Overview

overview

4

Static

static

1

URLScan

urlscan

https://www.mediafir...

windows10-1703-x64

4

Resubmissions

07/03/2024, 00:11

240307-agq7dada2t 7

07/03/2024, 00:08

240307-ae5lzsch9x 4

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    07/03/2024, 00:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://www.mediafire.com/file/2xo9mbmnzpr528e/Avr0ra+X+[by+Ry0sX].zip/file

Score
4/10

Malware Config

Signatures

  • Drops file in Windows directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://www.mediafire.com/file/2xo9mbmnzpr528e/Avr0ra+X+[by+Ry0sX].zip/file"
    1⤵
      PID:4932
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:292
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • NTFS ADS
      PID:3080
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2924
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:652
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Drops file in Windows directory
      • Modifies registry class
      PID:636
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4388
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:4676
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:4320
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Avr0ra X [by Ry0sX]\" -an -ai#7zMap5826:116:7zEvent2216
        1⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2356
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Avr0ra X [by Ry0sX]\Aur0raX\" -spe -an -ai#7zMap19796:116:7zEvent26485
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:500
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Avr0ra X [by Ry0sX]\README.txt
        1⤵
          PID:1000

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
          Filesize

          4KB

          MD5

          1bfe591a4fe3d91b03cdf26eaacd8f89

          SHA1

          719c37c320f518ac168c86723724891950911cea

          SHA256

          9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

          SHA512

          02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BDNVZVVU\edgecompatviewlist[1].xml
          Filesize

          74KB

          MD5

          d4fc49dc14f63895d997fa4940f24378

          SHA1

          3efb1437a7c5e46034147cbbc8db017c69d02c31

          SHA256

          853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

          SHA512

          cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\07FMH8O9\www.mediafire[1].xml
          Filesize

          1KB

          MD5

          8682c8c428240aa8593e7343fc3ba089

          SHA1

          a57305e400e5d53acbfededdf34c4b6cad9f3553

          SHA256

          25f07641e7217c797e727e9344820a29673b42d3bc7f9ce6029b3708cacc8043

          SHA512

          f6ac0a524998fee80e9e12c48c231a6116f897301c52b9458efe9bdde9d3f91469118fbbace30311bbf6b05d23ddb5dd2d3808eee4a5efa9b1523f47fb1207ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\0VVK2IGZ\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\5202WO1U\favicon[1].ico
          Filesize

          10KB

          MD5

          a301c91c118c9e041739ad0c85dfe8c5

          SHA1

          039962373b35960ef2bb5fbbe3856c0859306bf7

          SHA256

          cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

          SHA512

          3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2H0FF29Y\Avr0ra X [by Ry0sX][1].zip
          Filesize

          32KB

          MD5

          743afdef571bc5f61c9f9f4a29836b98

          SHA1

          7c9ec00af5850d01562b48e482484078b7100a0e

          SHA256

          4c5b65ae351918faf80aeecd9650a9cf0e9076451cec9e769a430d5e7ed87100

          SHA512

          64f183f56f7660dbb0368e92e01862596bba8d2628f1ab91cae3dfe9abf59b23000f48a085bb2ddf832b486864423ea24442787a7368db3c5e841a9ae314a75d

          Download Submit

        • C:\Users\Admin\Downloads\Avr0ra X [by Ry0sX].zip
          Filesize

          1.9MB

          MD5

          deca17ac14de387e33577975c6b8ca96

          SHA1

          d5191e76d4e185a8f3ace2bfc6bcbf64c17731e7

          SHA256

          b6e65b11723c3dcab05c9b85b338d0bbd21f27f3eb5b01b11d8aac6d92292f37

          SHA512

          13ae6197b504218f5c6a30b27fa8a32ae467d2a1ab94920037f53fdd6cb80be50c9ddd7b45c61f1844bcb7dbd2de2638a13922f914d27ead6a865226692ecdd1

          Download Submit

        • C:\Users\Admin\Downloads\Avr0ra X [by Ry0sX].zip
          Filesize

          64KB

          MD5

          05201ff86296a1134be86d843a3e714d

          SHA1

          ef150795ddfb7a20154b32504142bd70fb8932a0

          SHA256

          81090176b592d44f77354d8c0483fbb432c89a1a9b518eb1ca88b2f717afb1cd

          SHA512

          90558a260d6f8a06667fcebb3ad82a8b15d618c76b45d8d86aa3a33b851cf71a02b9be05df66c50811c2e20e37bd83db7ff877ce2c4916a4722b3d3ca6c618a8

          Download Submit

        • C:\Users\Admin\Downloads\Avr0ra X [by Ry0sX].zip.d0bj3sp.partial
          Filesize

          8.3MB

          MD5

          e8f2f5c321dc1f0829582e9eadfcdb18

          SHA1

          e8a95fcc839308b69f07ec1f8ba9ba0a0bf06eb5

          SHA256

          118784fe36902a7e0d6e172b5ef8c4f0e1f5250b123fe8b3c3b430ac36926f8a

          SHA512

          9dbc41f83de98f79aea428b8a2b5c49926f166e4b6fc6128882d12416a4afa0a794a05523b79b3ee1311790cc9e81435448c75f701a68bea466638f359cf52b6

          Download Submit

        • memory/292-0-0x0000017A03F20000-0x0000017A03F30000-memory.dmp

          Filesize

          64KB

          Download

        • memory/292-35-0x0000017A041E0000-0x0000017A041E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/292-286-0x0000017A0AF00000-0x0000017A0AF01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/292-285-0x0000017A0AAF0000-0x0000017A0AAF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/292-16-0x0000017A04700000-0x0000017A04710000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-145-0x0000026346020000-0x0000026346022000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-413-0x00000263337E0000-0x00000263337F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-101-0x00000263452E0000-0x00000263452E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-103-0x0000026345300000-0x0000026345302000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-128-0x0000026345620000-0x0000026345720000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/636-143-0x0000026346010000-0x0000026346012000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-97-0x00000263452A0000-0x00000263452A2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-150-0x00000263465A0000-0x00000263466A0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/636-151-0x0000026343F80000-0x0000026343FA0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/636-95-0x0000026345280000-0x0000026345282000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-262-0x000002634A1A0000-0x000002634A1C0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/636-93-0x0000026345260000-0x0000026345262000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-91-0x0000026345240000-0x0000026345242000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-85-0x0000026344CE0000-0x0000026344CE2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-412-0x00000263337E0000-0x00000263337F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-99-0x00000263452C0000-0x00000263452C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-414-0x00000263337E0000-0x00000263337F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-415-0x00000263337E0000-0x00000263337F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-416-0x00000263337E0000-0x00000263337F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-417-0x00000263337E0000-0x00000263337F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-418-0x00000263337E0000-0x00000263337F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-419-0x00000263337E0000-0x00000263337F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/636-82-0x0000026344CC0000-0x0000026344CC2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-80-0x0000026344C80000-0x0000026344C82000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-75-0x0000026344C30000-0x0000026344C32000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-73-0x0000026344900000-0x0000026344902000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-71-0x00000263448E0000-0x00000263448E2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-69-0x00000263448C0000-0x00000263448C2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/636-67-0x00000263446E0000-0x00000263446E2000-memory.dmp

          Filesize

          8KB

          Download