Analysis

  • max time kernel: 21s
  • max time network: 19s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 15/04/2024, 18:36

General

  • Target: Aurxra V6.exe
  • Size: 287.0MB
  • MD5: feaef80a175e24dbf45cb0f3561f4891
  • SHA1: dd8652d5623aec0e0de66f50df8d75c3cb54e050
  • SHA256: 6b5c7a2136f31631e64960abe17dea5a4eccf9f40943f0f492bc397c8189d5a3
  • SHA512: 218c01e342aead4a1094ee57344d29ecde0fbe8216d270ba376344790e0202eaea161be52e183c5442a45b55c657cf8340b6f027288ceaf790069f111994101d
  • SSDEEP: 49152:Ght9sTkCObgYD//RcCHEDIpPmChB2iqUL7h5IGn:Ght9bCOblJcqIIJtMq5H

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (40 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Aurxra V6.exe
    "C:\Users\Admin\AppData\Local\Temp\Aurxra V6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c move Look Look.bat && Look.bat
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2656
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "wrsa.exe opssvc.exe"
        3⤵
        PID:2604
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        3⤵
        PID:2464
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 1101
        3⤵
        PID:2424
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "DeemedTalentNeedsPc" Derived
        3⤵
        PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b Outer + Leader + Lot + Intelligent + Distinguished + Mileage + Scheduled + Train + Links 1101\G
        3⤵
        PID:2920
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1101\Hybrid.pif
        1101\Hybrid.pif 1101\G
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2476
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1056

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1101\G
    Filesize: 2.1MB
    MD5: af3809ce527bfc88548eca74523b4570
    SHA1: 85f2fed57c547b5955c6062a3e2a57e40837ec9f
    SHA256: 7662801ff3af15a7d8cf6d82640b24410d2253dbe2950aac385b9a2a4d90affc
    SHA512: 4b4c11c596d2c8491c4c28c4b088598043ac765622ff37a19845e292339acae4b18d4b097a033d698ade81512d799f9ca31a938ec1cffe4fa1760c19d69fb143

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Derived
    Filesize: 157B
    MD5: 45dc162ecf97026475c5e414296e0677
    SHA1: d18ce3307ca0156251112bd9495f9a5cf393184f
    SHA256: 420ec741901cf4ccd054a6d4ae24b6136afbf2bac205d32e278b29ff6ec4837c
    SHA512: bd9f43091d83b000cf993729d9684c995a31794b20796fa3d80638c46956b1bbb8075af8112e87a103656754dea08cd681e0b37eb6786a63a3f6c66864fad078

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Distinguished
    Filesize: 207KB
    MD5: e1d01f7ce1038846d788109b2f4d7dfd
    SHA1: bd9603494f6ce603c0bf9d62ee0eca315044b4ab
    SHA256: 33cb3169611235ae15daf74d45f1f176d07a0565546f9d6aef8ce3d2d19cb271
    SHA512: 182ee12898ab57d4e19739e321fa4b0c439a22fe52ae261743b88ea9b6099792f0b10841943aa06fa241b52e8d77ebe7a2290403b402076f9923793ec978338c

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Drum
    Filesize: 59KB
    MD5: 0f7afb5dfabb33ac13c0b0eff637f183
    SHA1: 019536a338337eafdc55b051c0d8e070737b71df
    SHA256: 5a9b12cb9bb2ee1903de9804fc5211404637cde7f355df6d15ac0217b27b9522
    SHA512: 2015282fc84d4adcbba163aa7795a625db6d3d0014d1905a0c0fdfd63390da669020d280b292366cc89d58b0990c22729c808cff63644f37ddc281b27e36126a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Intelligent
    Filesize: 239KB
    MD5: ceb0bc55d58cd3120e6eb769fd10255b
    SHA1: e8e32df8ec409975c24cfff67175fcc3ea18c6b1
    SHA256: 3048f03f77975b35adb8ffe1145ca8e99f52a94547d1cc0d31803141ebee49c0
    SHA512: fcd552871e0e1113833fc1cb80f6944db6ece49e4f3cc83bcf9e3d327ee8d1c33e179c6751a7203b524e61188755b425680131119d00e2986417a26dce27d26e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Leader
    Filesize: 288KB
    MD5: daed67e8ea6d3339b4b36c6ee4d34efb
    SHA1: a66032c00543a511e767b45dd75813141850cc38
    SHA256: b3c75b7e13bc5f2cf65798660093f1b69b5095bb7b19460ae09fb98af218a063
    SHA512: 1932aeb571f1aa1b74fa1f3926bb9986b717dc1a917f5bee29a362f0b41c601b564efab35c9d040528a8f36317dfc0844dcce118fc2c0700ff328f73b8993ab0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Links
    Filesize: 171KB
    MD5: 46f5fe0c1139d9b705ed18fec7dd2223
    SHA1: 23f0f81ee9f1d717c41f8c59a931009a86f8adea
    SHA256: 5573cb0df10db4968aded57db48a4226f8848c352ce67ee1dcab44d50dba80ae
    SHA512: 0a14b7559509b434f86418cf8a5cc59c1bc4ac0ef515ea7b11af5c5082d5b3a95c20770b1f1306af2ca63b3e74a0c5ca050f6c959e32b9d3f114a56a4f8d8733

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Look
    Filesize: 9KB
    MD5: a490c62a3d69d20520eba13415b08ef2
    SHA1: 321263239b797236e32969d4ff308650a4ce7be1
    SHA256: 0f1c3a27364776865b6bca1a5a4b361bf79e9994d04f260622e3deca5e468c60
    SHA512: 753b57cf945346a2dd326cd5284dd8beabf75dd39d4aece1325b2e8af2c689bf9eded6d58e00b581008785c1ad19eff64caf4cc9368353eb5dd7fe56ca39f817

