55d69ef895cf6cc504a8cb65531c20bce93877a2b47f4533d3772a16710239a3

Analysis

max time kernel
32s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2024 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AURORAV1/AVRORA V1.exe
Size

287.0MB
MD5

ae6a6df39b6c4c157233078507d95e11
SHA1

2a58a806431b91b0d08044e58293dc4493800718
SHA256

9ffaea98983a0fe1749a30f766267ca3a2a485247fbd6153492cea0decdf1fb5
SHA512

5948e3a6984742325698652072fcedcff22468dfcf4f2a62e50343e50aa5ff8a42da89510e8ccd010c03b14173e702736b1a05a38cea7a092a8080e1042d309b
SSDEEP

49152:NqttHg4EaM9b/+P5LCShPVJPuNJrdlaVtwI1EgBX:NQA4Ef5YNCSbWJRlCwIDBX

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Derived.pif

description pid process target process

PID 1920 created 3476 1920 Derived.pif Explorer.EXE

description	pid	process	target process
PID 1920 created 3476	1920	Derived.pif	Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AVRORA V1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	AVRORA V1.exe

Executes dropped EXE 2 IoCs

Processes:

Derived.pifDerived.pif

pid process

1920 Derived.pif
1384 Derived.pif
Suspicious use of SetThreadContext 1 IoCs

Processes:

Derived.pif

description pid process target process

PID 1920 set thread context of 1384 1920 Derived.pif Derived.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

5020 tasklist.exe
2676 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2000 PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Derived.pif

pid process

1920 Derived.pif
1920 Derived.pif
1920 Derived.pif
1920 Derived.pif
1920 Derived.pif
1920 Derived.pif
1920 Derived.pif
1920 Derived.pif
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tasklist.exetasklist.exe

description pid process

Token: SeDebugPrivilege 5020 tasklist.exe
Token: SeDebugPrivilege 2676 tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Derived.pif

pid process

1920 Derived.pif
1920 Derived.pif
1920 Derived.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Derived.pif

pid process

1920 Derived.pif
1920 Derived.pif
1920 Derived.pif

pid	process
1920	Derived.pif
1384	Derived.pif

description	pid	process	target process
PID 1920 set thread context of 1384	1920	Derived.pif	Derived.pif

pid	process
5020	tasklist.exe
2676	tasklist.exe

pid	process
2000	PING.EXE

pid	process
1920	Derived.pif
1920	Derived.pif
1920	Derived.pif
1920	Derived.pif
1920	Derived.pif
1920	Derived.pif
1920	Derived.pif
1920	Derived.pif

description	pid	process
Token: SeDebugPrivilege	5020	tasklist.exe
Token: SeDebugPrivilege	2676	tasklist.exe

pid	process
1920	Derived.pif
1920	Derived.pif
1920	Derived.pif

pid	process
1920	Derived.pif
1920	Derived.pif
1920	Derived.pif

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

AVRORA V1.execmd.exeDerived.pif

description	pid	process	target process
PID 1828 wrote to memory of 3528	1828	AVRORA V1.exe	cmd.exe
PID 1828 wrote to memory of 3528	1828	AVRORA V1.exe	cmd.exe
PID 1828 wrote to memory of 3528	1828	AVRORA V1.exe	cmd.exe
PID 3528 wrote to memory of 5020	3528	cmd.exe	tasklist.exe
PID 3528 wrote to memory of 5020	3528	cmd.exe	tasklist.exe
PID 3528 wrote to memory of 5020	3528	cmd.exe	tasklist.exe
PID 3528 wrote to memory of 4824	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 4824	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 4824	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 2676	3528	cmd.exe	tasklist.exe
PID 3528 wrote to memory of 2676	3528	cmd.exe	tasklist.exe
PID 3528 wrote to memory of 2676	3528	cmd.exe	tasklist.exe
PID 3528 wrote to memory of 3192	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 3192	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 3192	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 3000	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 3000	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 3000	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 2272	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 2272	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 2272	3528	cmd.exe	findstr.exe
PID 3528 wrote to memory of 3308	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 3308	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 3308	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 4608	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 4608	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 4608	3528	cmd.exe	cmd.exe
PID 3528 wrote to memory of 1920	3528	cmd.exe	Derived.pif
PID 3528 wrote to memory of 1920	3528	cmd.exe	Derived.pif
PID 3528 wrote to memory of 1920	3528	cmd.exe	Derived.pif
PID 3528 wrote to memory of 2000	3528	cmd.exe	PING.EXE
PID 3528 wrote to memory of 2000	3528	cmd.exe	PING.EXE
PID 3528 wrote to memory of 2000	3528	cmd.exe	PING.EXE
PID 1920 wrote to memory of 1384	1920	Derived.pif	Derived.pif
PID 1920 wrote to memory of 1384	1920	Derived.pif	Derived.pif
PID 1920 wrote to memory of 1384	1920	Derived.pif	Derived.pif
PID 1920 wrote to memory of 1384	1920	Derived.pif	Derived.pif
PID 1920 wrote to memory of 1384	1920	Derived.pif	Derived.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\AURORAV1\AVRORA V1.exe
"C:\Users\Admin\AppData\Local\Temp\AURORAV1\AVRORA V1.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c move Emotions Emotions.bat && Emotions.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:4824

