Analysis
max time kernel: 135s
max time network: 137s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 20/04/2024, 17:18
Behavioral task: behavioral1
Sample: Auora.exe
Resource: win10-20240404-en
4 signatures
150 seconds
General
Target: Auora.exe
Size: 231KB
MD5: a96e98be73b7840e10e039d7b3b2a72a
SHA1: bde4c46b9a32ba14aafe652ebe14cb03ba2692a8
SHA256: 886a78f6d4a3bb1667c7d8ba553487a9d42fc38188253d3604cfe5c0743b636b
SHA512: c4855010f4b9bf3c0d3f2b78447380d0f85ed440355ed0ed39f10727b44d555f1a7b9ae3a6d241f313d85fa8f052692c20149ecb5b4f6b841291a3f12651ced7
SSDEEP: 6144:xloZM+rIkd8g+EtXHkv/iD4yr5ClW8e1mzi:DoZtL+EP8VCv
Malware Config
Signatures

Detect Umbral payload (1 IoC)
resource | yara_rule
behavioral1/memory/3780-0-0x0000027B6ABF0000-0x0000027B6AC30000-memory.dmp | family_umbral
Suspicious use of AdjustPrivilegeToken (43 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3780 | Auora.exe
Token: SeIncreaseQuotaPrivilege | 4376 | wmic.exe
Token: SeSecurityPrivilege | 4376 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4376 | wmic.exe
Token: SeLoadDriverPrivilege | 4376 | wmic.exe
Token: SeSystemProfilePrivilege | 4376 | wmic.exe
Token: SeSystemtimePrivilege | 4376 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4376 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4376 | wmic.exe
Token: SeCreatePagefilePrivilege | 4376 | wmic.exe
Token: SeBackupPrivilege | 4376 | wmic.exe
Token: SeRestorePrivilege | 4376 | wmic.exe
Token: SeShutdownPrivilege | 4376 | wmic.exe
Token: SeDebugPrivilege | 4376 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4376 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4376 | wmic.exe
Token: SeUndockPrivilege | 4376 | wmic.exe
Token: SeManageVolumePrivilege | 4376 | wmic.exe
Token: 33 | 4376 | wmic.exe
Token: 34 | 4376 | wmic.exe
Token: 35 | 4376 | wmic.exe
Token: 36 | 4376 | wmic.exe
Token: SeIncreaseQuotaPrivilege | 4376 | wmic.exe
Token: SeSecurityPrivilege | 4376 | wmic.exe
Token: SeTakeOwnershipPrivilege | 4376 | wmic.exe
Token: SeLoadDriverPrivilege | 4376 | wmic.exe
Token: SeSystemProfilePrivilege | 4376 | wmic.exe
Token: SeSystemtimePrivilege | 4376 | wmic.exe
Token: SeProfSingleProcessPrivilege | 4376 | wmic.exe
Token: SeIncBasePriorityPrivilege | 4376 | wmic.exe
Token: SeCreatePagefilePrivilege | 4376 | wmic.exe
Token: SeBackupPrivilege | 4376 | wmic.exe
Token: SeRestorePrivilege | 4376 | wmic.exe
Token: SeShutdownPrivilege | 4376 | wmic.exe
Token: SeDebugPrivilege | 4376 | wmic.exe
Token: SeSystemEnvironmentPrivilege | 4376 | wmic.exe
Token: SeRemoteShutdownPrivilege | 4376 | wmic.exe
Token: SeUndockPrivilege | 4376 | wmic.exe
Token: SeManageVolumePrivilege | 4376 | wmic.exe
Token: 33 | 4376 | wmic.exe
Token: 34 | 4376 | wmic.exe
Token: 35 | 4376 | wmic.exe
Token: 36 | 4376 | wmic.exe
Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 3780 wrote to memory of 4376 | 3780 | Auora.exe | 74
PID 3780 wrote to memory of 4376 | 3780 | Auora.exe | 74
Processes
- C:\Users\Admin\AppData\Local\Temp\Auora.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Auora.exe"
  PID: 3780
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\Wbem\wmic.exe (child of PID 3780)
    Command line: "wmic.exe" csproduct get uuid
    PID: 4376
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4628