aurora | 83d67c10baf6087354badb32305228e3addefca87641b2cf8fe7045daed43b10

Resubmissions

08-03-2024 17:19

240308-vvs84sdd51 10

15-02-2024 05:23

240215-f3h1saad63 10

Analysis

max time kernel
1796s
max time network
1803s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 17:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

runtime.exe
Size

1024.0MB
MD5

12e85f4fb4973d62ebfd30cf52412512
SHA1

097d71e82681fbaa290f8bf2f49929a2a1206e87
SHA256

ff3977b7044b3739035cbd17b6d462886b7e228d666c780b8a70c887af797243
SHA512

bc44f93e99813b124307611b64af16d37d27dc637c50ea9a0852d3907850219ac08cd0316a944762434186ab3e3f5cce4d2c13efd7d4adab95680f3368976f22
SSDEEP

49152:pyWMOEmrU4VWLP6zev05oej0EL9gCegK/efy5d8A45EG273LCV0UOQJUh9q101GF:Eq6PQn4/9GEp32VLV+h9sF

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

167.235.58.189:456

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Executes dropped EXE 3 IoCs

Processes:

runtime.exeruntime.exeruntime.exe

pid process

1632 runtime.exe
2680 runtime.exe
2220 runtime.exe
Loads dropped DLL 6 IoCs

Processes:

taskeng.exe

pid process

2164 taskeng.exe
2164 taskeng.exe
2164 taskeng.exe
2164 taskeng.exe
2164 taskeng.exe
2164 taskeng.exe

pid	process
1632	runtime.exe
2680	runtime.exe
2220	runtime.exe

pid	process
2164	taskeng.exe
2164	taskeng.exe
2164	taskeng.exe
2164	taskeng.exe
2164	taskeng.exe
2164	taskeng.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

runtime.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	runtime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	runtime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	runtime.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2840 schtasks.exe
2480 schtasks.exe
1888 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1948 powershell.exe
2180 powershell.exe
2776 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1948 powershell.exe
Token: SeDebugPrivilege 2180 powershell.exe
Token: SeDebugPrivilege 2776 powershell.exe

pid	process
2840	schtasks.exe
2480	schtasks.exe
1888	schtasks.exe

pid	process
1948	powershell.exe
2180	powershell.exe
2776	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

runtime.exepowershell.exepowershell.exetaskeng.exepowershell.exe

description	pid	process	target process
PID 2356 wrote to memory of 1948	2356	runtime.exe	powershell.exe
PID 2356 wrote to memory of 1948	2356	runtime.exe	powershell.exe
PID 2356 wrote to memory of 1948	2356	runtime.exe	powershell.exe
PID 1948 wrote to memory of 2840	1948	powershell.exe	schtasks.exe
PID 1948 wrote to memory of 2840	1948	powershell.exe	schtasks.exe
PID 1948 wrote to memory of 2840	1948	powershell.exe	schtasks.exe
PID 2356 wrote to memory of 2180	2356	runtime.exe	powershell.exe
PID 2356 wrote to memory of 2180	2356	runtime.exe	powershell.exe
PID 2356 wrote to memory of 2180	2356	runtime.exe	powershell.exe
PID 2180 wrote to memory of 2480	2180	powershell.exe	schtasks.exe
PID 2180 wrote to memory of 2480	2180	powershell.exe	schtasks.exe
PID 2180 wrote to memory of 2480	2180	powershell.exe	schtasks.exe
PID 2164 wrote to memory of 1632	2164	taskeng.exe	runtime.exe
PID 2164 wrote to memory of 1632	2164	taskeng.exe	runtime.exe
PID 2164 wrote to memory of 1632	2164	taskeng.exe	runtime.exe
PID 2164 wrote to memory of 2680	2164	taskeng.exe	runtime.exe
PID 2164 wrote to memory of 2680	2164	taskeng.exe	runtime.exe
PID 2164 wrote to memory of 2680	2164	taskeng.exe	runtime.exe
PID 2356 wrote to memory of 2776	2356	runtime.exe	powershell.exe
PID 2356 wrote to memory of 2776	2356	runtime.exe	powershell.exe
PID 2356 wrote to memory of 2776	2356	runtime.exe	powershell.exe
PID 2776 wrote to memory of 1888	2776	powershell.exe	schtasks.exe
PID 2776 wrote to memory of 1888	2776	powershell.exe	schtasks.exe
PID 2776 wrote to memory of 1888	2776	powershell.exe	schtasks.exe
PID 2164 wrote to memory of 2220	2164	taskeng.exe	runtime.exe
PID 2164 wrote to memory of 2220	2164	taskeng.exe	runtime.exe
PID 2164 wrote to memory of 2220	2164	taskeng.exe	runtime.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\runtime.exe
"C:\Users\Admin\AppData\Local\Temp\runtime.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\taskeng.exe
taskeng.exe {5D4A6A78-6EB1-4AFA-BA3F-A26507D9EE57} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
2⤵
- Executes dropped EXE
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
13.0MB