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:3192

C:\Windows\SysWOW64\cmd.exe
cmd /c md 2692
4⤵
PID:3000

C:\Windows\SysWOW64\findstr.exe
findstr /V "MasBathroomsCompoundInjection" Participants
4⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 2692\Derived.pif + Richmond + Alot + Genre + Fighter + Violence + Ld + Que 2692\Derived.pif
4⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Pulse + Fcc + Idea + Tuning + Wx + Erotica + Harrison + Introduce + Clearing + Forever 2692\X
4⤵
PID:4608

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2692\Derived.pif
2692\Derived.pif 2692\X
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:2000

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2692\Derived.pif
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2692\Derived.pif
2⤵
- Executes dropped EXE
PID:1384

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2692\Derived.pif
Filesize
28B

MD5
8aa97c77b47172bf01434da95ae35957

SHA1
d5003133030a8b3162a37107a374bdc400d21957

SHA256
a797eb9f33292fd5cca5c741701b2aab9ac05662f9ae3b482352e326f73da04e

SHA512
cbe77641809b8ba3257d41b00d9e603a5a284488c20314a8d309d358e8a5793cacc8f3080842b98ec11a95d681882f93e2449b3594d7057c7d4625ceada4ac8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2692\Derived.pif
Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2692\X
Filesize
2.1MB

MD5
beb3f0d399c7da3a192de72accf35183

SHA1
e4b5269f0ca802f2a4adc4a93a3e9e340d8bdf44

SHA256
9d0e68ada3981817c12ff96f97df74d3d8f6578bc5a9f7b59e9d2b2a5f2ff859

SHA512
68ba394a9980ab20dd6a8c16f6b5323c6b90cb209ef835eb346091b2071bc2d5d789c5a2f1cdc215aa435199fc0ccb24b12d392fadc0ba9ec4ef365ed214ad10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alot
Filesize
46KB

MD5
2f9f83a1d508d78c3672034a43a293c5

SHA1
1f7baf69f61e749464fd6e1e4569e9a22de1c548

SHA256
0634b38196d73953401fb0348cc208625f40dc70979f13ed754277ba7fbfd291

SHA512
9c5fc69233d983567ffaf9adc3b3305f454d116743ae481c9bf57d245b4a055ab5938848ee85c87b5c71f3e2c6b4f1e4cd1adf1574bcb98098080ebf0edbebf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Clearing
Filesize
220KB

MD5
1ef4da14132bef6a979acd1456d98f3d

SHA1
59f9ffeef09845224ac57508738ae9b69e1dd1b7

SHA256
b813cfbd43195490ca29f9dc59e94bef9fb9f4e76ee0b43c16d5b16884bae5a1

SHA512
46b9a18853f14a9c36c4a9eea347ead634cb6db25a55a00c793eec7b1a7d4715c45263355d1800c81778174b57a17e77a250b0a89da59a64a855d909e4f5355d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Emotions
Filesize
12KB

MD5
5d2e99be0f015f8dd0ea396e18298b36

SHA1
ef6046177d89c2d4a8382a81b350702cac319112

SHA256
92951dd31f519369d41dd38f33d2413218e80719b0df7d644ab802631f5034a3

SHA512
e9aa8c20ed343fcfd899aada6c9ff5aecbd5a851ed153884da285732fb961d42ca096152e60c7fecd69fcc67853eb6285b8fed43e289af61c5bef25c93d51098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Erotica
Filesize
287KB

