Analysis
- max time kernel: 131s
- max time network: 140s
- platform: windows10-1703_x64
- resource: win10-20240221-en
- resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 11/03/2024, 05:23
Behavioral task: behavioral1
- Sample: A u r o r а/scripts/scripts.dll
- Resource: win10-20240221-en
General
- Target: A u r o r а/А u r o r a.exe
- Size: 691KB
- MD5: aab70c1a8440191120575cbbba6c2150
- SHA1: a31aa44bd9e8b21220c205982fc86c2a3d6b9592
- SHA256: 9ac92a2e58c5d0230e8b3f0d6793e2bacd85a75f8302a713838d7a0f51427da7
- SHA512: b5992dbde85cb23f0c4fb8df0becc56d0fdd7336b0745080750a3518c31491919e0342eaaa9e152cfe7ac12381d6c48b86c12bb0eeba961112936a16eb6301d5
- SSDEEP: 12288:WNH0hgTBscR7Dyzk/Yv/0fSk2VlxOUETL54h5jYg9uTVHZ4CiyBq9PC9bjErs:WNH0hg7lDrAvdVlxzR9U2vyBSMkr
Malware Config
Signatures
- Detect ZGRat V1 (1 IoC)
  resource: behavioral2/memory/508-29-0x0000000000900000-0x000000000094C000-memory.dmp
  yara_rule: family_zgrat_v1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/508-29-0x0000000000900000-0x000000000094C000-memory.dmp
  yara_rule: family_redline
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 1292 created 3380 | 1292 | Agents.pif | 54
- Executes dropped EXE (2 IoCs)
  pid | Process
  1292 | Agents.pif
  508 | RegAsm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials among other sensitive data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates processes with tasklist (1 TTP, 2 IoCs)
  pid | Process
  2772 | tasklist.exe
  4576 | tasklist.exe
- Runs ping.exe (1 TTP, 1 IoC)
  pid | Process
  996 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (9 IoCs; identical rows collapsed, count gives the number of entries)
  pid | Process | count
  1292 | Agents.pif | 8
  508 | RegAsm.exe | 1
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2772 | tasklist.exe
  Token: SeDebugPrivilege | 4576 | tasklist.exe
  Token: SeDebugPrivilege | 508 | RegAsm.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process | count
  1292 | Agents.pif | 3
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | Process | count
  1292 | Agents.pif | 3
- Suspicious use of WriteProcessMemory (35 IoCs; identical rows collapsed, count gives the number of entries)
  description | pid | Process | procid_target | count
  PID 704 wrote to memory of 3544 | 704 | А u r o r a.exe | 74 | 3
  PID 3544 wrote to memory of 2772 | 3544 | cmd.exe | 76 | 3
  PID 3544 wrote to memory of 800 | 3544 | cmd.exe | 77 | 3
  PID 3544 wrote to memory of 4576 | 3544 | cmd.exe | 79 | 3
  PID 3544 wrote to memory of 4892 | 3544 | cmd.exe | 80 | 3
  PID 3544 wrote to memory of 4392 | 3544 | cmd.exe | 81 | 3
  PID 3544 wrote to memory of 4644 | 3544 | cmd.exe | 82 | 3
  PID 3544 wrote to memory of 2344 | 3544 | cmd.exe | 83 | 3
  PID 3544 wrote to memory of 1292 | 3544 | cmd.exe | 84 | 3
  PID 3544 wrote to memory of 996 | 3544 | cmd.exe | 85 | 3
  PID 1292 wrote to memory of 508 | 1292 | Agents.pif | 86 | 5
Processes
- C:\Windows\Explorer.EXE (PID 3380)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\A u r o r а\А u r o r a.exe (PID 704)
    command line: "C:\Users\Admin\AppData\Local\Temp\A u r o r а\А u r o r a.exe"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 3544)
      command line: "C:\Windows\System32\cmd.exe" /k move Projected Projected.bat & Projected.bat & exit
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\tasklist.exe (PID 2772)
        command line: tasklist
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\findstr.exe (PID 800)
        command line: findstr /I "wrsa.exe opssvc.exe"
      - C:\Windows\SysWOW64\tasklist.exe (PID 4576)
        command line: tasklist
        signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\findstr.exe (PID 4892)
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      - C:\Windows\SysWOW64\cmd.exe (PID 4392)
        command line: cmd /c md 28291
      - C:\Windows\SysWOW64\cmd.exe (PID 4644)
        command line: cmd /c copy /b 28291\Agents.pif + Habits + Okay + Baseline + Deborah + Lc 28291\Agents.pif
      - C:\Windows\SysWOW64\cmd.exe (PID 2344)
        command line: cmd /c copy /b Beginners + Left + Mill 28291\i
      - C:\Users\Admin\AppData\Local\Temp\28291\Agents.pif (PID 1292)
        command line: 28291\Agents.pif 28291\i
        signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 996)
        command line: ping -n 5 127.0.0.1
        signatures: Runs ping.exe
  - C:\Users\Admin\AppData\Local\Temp\28291\RegAsm.exe (PID 508)
    command line: C:\Users\Admin\AppData\Local\Temp\28291\RegAsm.exe
    signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads