Analysis

Max time kernel:   316s
Max time network:  1588s
Platform:          windows10-1703_x64
Resource:          win10-20240404-en
Resource tags:     arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
Submitted:         20-04-2024 17:19
General

Target:  Auora.exe
Size:    231KB
MD5:     a96e98be73b7840e10e039d7b3b2a72a
SHA1:    bde4c46b9a32ba14aafe652ebe14cb03ba2692a8
SHA256:  886a78f6d4a3bb1667c7d8ba553487a9d42fc38188253d3604cfe5c0743b636b
SHA512:  c4855010f4b9bf3c0d3f2b78447380d0f85ed440355ed0ed39f10727b44d555f1a7b9ae3a6d241f313d85fa8f052692c20149ecb5b4f6b841291a3f12651ced7
SSDEEP:  6144:xloZM+rIkd8g+EtXHkv/iD4yr5ClW8e1mzi:DoZtL+EP8VCv
Malware Config

(none extracted)

Signatures

Detect Umbral payload (1 IoC)

Resource                                                                        Rule
behavioral1/memory/2676-0-0x00000194DC6D0000-0x00000194DC710000-memory.dmp      family_umbral

Suspicious use of AdjustPrivilegeToken (43 IoCs)

Description                              PID    Process
Token: SeDebugPrivilege                  2676   Auora.exe
Token: SeIncreaseQuotaPrivilege          1040   wmic.exe
Token: SeSecurityPrivilege               1040   wmic.exe
Token: SeTakeOwnershipPrivilege          1040   wmic.exe
Token: SeLoadDriverPrivilege             1040   wmic.exe
Token: SeSystemProfilePrivilege          1040   wmic.exe
Token: SeSystemtimePrivilege             1040   wmic.exe
Token: SeProfSingleProcessPrivilege      1040   wmic.exe
Token: SeIncBasePriorityPrivilege        1040   wmic.exe
Token: SeCreatePagefilePrivilege         1040   wmic.exe
Token: SeBackupPrivilege                 1040   wmic.exe
Token: SeRestorePrivilege                1040   wmic.exe
Token: SeShutdownPrivilege               1040   wmic.exe
Token: SeDebugPrivilege                  1040   wmic.exe
Token: SeSystemEnvironmentPrivilege      1040   wmic.exe
Token: SeRemoteShutdownPrivilege         1040   wmic.exe
Token: SeUndockPrivilege                 1040   wmic.exe
Token: SeManageVolumePrivilege           1040   wmic.exe
Token: 33                                1040   wmic.exe
Token: 34                                1040   wmic.exe
Token: 35                                1040   wmic.exe
Token: 36                                1040   wmic.exe
Token: SeIncreaseQuotaPrivilege          1040   wmic.exe
Token: SeSecurityPrivilege               1040   wmic.exe
Token: SeTakeOwnershipPrivilege          1040   wmic.exe
Token: SeLoadDriverPrivilege             1040   wmic.exe
Token: SeSystemProfilePrivilege          1040   wmic.exe
Token: SeSystemtimePrivilege             1040   wmic.exe
Token: SeProfSingleProcessPrivilege      1040   wmic.exe
Token: SeIncBasePriorityPrivilege        1040   wmic.exe
Token: SeCreatePagefilePrivilege         1040   wmic.exe
Token: SeBackupPrivilege                 1040   wmic.exe
Token: SeRestorePrivilege                1040   wmic.exe
Token: SeShutdownPrivilege               1040   wmic.exe
Token: SeDebugPrivilege                  1040   wmic.exe
Token: SeSystemEnvironmentPrivilege      1040   wmic.exe
Token: SeRemoteShutdownPrivilege         1040   wmic.exe
Token: SeUndockPrivilege                 1040   wmic.exe
Token: SeManageVolumePrivilege           1040   wmic.exe
Token: 33                                1040   wmic.exe
Token: 34                                1040   wmic.exe
Token: 35                                1040   wmic.exe
Token: 36                                1040   wmic.exe

Suspicious use of WriteProcessMemory (2 IoCs)

Description                            PID    Process     Target procid
PID 2676 wrote to memory of 1040       2676   Auora.exe   74
PID 2676 wrote to memory of 1040       2676   Auora.exe   74
Processes

- C:\Users\Admin\AppData\Local\Temp\Auora.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Auora.exe"
  Depth: 1
  PID: 2676
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\Wbem\wmic.exe
    Command line: "wmic.exe" csproduct get uuid
    Depth: 2
    PID: 1040
    - Suspicious use of AdjustPrivilegeToken