MD5
267b5e481037717e735391deeea0ff8f

SHA1
7fe2ac9c02bc53c1fb889f206aa51aa6da794f36

SHA256
afc7e1a378b9d972854c5a83ceb498b7bcd590a4841e2f34dcce9f5249de71ab

SHA512
1288a15102d756ff21a72023a24ef428b556358b37c5ec26d17aafcfab10b558b3f453cc9d481c1c4c851410190f812f9c94cc11f8cb1ee9fbe577b25ef8ac03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fcc
Filesize
209KB

MD5
3b5281a40da51473173ae333354a4708

SHA1
1caa01b6ce05f28d3df1e93b9edad31116fd8782

SHA256
06e0cded6103f91778bb311d7771ed13e39509c44fe659cd28ce4b0afe69f553

SHA512
50538e36aeca1182cb9c368976d8b3816fa7cc9fb017269d4a1e6f7608ca0db227e343038d29ca483461eeed6812717b9d6227d7e980dbb8c3cd332e5da14dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Fighter
Filesize
166KB

MD5
55bc4dc42166555b8a6f011c7f9ad209

SHA1
310e974352ee2e7ef63a91af925947a77cac6eba

SHA256
284bcbdf5593032547c119847d9d4a6359b400a74f13fa9d3774181d6be248c6

SHA512
f793c981720747f49eab38838d97458d4625ee0ee790e7a79319489c4d1bbae11b9f9c23e33609e35b15d476d5c084f77164332f654ed8040ce7c4d8faf54252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Forever
Filesize
46KB

MD5
cdc1c1777ae9a8548ef73e3d8d3cb771

SHA1
ab9e4243eff32ab19c709c57ebd8a826b226646b

SHA256
e5909739456e96f48ede99e430190574db9593ec2ef32009557cffa71f141fba

SHA512
2f384cf0a24ba04c117d8fa00f757b0bd9ce7a333182eff3d8927bd80c068d4ad9bbfa1b90f904c974162d843e65ef450c938ce13a7ac6b64a1393202d1fc3d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Genre
Filesize
257KB

MD5
e250dae40537d592778b9502cf8227fb

SHA1
303369f3adaec712570adc4c56ac5bea64e365f1

SHA256
1a6dab9fd80044680137ec4073c4963ec28341361a44ec5d710d4bea67a21074

SHA512
5bd19c4b18cdeb27be1470758efe724da9a123b857a849e742bd110f22fc6caaf65590d1628b3869a7427a8b67cfd3e63b6f42d23d0fe08d3e8a0f1d6ede65b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Harrison
Filesize
204KB

MD5
d48f0066bbbae76cf753fa44ba32c1e3

SHA1
4afa385545e4f98cb7c64caa5da8b15018d3a518

SHA256
3cf27be352bcd2994403a9af6300d36c0390089a1d768df2d307e92edb0b3ac5

SHA512
13bc1212d2de7146d00bbb03f5f0cfe93a2ae2d077311e54859239d84e772cc0881d83ba28de3010418685e8f10de218f06a526994b8cd6b3ffbc921ec92a86a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Idea
Filesize
277KB

MD5
0f1de8c0e038c0275860fd290b02c4d8

SHA1
25de651d877c2a413cf67b96c1606600d86b25d5

SHA256
4f4bc55aed3199ab69af774d87a48890c5ebc470719cb94ebb3e9691cc7aa84e

SHA512
94ebf780cdfdd68b1e5f5de76037adea1d2a7b207af06ec64907d966767987a72db7c727d819578e20eecbb29eef8f60cc69eb4150f3ad660e42394ee69c9899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Introduce
Filesize
251KB

MD5
4365b4a8e5a9f7d34d242d83148d37c9

SHA1
91d4dea7b5f2a4bdb8de6a4f01202d7c7017cbd0

SHA256
a0f8eecc85f3d72f066bfd72605132c745f849b8fb10eba610c9460b6c2e687b

SHA512
ed17236d833fa4475d1683b8660ec8243c09b2ef5d278968e317670048661b225ca0a5006c8c506ebeb22814b046e26fe64c34f8c2d6d813874b2f4c6e37d423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ld
Filesize
171KB