MD5
7a55b6e9c56f5750ac4dbcb8a63fc04e

SHA1
f0d4331e2e96bd4920d9617b2dff2b565a113ef4

SHA256
42fec329ad4b6b3b61d35fa8353a46302966c46229d4ea0aa8543705b889b872

SHA512
6988f4f41c085fb49a55fc9855cc60f432fb3f80e4faffe51ad52ee8fc4c2fc4d5f0296d4d8b8c8e257561fcf314fb350ac6499eb8fd99b96d62dfbb12859fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
10.4MB

MD5
1ed916cc07cb7178c818bd78e3de9444

SHA1
3ec7b591725dd0524e369820a66246d826664f56

SHA256
5a1f057af900319717f879f5dd80096de9ae606c302d2dc3b231fe8b953104c8

SHA512
0caf151149f0cfd65aa066d28a0a00657f566a3439fe33d5d5b778552d046b8ed2081c34ed00dc868cd423f32ab89301f9065b46d0e926fbc121e645d9d123ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
2.8MB

MD5
89b49b6645588b4ebb38b5d439d2692f

SHA1
694d64dd508c2d8f5d205d9c795760d0b4392180

SHA256
a51801b56d09b324104c7cd05ad437849bb55c35f6a094d5a40f4452aab05843

SHA512
b67c26db741f702e230b3c65d9a5e97ddd5cd8d751e2040077ad5c6278dc16b5fdf26effe0fb91a42b01e83afe64cb19fa8f1ba83b26e65381ae9355720c35eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
787KB

MD5
a79409e0dd3832aad2bbc5829e936992

SHA1
901b1a43299a12aa502d0f3630ed59c0c046a23d

SHA256
32c737c3bb99d3d555f2bc330e3a3c1ce4bf684de020c7fe1b6469461360b865

SHA512
b81597180a41a9a93bf9852e1638c73a923ff59bb8b6bf7d60314a556539c052f1c774b85ae9baf233034e1e24b96e617e30118ea3974e700203f7eb6265594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
875KB

MD5
00508bc7b350a91fc7863ff8ab259be5

SHA1
82658aa297559b81d2d33b792fed8b5d47808f61

SHA256
9169d12f6ded3b6797db5192c1564481cc579b2b68306b9e42a1ccc9908d5c0f

SHA512
60b8fa2678ab9b4e32323b99bf92c422459607f770e9e18285cc3a6b966e06137940c19b03f83c2f90d1df7155587665cb471f846acac70d18f65859050d99e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
666c653e8d3123c818aec337cd0ded6a

SHA1
c5ed9fa6e2440a2bcaf2326cc70cb757347feda5

SHA256
484294965d2ec174af53e572d586bc34a821945d912aa768e138cf04207a1cb5

SHA512
748c64c5157891965daa24755adc01996f661e3f36034a0d820354a06521e38260df24c3225c2fe5797ac315b6e8aef203b7aa1f2e33b61751a453426e0367d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
11.5MB

MD5
b3165c433d1612625bca739daf265450

SHA1
ad30f80b3d19d8617d4ccb79e2896804536507eb

SHA256
b3563e63b4b980fcccfb553c74345bc388ba1387021ef6eb3831785fbab0cd1a

SHA512
de4ed4ef4c6fbb23c868c8515635bd90cc6675bcbd960fe3b45e6bc34169ba9c4c04cd105a3c67e61b5dc55bd43f13f3cc8ddb56209eec1aaf2b7a2a173708b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
8.0MB

