Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

9

A u r o r ...ts.dll

windows10-1703-x64

1

A u r o r ... a.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    140s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11/03/2024, 05:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    A u r o r а/А u r o r a.exe

  • Size

    691KB

  • MD5

    aab70c1a8440191120575cbbba6c2150

  • SHA1

    a31aa44bd9e8b21220c205982fc86c2a3d6b9592

  • SHA256

    9ac92a2e58c5d0230e8b3f0d6793e2bacd85a75f8302a713838d7a0f51427da7

  • SHA512

    b5992dbde85cb23f0c4fb8df0becc56d0fdd7336b0745080750a3518c31491919e0342eaaa9e152cfe7ac12381d6c48b86c12bb0eeba961112936a16eb6301d5

  • SSDEEP

    12288:WNH0hgTBscR7Dyzk/Yv/0fSk2VlxOUETL54h5jYg9uTVHZ4CiyBq9PC9bjErs:WNH0hg7lDrAvdVlxzR9U2vyBSMkr

Score
10/10
redlinezgratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3380
      • C:\Users\Admin\AppData\Local\Temp\A u r o r а\А u r o r a.exe
        "C:\Users\Admin\AppData\Local\Temp\A u r o r а\А u r o r a.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:704
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Projected Projected.bat & Projected.bat & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3544
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "wrsa.exe opssvc.exe"
            4⤵
              PID:800
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4576
            • C:\Windows\SysWOW64\findstr.exe
              findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
              4⤵
                PID:4892
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 28291
                4⤵
                  PID:4392
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b 28291\Agents.pif + Habits + Okay + Baseline + Deborah + Lc 28291\Agents.pif
                  4⤵
                    PID:4644
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b Beginners + Left + Mill 28291\i
                    4⤵
                      PID:2344
                    • C:\Users\Admin\AppData\Local\Temp\28291\Agents.pif
                      28291\Agents.pif 28291\i
                      4⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:1292
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 5 127.0.0.1
                      4⤵
                      • Runs ping.exe
                      PID:996
                • C:\Users\Admin\AppData\Local\Temp\28291\RegAsm.exe
                  C:\Users\Admin\AppData\Local\Temp\28291\RegAsm.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:508

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\28291\Agents.pif
                Filesize

                513B

                MD5

                02cc2d6a4240f552cd26dd8425d5bd1d

                SHA1

                d876bd5b74f5a16f95e0d1092646083494ee671e

                SHA256

                87b8e68883d6401ec99ba062feb80c2b8529b296eb8cc0629b4486bce4ce7b4a

                SHA512

                3a49b367bf58379a4bab3a36ae774e101c1cd151055b1cbce1de21bf2b75ab5b36ac5cbb36849eda96f86562ad14ffcb934421fad1b29cf3f70b39926f0e4ecc

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\28291\Agents.pif
                Filesize

                872KB

                MD5

                6ee7ddebff0a2b78c7ac30f6e00d1d11

                SHA1

                f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2

                SHA256

                865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4

                SHA512

                57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\28291\RegAsm.exe
                Filesize

                63KB

                MD5

                b58b926c3574d28d5b7fdd2ca3ec30d5

                SHA1

                d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

                SHA256

                6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

                SHA512

                b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\28291\i
                Filesize

                720KB

                MD5

                dd1889fef5f7482730231a565cd906c6

                SHA1

                dbf33bfd1229cb2f69bb3ac9e074e01400f2d995

                SHA256

                c0aa2ec6c2b6c5c922bad92d140658cd3086847218a26c3697d755d05e47ced2

                SHA512

                91f6bbf18cf5b03e3c835511dc799443351951d375c0754a5814ae50bc454be7b07698789907f086366c4b291711992c516083566013c6d7b03616766e46f8e1

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Baseline
                Filesize

                148KB

                MD5

                494c8cab5cd5d0658d250f97a09aeb5a

                SHA1

                0e20efb835cac14828d85014f492581dd8add3ac

                SHA256

                d63d827017922d315afcbc31ecfbd9be49674428c3b7ec76b5fdaa49a65c14e4

                SHA512

                1660a1629da0af57e42cc4dda4398928e886348c81c95226baa180d15d1501fae18c3642e853cd84d2712ffd7bb70f8ae23b84461c4e5e813a20a09cde189505

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Beginners
                Filesize

                208KB

                MD5

                044a2b3ef8c0786af4d60f07017ac402

                SHA1

                c151bcd5815ef58275293f24371b1bb26a106658

                SHA256

                db7e32c63ac4e3ee767b4d110a71a8f4573b97f60c8b6468d710f2846c12962e

                SHA512

                e3a580600ec4b12efe3e7a9a06f5db42710225ae4dcdb08a14c3ab4e0030dde1f56e424dbb21efeee25dce995be060d1adf0ac523eec2ef0f0b32c7b40faacea

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Deborah
                Filesize

                219KB

                MD5

                1e0a8364fb9fb767a6292f7ea9c2e2e0

                SHA1

                63c758eb30cfde06ba497597453b167eb85b5754

                SHA256

                5925e0a537b88791d7c6a37eacd033e7ebbf0bf9c4f0a038162a9d011611e872

                SHA512

                387fa869102cf875e7fb7c9b4b09d9b9f614110bd32deb7b67b32998626b1ca8ea2f32a575ff2b828bd2ac27c3c151510b4c29caa470e99d6b21df7915ec2680