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lot
    Filesize: 234KB
    MD5: 5b045dad25282c6e2bb9a71ce09aa176
    SHA1: 9571323c5a442dc51ae0e745c562ae08a8b4b0a7
    SHA256: bc471df2c14409aaa58b5547db8d74309cbb23d9b1733fb0a51176fe13e79b94
    SHA512: 427f67588b1b4734152664888ce68ca063e4407cfee8ae6cb1eafd8ecc01001a6fc3529137744622efc02d84eddcec49190a0d7937c598fda4cc3140928639af

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mileage
    Filesize: 220KB
    MD5: 88342b907d5a7d41a1e631ed2c2a7fcc
    SHA1: 4a79ad51d45d683dbf3a5845e2f5b7aa9dd3edf5
    SHA256: 8b7e0060e3ab775e6728c07c4f89c79070202724af448f0b8fcc64164550c586
    SHA512: 071be2c875f667c8bdde0e2a4629bdd273954e2d78a8593732c45fb51ea83415927bef07d2aa7794972a27f5707cbf089f8670941186a624cee21d0dd498dc36

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Music
    Filesize: 201KB
    MD5: a20be0eadf873f0ec5e99dfc7f49a7a6
    SHA1: f855b492a60363a747bb734048ac0d63314933cb
    SHA256: 3278df7fa844c16802ff988565687e71939132993d5ff16d25ff4dd605278a79
    SHA512: 0aa118546118b54ce2af64dfab00d092ac5a583b391a84692f129ecb331cbd53af4ede5abf6084d901a8e5394d8018720ed56781dd17b6139e0b2f761e620130

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Outer
    Filesize: 277KB
    MD5: 0c2093a27ccbe8dbe228567478ccf6da
    SHA1: fb5741b7059da90181f856dbbc64cd652d0a9bca
    SHA256: f1865e3db735fedc8f1a6af348b85469edf8bae4867f99cdf1c4cba44ec2a61c
    SHA512: b7813c97fdf2ff0244db85aad7773d6685887072b7d7061cc68961d95ba04fc7592dee31d32150f2a1f7acdb4d1b2a7d29bf4b6a0c5c3298fc094f8b7bec9ab3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Scheduled
    Filesize: 226KB
    MD5: a1ccff3b7811ccf1caf939ae8ff9da68
    SHA1: 24b89b36dece40a0092cb7e658e7f0e9657e0ffe
    SHA256: 9329113e849d44379b06643ec9a5dd1229b0a8734de8b180cb329106357497c3
    SHA512: 91001e3b9b8145bc352da29edf2030dd7e0b425c23f97684ddea483f4d88e168cb4d18077c4e00e6879306965e7df5b64b62fbb7ce2d0e4fed7435bdecd066ef

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Textile
    Filesize: 255KB
    MD5: d4ef7c4d836f9fd404054860e465559a
    SHA1: 3dc79a821f859977426b37dc4202d41b10811748
    SHA256: 93b5f2916aa4ddfcdc7d7a57fd72806df4632c8b18bb0cac7b15a65de572e508
    SHA512: a6949541727b826658fe92ea76d6a663507aa67f2ecc78da69696fb3904e196832b30d294014c240dfa188b70f0f1263f4cdec9e6941b03bc1dcdc77a322f439

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\These
    Filesize: 299KB
    MD5: 3d0e777794fdaa4c587b586809f577e4
    SHA1: 173a209f4bcd889a1e42c4428dafe1b715daa314
    SHA256: ae6c6ea85a8c7c62d924e94c1f460c7251391560c9a1f9eb83106053f8219396
    SHA512: 59b6a02210f938af63c0ca12809294dce25eed3d4facca791a57ff087428fa2f07ff16bde3c8e8a5de1ffa4e38a67691512f33f119e270a3266c3a86e66a12c5

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Train
    Filesize: 252KB
    MD5: 2245703aa2c03ea2dca11fbff17349f5
    SHA1: 23b6672dc1c7e4b5e53cc57862683e67441d3f77
    SHA256: 1d8371757f071b136eadd4e8b3f0d4d74b8a42c1ac9a3a7324d5a579ec78bfd9
    SHA512: 1de227e090fa55675ff01a0858f785ca8bff8fa7009f3293626dfd416960a843593673712614fe43a31145de5c9e8bb77ab9a6d1bab6ea00ad12b6b8aaa194a2

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Warnings
    Filesize: 58KB
    MD5: d12d868e8e8fd8dbb557494ed84fe552
    SHA1: e550ebbc506de886f4c1bfeb2fa6faf1637b9f36
    SHA256: 7d2f505cb2e7b048e386d6c43606d06fc865ee61760920b1b709e3dfb32bf1ef
    SHA512: 95b707d4176b188a070823a6805f27a8fab1cfde1f9a72071746696cebf6d8cb633c8fe85adbb4c2bd6ba1d9a5e58934b74a555498d92054119088c982f653b9

  • \Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\1101\Hybrid.pif
    Filesize: 872KB
    MD5: 6ee7ddebff0a2b78c7ac30f6e00d1d11
    SHA1: f2f57024c7cc3f9ff5f999ee20c4f5c38bfc20a2
    SHA256: 865347471135bb5459ad0e647e75a14ad91424b6f13a5c05d9ecd9183a8a1cf4
    SHA512: 57d56de2bb882f491e633972003d7c6562ef2758c3731b913ff4d15379ada575062f4de2a48ca6d6d9241852a5b8a007f52792753fd8d8fee85b9a218714efd0

  • memory/2476-41-0x00000000775D0000-0x00000000776A6000-memory.dmp
    Filesize: 856KB