Analysis
-
max time kernel
135s -
max time network
137s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
20-04-2024 17:18
Behavioral task
behavioral1
Sample
Auora.exe
Resource
win10-20240404-en
4 signatures
150 seconds
General
-
Target
Auora.exe
-
Size
231KB
-
MD5
a96e98be73b7840e10e039d7b3b2a72a
-
SHA1
bde4c46b9a32ba14aafe652ebe14cb03ba2692a8
-
SHA256
886a78f6d4a3bb1667c7d8ba553487a9d42fc38188253d3604cfe5c0743b636b
-
SHA512
c4855010f4b9bf3c0d3f2b78447380d0f85ed440355ed0ed39f10727b44d555f1a7b9ae3a6d241f313d85fa8f052692c20149ecb5b4f6b841291a3f12651ced7
-
SSDEEP
6144:xloZM+rIkd8g+EtXHkv/iD4yr5ClW8e1mzi:DoZtL+EP8VCv
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/3780-0-0x0000027B6ABF0000-0x0000027B6AC30000-memory.dmp family_umbral -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
Auora.exewmic.exedescription pid process Token: SeDebugPrivilege 3780 Auora.exe Token: SeIncreaseQuotaPrivilege 4376 wmic.exe Token: SeSecurityPrivilege 4376 wmic.exe Token: SeTakeOwnershipPrivilege 4376 wmic.exe Token: SeLoadDriverPrivilege 4376 wmic.exe Token: SeSystemProfilePrivilege 4376 wmic.exe Token: SeSystemtimePrivilege 4376 wmic.exe Token: SeProfSingleProcessPrivilege 4376 wmic.exe Token: SeIncBasePriorityPrivilege 4376 wmic.exe Token: SeCreatePagefilePrivilege 4376 wmic.exe Token: SeBackupPrivilege 4376 wmic.exe Token: SeRestorePrivilege 4376 wmic.exe Token: SeShutdownPrivilege 4376 wmic.exe Token: SeDebugPrivilege 4376 wmic.exe Token: SeSystemEnvironmentPrivilege 4376 wmic.exe Token: SeRemoteShutdownPrivilege 4376 wmic.exe Token: SeUndockPrivilege 4376 wmic.exe Token: SeManageVolumePrivilege 4376 wmic.exe Token: 33 4376 wmic.exe Token: 34 4376 wmic.exe Token: 35 4376 wmic.exe Token: 36 4376 wmic.exe Token: SeIncreaseQuotaPrivilege 4376 wmic.exe Token: SeSecurityPrivilege 4376 wmic.exe Token: SeTakeOwnershipPrivilege 4376 wmic.exe Token: SeLoadDriverPrivilege 4376 wmic.exe Token: SeSystemProfilePrivilege 4376 wmic.exe Token: SeSystemtimePrivilege 4376 wmic.exe Token: SeProfSingleProcessPrivilege 4376 wmic.exe Token: SeIncBasePriorityPrivilege 4376 wmic.exe Token: SeCreatePagefilePrivilege 4376 wmic.exe Token: SeBackupPrivilege 4376 wmic.exe Token: SeRestorePrivilege 4376 wmic.exe Token: SeShutdownPrivilege 4376 wmic.exe Token: SeDebugPrivilege 4376 wmic.exe Token: SeSystemEnvironmentPrivilege 4376 wmic.exe Token: SeRemoteShutdownPrivilege 4376 wmic.exe Token: SeUndockPrivilege 4376 wmic.exe Token: SeManageVolumePrivilege 4376 wmic.exe Token: 33 4376 wmic.exe Token: 34 4376 wmic.exe Token: 35 4376 wmic.exe Token: 36 4376 wmic.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
Auora.exedescription pid process target process PID 3780 wrote to memory of 4376 3780 Auora.exe wmic.exe PID 3780 wrote to memory of 4376 3780 Auora.exe wmic.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Auora.exe"C:\Users\Admin\AppData\Local\Temp\Auora.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4628
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3780-0-0x0000027B6ABF0000-0x0000027B6AC30000-memory.dmpFilesize
256KB
-
memory/3780-1-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmpFilesize
9.9MB
-
memory/3780-2-0x0000027B6D2D0000-0x0000027B6D2E0000-memory.dmpFilesize
64KB
-
memory/3780-4-0x00007FF8922E0000-0x00007FF892CCC000-memory.dmpFilesize
9.9MB