a4d30801bb0dce55af639b1875c2dcb1

SHA1
8f5b70df86ab2b708d8bde7e23c5234819a97547

SHA256
c788a6a9f21a436e25551d245ebbe4ee2f83af11ea832454dbbe3aa23929e59f

SHA512
77887668cb563fe84ef4aa1ab2125a459b42a589fdb8c74fe9b5fe57d862836ca720e4da58a9a8c34c5206e5d5abe0df193df20c3dbf13b9a1a9a6576b0ef017

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ed164820f44ac741f1d4f53530e415c

SHA1
7d4604bba4732288d57b463c34333de1448a45ac

SHA256
8446b8edf803608250ea8eb682d8f43818fd5aeffe3734726c0184d0fe076efa

SHA512
1ecbab65ab58599281fd268ad155af3b558b931af67c2ca47439320d184ef27388df2662fdc5828ec399edcbf0ac4d9b4ccb64700c30bed9203c08cbbabb7107

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
360972559bfa6dc54acd6544d3c94b1e

SHA1
58c520852500b98fda767fdb424b0433587fc4a8

SHA256
3667779835d971aaf730156f3ee9d491a4266a1ce07b55ea1780f2c4062323df

SHA512
67036eedc1cd16c12f86ea95b793b9226e83c79e16291db80cf24ab435a57726cb542966de2315d5e84ee8054013808065535060dfeffe7ed8ca7c438d2768d2

Download Submit