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Habits
                Filesize

                177KB

                MD5

                c747ac5d8a8b2719a5921336cfe0b82c

                SHA1

                c8129a4db00347946452d854b3f49501196b01b9

                SHA256

                f1229a50477cf8b019b8015270792f409e9dc7d2826bc0b1ec3c04ed5fba0b2a

                SHA512

                03030172df615986112da2770ccc576095766a93060fa2080a8cc9b8c6cd763713931187f0ee5d8374cff1968a887c4fd23068398c2b601385995dda038525e0

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Lc
                Filesize

                114KB

                MD5

                5b0389a535a15f5d519fdbce5df1fb75

                SHA1

                b12f9da16cf8e6d1349b01e6419dbeeb646cec4e

                SHA256

                dc2f68c2a1d7b62a389db394461198e37a324e5d0859a498831bb3d14ab0c489

                SHA512

                2c5da9f30794d81fac0e70af444f8f4d87dbfd64199bb9fd71c8c11f8eb78c1b754497b243fb9cd3cf4516123acff98e23a66a769e80414cdaaff4f251bfe3b8

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Left
                Filesize

                262KB

                MD5

                4dcb0e1effe2d72a8b9f55006e00130a

                SHA1

                0319e776c06b227f9439d8db49a15356ec4f161b

                SHA256

                9e80b72dbe297e891bc5e907cfbb9b2b14237533eac71f4224aeae8b41ad2aff

                SHA512

                199eb0ddc13fa40fa3b5f368f3a150bbd0b803f4751c5b408bd999bf7466c8e49ae192ce2c2dca7a2b49fb0ca60114c4b6628122848498402d4e0d350be6d2fd

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Mill
                Filesize

                250KB

                MD5

                62a183dfb4a7e35b57daf61ff24cfaa3

                SHA1

                37edd9a270735d139b22953a0b8fbaac05aaa5dd

                SHA256

                85def15a4c39385ae46e6cc07fe8e421e7a3763e230f1134675fbac553dac6ff

                SHA512

                9422216f9255eb15b8e65bb53564537e443882f7c8030ba1d4091e6d35f852aa9e0f2dc066d13d087ecdb484267f9518fe330cfa70807dfa2236c0ff54d3aec7

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Okay
                Filesize

                214KB

                MD5

                460dd18fe9ca72685f2efc08f92dfec0

                SHA1

                df3a3666965048d453caa19fe0a31d6d0815ab65

                SHA256

                c6195acce6ac98382677b4523c6bd8fa8578d3008e0378b8a957d4c3fb8c1f51

                SHA512

                4791edc2bf972ed660adf4ee97b4575d61796b00fb5aad69884beabfdabe8f7b02dbfddb795c3ea0e5260a1b10f8b4a684bd985be26c6c9c20d8d25e3e744bfa

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Projected
                Filesize

                12KB

                MD5

                eca28a45222c88f5eb7611abffae206f

                SHA1

                e6ccea706e0f76c270dedb1110d857407d2e6fa6

                SHA256

                816005cdad90ea272cedf0956b2d3dc1c619925d821c3d87c5776f75af64b3ab

                SHA512

                e16a09fea2aaf5e8cd98524a7b6638f3c1fef40033a68f508d8c662d53810d88dc28c8bd49403146587ea7a3378efd6d4725c2fc064cc9ef8ee5fb594ff23294

                Download Submit

              • memory/508-29-0x0000000000900000-0x000000000094C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/508-38-0x0000000005DA0000-0x0000000005DB2000-memory.dmp

                Filesize

                72KB

                Download

              • memory/508-47-0x0000000073A00000-0x00000000740EE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/508-32-0x0000000073A00000-0x00000000740EE000-memory.dmp

                Filesize

                6.9MB

                Download

              • memory/508-33-0x00000000054A0000-0x000000000599E000-memory.dmp

                Filesize

                5.0MB

                Download

              • memory/508-34-0x0000000004E40000-0x0000000004ED2000-memory.dmp

                Filesize

                584KB

                Download

              • memory/508-35-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

                Filesize

                40KB

                Download

              • memory/508-36-0x0000000006270000-0x0000000006876000-memory.dmp

                Filesize

                6.0MB

                Download

              • memory/508-37-0x0000000005EB0000-0x0000000005FBA000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/508-45-0x0000000007C70000-0x000000000819C000-memory.dmp

                Filesize

                5.2MB

                Download

              • memory/508-39-0x0000000005E00000-0x0000000005E3E000-memory.dmp

                Filesize

                248KB

                Download

              • memory/508-40-0x0000000005E40000-0x0000000005E8B000-memory.dmp

                Filesize

                300KB

                Download

              • memory/508-41-0x0000000006080000-0x00000000060E6000-memory.dmp

                Filesize

                408KB

                Download

              • memory/508-42-0x0000000006A00000-0x0000000006A76000-memory.dmp

                Filesize

                472KB

                Download

              • memory/508-43-0x0000000006980000-0x000000000699E000-memory.dmp

                Filesize

                120KB

                Download

              • memory/508-44-0x0000000007570000-0x0000000007732000-memory.dmp

                Filesize

                1.8MB

                Download

              • memory/1292-27-0x0000000000820000-0x0000000000821000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1292-25-0x0000000077CD1000-0x0000000077DE4000-memory.dmp

                Filesize

                1.1MB

                Download