aurora | 24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4

Analysis

max time kernel
0s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
19-03-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe
Size

5.4MB
MD5

e0d2634fe2b085685f0b71e66ac91ec9
SHA1

c03d6b2218ffff1957a91f64d15ee1cbb57726fd
SHA256

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4
SHA512

48e72eccb385e282b419fe7116d6a0c7c0a6cd5ca482e57ae7b1b52440e347833d0aa9c15097bdeec8074b9a60d90843a5d4f20e4ce9d0595f3dc0a38b6fdde8
SSDEEP

49152:pyWMOEmrU4VWLP6zev05oej0EL9gCegK/efy5d8A45EG273LCV0UOQJUh9q101GF:Eq6PQn4/9GEp32VLV+h9sF

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

167.235.58.189:456

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3060 schtasks.exe
664 schtasks.exe
2008 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid process

4476 powershell.exe
4476 powershell.exe
4576 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4476 powershell.exe
Token: SeDebugPrivilege 4576 powershell.exe

pid	process
3060	schtasks.exe
664	schtasks.exe
2008	schtasks.exe

pid	process
4476	powershell.exe
4476	powershell.exe
4576	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exepowershell.exe

description	pid	process	target process
PID 4032 wrote to memory of 4476	4032	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	powershell.exe
PID 4032 wrote to memory of 4476	4032	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	powershell.exe
PID 4476 wrote to memory of 3060	4476	powershell.exe	schtasks.exe
PID 4476 wrote to memory of 3060	4476	powershell.exe	schtasks.exe
PID 4032 wrote to memory of 4576	4032	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	powershell.exe
PID 4032 wrote to memory of 4576	4032	24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe
"C:\Users\Admin\AppData\Local\Temp\24c485ecb00d9d6ed8c12fb7a3162169cb1b666ab9a90eb3c1bcdf8dd8c40df4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
2⤵
PID:412

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:664

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:1616

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:3064

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
f826b0f308c70bbdc9faf72cdbfa8625

SHA1
081241c1df362da55a4f056bc5893cfe89fa0df1

SHA256
e5d2a2341a167602610fee57f134e8fa73d6e5c8bff307c81f0ebd539ae16d19

SHA512
ed6def0fe893adb849b13cb4f2ce8c808fa1c4b731cf5d612141829e4b009b7537b01b6d2d05fe8878834c8017bcccd9994bca7ed3f1cf4c770d2acd04c7e555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
67KB

MD5
f8e91a26302b3f6bae76b805fa4ed2de

SHA1
cf65a2701576efd958a9cbd1e5793c83f1cb7009

SHA256
297d5f9886078483ebcadc087a9f54b817e7ec3c5f30da9053ffcd945bc0ec9e

SHA512
8f8db869263a92227a7ae0d2652edf29fd769269728a5d56c22f5fa2e842827bd1cb96693b9115a45e031c8901596f34440acaef732bc0a32f82a2df5a6e7cae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe

Filesize
66KB

MD5
cc2dfaccc2753f20342a2e4ba89739ef

SHA1
529363b217e51ff33f47e0bc8d2af6a1e1f67524

SHA256
a2d84ac5c646c9dc282be24ef747f45f0bc3feeed84d2fd75525c8ca7f5d9dd2

SHA512
568d07d300e6a6a4a17f10f122341930a76ad305f370d057d351ccfc9fac4fda502bcf144e8ae348c019e9dc03cf89436c6dc0ca187928143e705c2c2f19f8c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
92KB

MD5
1574ebcbd725266b8de8a299e1def2db

SHA1
f36506036563c84ed49e27fef409347baa8d47d0

SHA256
2783e21c4883d983ae4bdbad293e0b5b0b947aa840396d72f40077833f631f28

SHA512
2603d1990b921dfda301ec9775257ab1b7f438753de2f518bc7f7f750c470c19b23f42da53c1c596e22dbe9b397beacaee473b647403fedd6f48872656cf4b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
114KB

