Analysis
-
max time kernel
316s -
max time network
1588s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
20-04-2024 17:19
General
-
Target
Auora.exe
-
Size
231KB
-
MD5
a96e98be73b7840e10e039d7b3b2a72a
-
SHA1
bde4c46b9a32ba14aafe652ebe14cb03ba2692a8
-
SHA256
886a78f6d4a3bb1667c7d8ba553487a9d42fc38188253d3604cfe5c0743b636b
-
SHA512
c4855010f4b9bf3c0d3f2b78447380d0f85ed440355ed0ed39f10727b44d555f1a7b9ae3a6d241f313d85fa8f052692c20149ecb5b4f6b841291a3f12651ced7
-
SSDEEP
6144:xloZM+rIkd8g+EtXHkv/iD4yr5ClW8e1mzi:DoZtL+EP8VCv
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2676-0-0x00000194DC6D0000-0x00000194DC710000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
Auora.exewmic.exedescription pid process Token: SeDebugPrivilege 2676 Auora.exe Token: SeIncreaseQuotaPrivilege 1040 wmic.exe Token: SeSecurityPrivilege 1040 wmic.exe Token: SeTakeOwnershipPrivilege 1040 wmic.exe Token: SeLoadDriverPrivilege 1040 wmic.exe Token: SeSystemProfilePrivilege 1040 wmic.exe Token: SeSystemtimePrivilege 1040 wmic.exe Token: SeProfSingleProcessPrivilege 1040 wmic.exe Token: SeIncBasePriorityPrivilege 1040 wmic.exe Token: SeCreatePagefilePrivilege 1040 wmic.exe Token: SeBackupPrivilege 1040 wmic.exe Token: SeRestorePrivilege 1040 wmic.exe Token: SeShutdownPrivilege 1040 wmic.exe Token: SeDebugPrivilege 1040 wmic.exe Token: SeSystemEnvironmentPrivilege 1040 wmic.exe Token: SeRemoteShutdownPrivilege 1040 wmic.exe Token: SeUndockPrivilege 1040 wmic.exe Token: SeManageVolumePrivilege 1040 wmic.exe Token: 33 1040 wmic.exe Token: 34 1040 wmic.exe Token: 35 1040 wmic.exe Token: 36 1040 wmic.exe Token: SeIncreaseQuotaPrivilege 1040 wmic.exe Token: SeSecurityPrivilege 1040 wmic.exe Token: SeTakeOwnershipPrivilege 1040 wmic.exe Token: SeLoadDriverPrivilege 1040 wmic.exe Token: SeSystemProfilePrivilege 1040 wmic.exe Token: SeSystemtimePrivilege 1040 wmic.exe Token: SeProfSingleProcessPrivilege 1040 wmic.exe Token: SeIncBasePriorityPrivilege 1040 wmic.exe Token: SeCreatePagefilePrivilege 1040 wmic.exe Token: SeBackupPrivilege 1040 wmic.exe Token: SeRestorePrivilege 1040 wmic.exe Token: SeShutdownPrivilege 1040 wmic.exe Token: SeDebugPrivilege 1040 wmic.exe Token: SeSystemEnvironmentPrivilege 1040 wmic.exe Token: SeRemoteShutdownPrivilege 1040 wmic.exe Token: SeUndockPrivilege 1040 wmic.exe Token: SeManageVolumePrivilege 1040 wmic.exe Token: 33 1040 wmic.exe Token: 34 1040 wmic.exe Token: 35 1040 wmic.exe Token: 36 1040 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Auora.exedescription pid process target process PID 2676 wrote to memory of 1040 2676 Auora.exe wmic.exe PID 2676 wrote to memory of 1040 2676 Auora.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Auora.exe"C:\Users\Admin\AppData\Local\Temp\Auora.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2676-0-0x00000194DC6D0000-0x00000194DC710000-memory.dmpFilesize
256KB
-
memory/2676-1-0x00007FFA5EE10000-0x00007FFA5F7FC000-memory.dmpFilesize
9.9MB
-
memory/2676-2-0x00000194F6D10000-0x00000194F6D20000-memory.dmpFilesize
64KB
-
memory/2676-4-0x00007FFA5EE10000-0x00007FFA5F7FC000-memory.dmpFilesize
9.9MB