Windows Analysis Report
Aura.exe

Overview

General Information

Sample name: Aura.exe
Analysis ID: 1561474
MD5: 137e48d526e2a840e07d309edffaca30
SHA1: 294d908562372639119ff5fc7e0e4c8b528bd3f7
SHA256: 18344d1186a130b07d7f6da7fd4164ae5e03863873df9872bdd4151abef46df3
Tags: exeuser-4k95m

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number, etc.) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Aura.exe ReversingLabs: Detection: 36%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll Joe Sandbox ML: detected
Source: Aura.exe Joe Sandbox ML: detected
Source: Aura.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: Aura.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\user\Desktop\Aura.PDB source: Aura.exe, 00000000.00000002.2367346591.000000000077A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Aura.exe, 00000000.00000002.2367587213.0000000000B41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb, Cg source: Aura.exe, 00000000.00000002.2367587213.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Aura.exe, 00000000.00000002.2367587213.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERC939.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdbP source: Aura.exe, 00000000.00000002.2367587213.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERC939.tmp.dmp.6.dr
Source: Binary string: n0C:\Windows\mscorlib.pdb source: Aura.exe, 00000000.00000002.2367346591.000000000077A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERC939.tmp.dmp.6.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb@ source: Aura.exe, 00000000.00000002.2367587213.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC4FD2 FindFirstFileExW, 0_2_6CDC4FD2
Source: C:\Users\user\Desktop\Aura.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1CE638E1h 0_2_00394810
Source: C:\Users\user\Desktop\Aura.exe Code function: 4x nop then mov byte ptr [ebx], al 0_2_00372D30
Source: C:\Users\user\Desktop\Aura.exe Code function: 4x nop then movzx edx, byte ptr [esi+ecx-32907D79h] 0_2_0037F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edi, byte ptr [esp+ecx] 3_2_027C1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movsx eax, byte ptr [ebp+ecx+00h] 3_2_027C1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then jmp eax 3_2_027A1660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx ecx, byte ptr [esp+eax+08h] 3_2_0279F250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [edx], bl 3_2_02789630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov esi, edx 3_2_0278A220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [eax], cx 3_2_027AA6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov byte ptr [ebx], al 3_2_027A06B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov eax, edx 3_2_0278A2A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edx, byte ptr [esi+ecx-32907D79h] 3_2_027AD360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh 3_2_02781F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx edi, byte ptr [esp+ebx-652DDA2Ah] 3_2_02789300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx esi, byte ptr [esp+ecx+36h] 3_2_027A7C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov edx, ecx 3_2_027BD000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax 3_2_02787960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h] 3_2_02787960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then movzx esi, word ptr [ecx] 3_2_027985C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1CE638E1h 3_2_027C2190

Networking

Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 104.21.33.116:443
Source: Joe Sandbox View IP Address: 104.21.33.116
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 104.21.33.116:443
Source: global traffic HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: property-imper.sbs
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: unknown HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: property-imper.sbs
Source: Aura.exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: Aura.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Aura.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Aura.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: Aura.exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: Aura.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Aura.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Aura.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Aura.exe String found in binary or memory: http://ocsp.digicert.com0
Source: Aura.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Aura.exe String found in binary or memory: http://ocsp.entrust.net02
Source: Aura.exe String found in binary or memory: http://ocsp.entrust.net03
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: Aura.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Aura.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/
Source: aspnet_regiis.exe, 00000003.00000002.2075233661.0000000002A86000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/Qq
Source: aspnet_regiis.exe, 00000003.00000003.2070154688.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075233661.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api
Source: aspnet_regiis.exe, 00000003.00000003.2070154688.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.00000000029FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api%
Source: aspnet_regiis.exe, 00000003.00000002.2075233661.0000000002A80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2072356098.0000000002A7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiNlV&
Source: Aura.exe String found in binary or memory: https://www.entrust.net/rpa0
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027B4F00 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 3_2_027B4F00