MD5
0fc4b1c389fa315ae8563d2c3ebc636b

SHA1
e03df5eb60d707bb7c1ad29e42e83feb47983672

SHA256
ff9bf8a27b8a03935494646154d9eff8e565452041c3cf52c8b76bf2fb0c996b

SHA512
4d9aa3cc48836a7b5d5ea9af67b25582febadc7c13ab4ffe202523558cf393ebdb39b4ee1be916e19d5389ca234b41c824bdc553f1d47bd36ddf3d63b34f09df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Participants
Filesize
59B

MD5
df7fa3ba9a23cdb72499f49026149b1b

SHA1
167a471297e7e1f9de2d51233453788fd0a1227b

SHA256
e4754b247074cc987484c9f2a38903ab11b88a9bcff87e4f9f31986fcc4334cb

SHA512
9843fcc8c2a2fd032f6366341ad7bc69b33fe7791dc4f9cf7793d7aecbe8c9340dcaeba9e1d771b35acebde2d027bc8bd804d9133038758fbbba6589e84fbc3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pulse
Filesize
261KB

MD5
1acfe30f6c52692e861389771d895a25

SHA1
3ab030b1694910c721974e0f1b17625d28bd8404

SHA256
2301e62606fc0bce2d842c479d9c1795d18865253ae4fbe47584f0b6c5c458dc

SHA512
4241ca04a9f7b0af070af8f776ce8c450745c62af61e1eec2c4ce59e0b26d9e7f42a35093e7128336396f3ca402805a5073b9967f65e3a7d01c7e533174a71dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Que
Filesize
10KB

MD5
f216efd0e80184e0d79622683db9295a

SHA1
919909b47e5c12ebaab598e9b0f50e1c21824d0c

SHA256
b134655bdf6d40b5ffef9022258559e2fc1d16a07b1fc787953afdd83bce7ac1

SHA512
b5127430ca8eea6630117158b26a8c1e2460d447388e8254613f5a522b4a90b3eb9ccdc652eec11afdbd2b56630abcd213104ba116e7327057644e6c3ef58455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richmond
Filesize
147KB

MD5
3c370bf91af8951f8239bee8271aed1c

SHA1
3c119efa24464782f44616ccef5acbe9e05ab6d4

SHA256
ee2f4d8bd7ca8ec5ffd4748359e9b2206b8a057a7b9b101a5442920cf8ec1a92

SHA512
c1d4c820b055a66101c71f519e860f9db3631676401f91c2391c8ac21e851aea6b1156939f95393369041e379071078c5ceba60d9b22528dcb6802a98df18b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tuning
Filesize
207KB

MD5
dba4b4595f4d9c99d69154aa0f42b4bd

SHA1
cb19ba14ea855bd2737aa35b027ab4fd10297891

SHA256
30f642a61d77c6ee9696b3d5a1d005ec480173d54b7856ed8e8ff38c5dda8b04

SHA512
529df12751251575ae545da26e2764d5d7641950c2be746598308774cadee0a936d94c9aa0f3d7820487a54b5095b6904bc65c38378c7d95aa44c25046d9986e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Violence
Filesize
124KB

MD5
686da1e809252566fa97937e1188cae0

SHA1
6ba10ebcc5e08f97bbc301abb9a5831614ac1de0

SHA256
556debffc737309044830063f82360a44faddd2cae5815311c985b9f989d3140

SHA512
343cef200d3b716da927a1fa7170518cdbfa5c3258da7146b862e49abaa60bb831de23f09c4c9b9da55ee31056abe3e0fa35e62f8ce33f1a8e7c54fbe4f87b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Wx
Filesize
212KB

MD5
ec3efd198fbe9a0f73fd23578aca60c0

SHA1
77899232753f45275e2d05bf565ae90cba2f875b

SHA256
847206f6fa8e78dd46542d742d3bf7c3675b07ff9777d58f638d22fb101b0e14

SHA512
5514e280866a7863110afe7bdca78d9036e148213b4d32ac1b4d99358962954e2aa3b60cfd0051b2999e313c4fb4b8a92f8835e623748ef5870cc031da298d7b

Download Submit
memory/1384-48-0x0000000001200000-0x0000000001352000-memory.dmp

Filesize
1.3MB

Download
memory/1384-49-0x0000000001200000-0x0000000001352000-memory.dmp

Filesize
1.3MB

Download
memory/1384-51-0x0000000001200000-0x0000000001352000-memory.dmp

Filesize
1.3MB

Download
memory/1920-45-0x0000000076F91000-0x00000000770B1000-memory.dmp

Filesize
1.1MB

Download
memory/1920-46-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download