MD5
76781e17c6e04e016a346da2a9e6ac93

SHA1
26610567a8527ca03863acaca20d8fc9ced2230e

SHA256
07c9720a45799fc2d5245ea2916a70e3ff47709b503cd9392545ba9d13ca09a9

SHA512
6043bdf2345cc8e29f9076a63184373d096f14c1639d1b38138c7e6984e66d9e16b2539b9bf6e29f5f1d4e979660217f59b709824bc8dbf879a1d68db648ff90

Download Submit
\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
192KB

MD5
4d24f02da078768ff573321d105a130e

SHA1
629f5e1fd50dd335ee70c3952aa2d7a0bc66704d

SHA256
8eec822aff2e5da58a4c64d635309edf4872de5e50602bfa82791765a9e19245

SHA512
4ab1054cfc085b2e3b04a031a23ab04197045c2fef72f09cb0fbb761982dcf838996bdfcf95f9b37693035364460bf6d5842cb4831f7a36b9091bc0ae893defb

Download Submit
\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
10.1MB

MD5
7f9e6483060dac47633e2929784919ab

SHA1
17174f7de05cc501fb4ead932d38c5d51478a5f7

SHA256
2c110b982fb6b14a65ad842842cda2a41f537f148adc70a87663958b1403cb1f

SHA512
974bcbfeed31ffd9b9cf66a638945b2d17a2b2508340ae380c4b00cd0ad7810cee8330b0525969e4b758e309d7c4525c5bb7f7386f9a4fee8039ff6868f1a004

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
691KB

MD5
f1fd7816f30caae51c7c1d5f7c2f1ee7

SHA1
cfec50e36d91386925de2a498a9ff0b93364423a

SHA256
ddf23c2a8d35864e985303eecf2c58d031d7c9da014317b0143c3167a1fe54d8

SHA512
d363a5a9dc09d0efd1ae298bb8c448b1c15e47219a893f9fbab11d3b2b3ddaaba6a8df4bf69d39b07179b5fe4a43741df606c3fe65713f7c0f5e264a38e1509d

Download Submit
\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
736KB

MD5
ec82ad57134df347dad369d106292f9d

SHA1
84ad7cec52cd5a57a86490a2f63eca2d9ff9fc67

SHA256
4f836054e016fe948b8a2e1ae4c60b293bb309b7af11d7632a63ee79183994b0

SHA512
b2dcd19616b80ab2caa5b7ce835adc6eaebbb8b31cabccd50c806cb63a741bf2e41c3ebe45ab1e73e33be7295a8bc98ccab961fd57b888c15e133f28d076fc23

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
64KB

MD5
27da0712bbfcf970fedc39e6b74ac184

SHA1
78467665d606a12d7b6e36199d22b39122496f09

SHA256
3bfc66ee4bea4f08e3554802e2702dca1ef7568792ccdb010351a6fd25ea823c

SHA512
b41a033ea3674662d9209f33bfb9f7575b5953e4262341270e57bab31e32d9315489ca87de0b6acc6b95951ad859205185bfbbcb390868dc8ab597fa9f64f7d6

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
9.3MB

MD5
f37d547457d49fce0ee9ba7137c7a218

SHA1
616f44b96529474d3c7014e5a498e7168e10a04d

SHA256
3ad312ee9b1f399c91c4b02274b5a36df93377411230d4b596053bfebb38a93d

SHA512
738980debda6e9a20eab73d34f368233d6548ed94f6afb049f2c013ffbcfec6df66cb1c897cd7e5dda3122914c2ccfb78f994d5dd1078d3047fa2fd70261e0e6

Download Submit
memory/1948-10-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1948-11-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1948-14-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-9-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-6-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-13-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1948-7-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/1948-12-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/1948-8-0x0000000002810000-0x0000000002890000-memory.dmp

Filesize
512KB

Download
memory/2180-28-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-26-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2180-25-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2180-22-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2180-27-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2180-23-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2180-24-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-45-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-49-0x0000000002C40000-0x0000000002CC0000-memory.dmp

Filesize
512KB

Download
memory/2776-50-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download
memory/2776-48-0x0000000002C40000-0x0000000002CC0000-memory.dmp

Filesize
512KB

Download
memory/2776-47-0x0000000002C40000-0x0000000002CC0000-memory.dmp

Filesize
512KB

Download
memory/2776-46-0x0000000002C40000-0x0000000002CC0000-memory.dmp

Filesize
512KB

Download
memory/2776-44-0x000007FEF5D00000-0x000007FEF669D000-memory.dmp

Filesize
9.6MB

Download