MD5
9ab9fda63ceb1683098025fe10d782f5

SHA1
2350e8626420947521f44f063cba2191505c1e93

SHA256
c8a134da4dfc8f2601ef8d1e39a74c0789d6433d437df52f243b74a6a345173b

SHA512
6adc3976b36f799af0578527b6c1ff76dd8d578fd34580d608dbc55f84052b6889209c4488de1634a7a81536d696ec790539e3934010b8fce83b15b070df1d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe

Filesize
199KB

MD5
34dcb0f2c8c79d768f3495a05dbd8eca

SHA1
d77448ebfdf9e13be2c3db788b5914c5a0d6d900

SHA256
a0a5dedea8d1549ac84dc41270cbaee766e891326ecad00536809a732951ed76

SHA512
501cae77c39cce238515e8de3d2dca2b2dc9dcc456818712fbeed5911061793d120da23f577a8c45bcc128401849a6bafc7bf16dc7e921c6bf189e178fc1e323

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ks0ea54i.m2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
78KB

MD5
1cda1243886a2af0158e3539cc6d63ab

SHA1
716aab2d56cf6cdd0b3ef955d2aa282aaab0a089

SHA256
b4e558ce70d2b49333dfb8c30d0b743d5161164778a9920b365e2561b40db0cd

SHA512
33cd6b9c4abf983ee0ffab92086aba3d437637c5b0617c640ab32e581193158b1ecfbe08e571ea4320ba535130fc9946f7b827748b4c2d8f55c553cd9f15d274

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe

Filesize
66KB

MD5
bbb28c8874fb79fe1ec1f6d6bd812b80

SHA1
a1327a2821cd0bcbcb2c2bb936431264fa1a478d

SHA256
732b7d226542c4909cdb6b2bb26e772ea9ebbbff27590428abcd09d6a0bba5eb

SHA512
6ed514849409855650b4c130f784870cfb35485e033b1abb651ab9042f4f591dfebd7eaf2418547a214afdd7a5cb806c75c2cefc0a1fab9281c198d018892564

Download Submit
memory/412-48-0x0000027E50ED0000-0x0000027E50EE0000-memory.dmp

Filesize
64KB

Download
memory/412-40-0x00007FFA21620000-0x00007FFA220E2000-memory.dmp

Filesize
10.8MB

Download
memory/412-52-0x00007FFA21620000-0x00007FFA220E2000-memory.dmp

Filesize
10.8MB

Download
memory/412-47-0x0000027E50ED0000-0x0000027E50EE0000-memory.dmp

Filesize
64KB

Download
memory/412-50-0x0000027E50ED0000-0x0000027E50EE0000-memory.dmp

Filesize
64KB

Download
memory/4476-14-0x0000013F1D870000-0x0000013F1D880000-memory.dmp

Filesize
64KB

Download
memory/4476-17-0x00007FFA21620000-0x00007FFA220E2000-memory.dmp

Filesize
10.8MB

Download
memory/4476-13-0x0000013F1D870000-0x0000013F1D880000-memory.dmp

Filesize
64KB

Download
memory/4476-11-0x00007FFA21620000-0x00007FFA220E2000-memory.dmp

Filesize
10.8MB

Download
memory/4476-12-0x0000013F1D870000-0x0000013F1D880000-memory.dmp

Filesize
64KB

Download
memory/4476-10-0x0000013F1D920000-0x0000013F1D942000-memory.dmp

Filesize
136KB

Download
memory/4576-29-0x00007FFA21410000-0x00007FFA21ED2000-memory.dmp

Filesize
10.8MB

Download
memory/4576-31-0x000001E1CBDA0000-0x000001E1CBDB0000-memory.dmp

Filesize
64KB

Download
memory/4576-35-0x00007FFA21410000-0x00007FFA21ED2000-memory.dmp

Filesize
10.8MB

Download
memory/4576-33-0x000001E1CBDA0000-0x000001E1CBDB0000-memory.dmp

Filesize
64KB

Download
memory/4576-30-0x000001E1CBDA0000-0x000001E1CBDB0000-memory.dmp

Filesize
64KB

Download