Analysis Overview
SHA256: 8c47c7b8be15f9de71e5902c37aeb659f0340a66115605cd4ca0cc10499925d7
Threat Level: Shows suspicious behavior
The file aurora.exe was found to show suspicious behavior.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Detects Pyinstaller
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-13 20:01
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-13 20:01
Reported: 2024-11-13 20:03
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2084 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | C:\Users\Admin\AppData\Local\Temp\aurora.exe |
| PID 2084 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | C:\Users\Admin\AppData\Local\Temp\aurora.exe |
| PID 2084 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | C:\Users\Admin\AppData\Local\Temp\aurora.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aurora.exe
"C:\Users\Admin\AppData\Local\Temp\aurora.exe"
C:\Users\Admin\AppData\Local\Temp\aurora.exe
"C:\Users\Admin\AppData\Local\Temp\aurora.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20842\python311.dll
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-13 20:01
Reported: 2024-11-13 20:03
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 140s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3488 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | C:\Users\Admin\AppData\Local\Temp\aurora.exe |
| PID 3488 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | C:\Users\Admin\AppData\Local\Temp\aurora.exe |
| PID 4252 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | C:\Windows\system32\cmd.exe |
| PID 4252 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\aurora.exe | C:\Windows\system32\cmd.exe |
| PID 2584 wrote to memory of 4424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2584 wrote to memory of 4424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aurora.exe
"C:\Users\Admin\AppData\Local\Temp\aurora.exe"
C:\Users\Admin\AppData\Local\Temp\aurora.exe
"C:\Users\Admin\AppData\Local\Temp\aurora.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ExecutionPolicy Unrestricted -Scope CurrentUser -Force"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI34882\python311.dll
C:\Users\Admin\AppData\Local\Temp\_MEI34882\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI34882\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI34882\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\_MEI34882\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\wx\_core.cp311-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\wx\wxmsw32u_core_vc140_x64.dll
C:\Users\Admin\AppData\Local\Temp\_MEI34882\MSVCP140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI34882\wx\wxbase32u_vc140_x64.dll
memory/4252-54-0x00007FFDD2FC0000-0x00007FFDD37B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI34882\VCRUNTIME140_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI34882\wx\wxbase32u_net_vc140_x64.dll
C:\Users\Admin\AppData\Local\Temp\_MEI34882\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI34882\wx\siplib.cp311-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI34882\wx\_adv.cp311-win_amd64.pyd
memory/4424-61-0x00007FFDD1373000-0x00007FFDD1375000-memory.dmp
memory/4424-72-0x00000287A1190000-0x00000287A11B2000-memory.dmp
memory/4424-62-0x00007FFDD1370000-0x00007FFDD1E31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_knb4ada3.dmd.ps1
memory/4424-73-0x00007FFDD1370000-0x00007FFDD1E31000-memory.dmp
memory/4424-76-0x00007FFDD1370000-0x00007FFDD1E31000-memory.dmp