Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
29-06-2024 15:49
General
-
Target
Aura.exe
-
Size
343KB
-
MD5
5b82f58dfef767e24021ffc205c14b18
-
SHA1
1cf35a41bc428fd46c96069dd592b81b2da558aa
-
SHA256
f45bdf5984dca63e9cb56eedf128d8a720d75df58c60d9943f859a7f5bea337a
-
SHA512
5e14390ad5526edc775fb2182e5ac101d3d0ee14ee64f4a2a15a8b3092d7afbd72ca475096257121683e69420129b1b3daf44cba3c0de9a8481a086d79182bb7
-
SSDEEP
3072:TMu8A44fzQZ4B34rke1wk1OFvGtg7BZOUXmFOwlpXsvGtg7BZGUXObOw+pb:KAMZ4c6FvT7/tmFzyvT7/FObQ
Malware Config
Signatures
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Detected phishing page
-
Program crash 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Aura.exe"C:\Users\Admin\AppData\Local\Temp\Aura.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 10642⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4932 -ip 49321⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffc7e946f8,0x7fffc7e94708,0x7fffc7e947182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1980,14851016632793113005,370546808651540600,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5568 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3b4 0x2fc1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD587f7abeb82600e1e640b843ad50fe0a1
SHA1045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
1024KB
MD5214b2fa780663e5b1778c56a8c0c63fd
SHA12a82b012c67b9f595eb9d236514bdc5fd69f99e1
SHA256916ba93a76b04c7ba7dd845ba5df93b495016834581ea315af3b99207251cf47
SHA5126d1b74be3c6db291094fd464f4a6e9495e5d88eae0ab98cd94c27c2d201cc002c5dbac312157693ffb97504b14b1137f6faece68e5bce762a215d58466555ec7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
168B
MD560757ef592dc14e27b4b2758b235a2d9
SHA1b7945d1802b491c901b3d2d74999ef8e3ca4f613
SHA25663867e26bf4cbabaeb9ef97f3735542338f3987c47c5fbde8974efc232604c48
SHA5127efde2848999767e91f24cca117cdca3e0a0653b1d8e269f2c61823e3e925ff971d274aecc5cf53db53e0715fe872c94201dc734bda07d325929971a32b4f391
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
467B
MD5e2595ecfcd3989b1b758ffc69129b7a0
SHA1ad0be3535b21d3a89e399a3e818153248ecbd2cd
SHA256cd11be11cb84bf9706a08292e2f9e51218992fcb9d9096926347266378a87be3
SHA512484271d63bda72a261ffd97e86a139a5db43c7bd071d520a359c76bd1e1d5a8950520eee6ade491c16e269d2520d5c3d51cebba9f2614b8ba9b027adc5634c22
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5734399c0a328b47978368248a2e7a058
SHA177a1b74ae8d01bb9927815dc131b77df0afab595
SHA2567a2473722962a713c56866942e22cabd44827ac66c176e04a326d33df260eebe
SHA512acc30aba23782f62ffd3d1ab7dcb116b47499e47c638091934692ed2cf11a0fcd99338a4ced2b305205735c37d8c1733d50310a1508bbc13eff6d79142f46f29
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5a92c5383a518c282d452615f22e37415
SHA10a81ee556193d7bcb65b5dd63bc54977bd7abda8
SHA2566a2dd5477d0ddd8e06624f7f97937dc3cf9b5e43373851c2ac7c57492c097705
SHA51280a91a55eb5ab3b7eba519fc975afad593e0a25b988e589e20cc7b7b40abd8e25009da1881e695080e191befde13e61bb7dc00897e5c0dcf41819b021e2eb7ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5acd0c78cfbc33a593f46254552befe3a
SHA1163667bd87a23143bf35e2400a02210beb236036
SHA2564012b1ba6e03c4c32b5d4740b964ed73532d0a81259160b8d450085451dfec79
SHA512178ca8ca349048562f127fbb8ce8427a840895cb31d9874d70e1b49a3a1db12cf577a230e50b2b0ee32ed738c2f896d18072eb36b7dda3ada75e72440e4b92c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ac5913d1-823e-4e6b-a9eb-42ea57ad897f.tmpFilesize
6KB
MD528234147f3aab1916c849b9adb9dcc3d
SHA11457d4c7d6f6934a1790235232dc01c8c4e2a673
SHA25688ab6dbaa29a893df35345cae5f1ef2cee3c40f3a11c1e1c878ebb6021775e44
SHA512018c1533156286189ff3befeb4b725218a234aa192de74ceca3d00cefcb800300ae4c4b10178dd2898417d41580de1b51e9d9191517d8a498c565a197164e266
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD53ea448ff1e2c8044320246a01e36af27
SHA1fa5f5d0661fb7aca46d1f63e70a9dc61a8d505ae
SHA2567d151ebb25b14dbc15b3f4b5faf487f6bc8f6ba86993bc470e9bca50469787e1
SHA512e353ad685c925bf401f0e8967690f9379c846acc450682a35d74fd17edcfb3426e64cb119831f53fe2feaf02653c0118d06e15addb34bcc66a2c57e2a69fadec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
10KB
MD50b7f221b322c465a378b860277de3979
SHA1570877e92562f7a705378846658e4c96810e64e3
SHA2568eeaac47ab73ccf15aa0cf04b35ac6ff7f59f0a50065a9322a71ed313ff67fc7
SHA512c8e88ad8278284ce47e25cf33c956d4ee200f34d76327a7ae7bee7e6b6581a8b974d79ce7b16fbde681251548f1d858996be71503dc4edb9974660c6363aa1cf
-
\??\pipe\LOCAL\crashpad_3876_YDORVFRWCPNWBVPAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4932-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmpFilesize
4KB
-
memory/4932-3-0x0000000074A50000-0x0000000075200000-memory.dmpFilesize
7.7MB
-
memory/4932-2-0x0000000074A50000-0x0000000075200000-memory.dmpFilesize
7.7MB
-
memory/4932-1-0x00000000004E0000-0x000000000053C000-memory.dmpFilesize
368KB