System Summary

Source: Aura.exe Static PE information: section name: $;3F&L
Source: Aura.exe Static PE information: section name:
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDB87F0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,VirtualAlloc,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtGetContextThread,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,VirtualAlloc, 0_2_6CDB87F0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDB6750 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,GetModuleHandleW, 0_2_6CDB6750
Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMP11BB.tmp
Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP1E79.tmp
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00372AB0 0_2_00372AB0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_003720F0 0_2_003720F0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00372D30 0_2_00372D30
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_0038FB10 0_2_0038FB10
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00387160 0_2_00387160
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00373F40 0_2_00373F40
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_0038CD90 0_2_0038CD90
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00387390 0_2_00387390
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_0038BFF0 0_2_0038BFF0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDB1530 0_2_6CDB1530
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDB87F0 0_2_6CDB87F0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDB6750 0_2_6CDB6750
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDB1000 0_2_6CDB1000
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDB8290 0_2_6CDB8290
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC0A10 0_2_6CDC0A10
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDCAFA1 0_2_6CDCAFA1
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_0038E0D0 0_2_0038E0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027BA710 3_2_027BA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0278D3D0 3_2_0278D3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0278B0D0 3_2_0278B0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0279FA70 3_2_0279FA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027C1670 3_2_027C1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02785E60 3_2_02785E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027A1660 3_2_027A1660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02786E50 3_2_02786E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0279F250 3_2_0279F250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027BAE50 3_2_027BAE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027A8640 3_2_027A8640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027886E0 3_2_027886E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027AA6E0 3_2_027AA6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027B4AE0 3_2_027B4AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02789AD0 3_2_02789AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027A06B0 3_2_027A06B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0278E73F 3_2_0278E73F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02786320 3_2_02786320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027827F0 3_2_027827F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027C2FF0 3_2_027C2FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027B9BD0 3_2_027B9BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02782B90 3_2_02782B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02783F80 3_2_02783F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027C2780 3_2_027C2780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02799450 3_2_02799450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027A7C30 3_2_027A7C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027A0430 3_2_027A0430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027BD000 3_2_027BD000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027A18C0 3_2_027A18C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027BB4B0 3_2_027BB4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027BD490 3_2_027BD490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0279A08D 3_2_0279A08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02799882 3_2_02799882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027A5570 3_2_027A5570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027B9970 3_2_027B9970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02787960 3_2_02787960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02798940 3_2_02798940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027B4D10 3_2_027B4D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0278B5F0 3_2_0278B5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027849E0 3_2_027849E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027869C0 3_2_027869C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027A39B0 3_2_027A39B0
Source: C:\Users\user\Desktop\Aura.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1228
Source: Aura.exe Static PE information: invalid certificate
Source: Aura.exe, 00000000.00000000.2021830455.00000000003E2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQuinnAvaKaitlyn.tSyST vs Aura.exe
Source: Aura.exe, 00000000.00000002.2367587213.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Aura.exe
Source: Aura.exe Binary or memory string: OriginalFilenameQuinnAvaKaitlyn.tSyST vs Aura.exe
Source: Aura.exe Static PE information: Section: $;3F&L ZLIB complexity 1.0003169993455496
Source: classification engine Classification label: mal100.evad.winEXE@6/12@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027BA710 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 3_2_027BA710
Source: C:\Users\user\Desktop\Aura.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll
Source: C:\Users\user\Desktop\Aura.exe Mutant created: NULL
Source: C:\Windows\System32\SIHClient.exe Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4956:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2836
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\be81a78e-517a-4563-a11a-51458097df82
Source: Aura.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Aura.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Aura.exe String found in binary or memory: -addpset
Source: Aura.exe String found in binary or memory: -addfulltrust
Source: Aura.exe String found in binary or memory: -addgroup
Source: Aura.exe String found in binary or memory: -help
Source: C:\Users\user\Desktop\Aura.exe File read: C:\Users\user\Desktop\Aura.exe
Source: unknown Process created: C:\Users\user\Desktop\Aura.exe "C:\Users\user\Desktop\Aura.exe"
Source: C:\Users\user\Desktop\Aura.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Aura.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Aura.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2836 -s 1228
Source: C:\Users\user\Desktop\Aura.exe Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv jMwXD3dEvUmoR35eQmr9Ww.0.2
Source: C:\Users\user\Desktop\Aura.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Aura.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Aura.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Aura.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Aura.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data Obfuscation

Source: C:\Users\user\Desktop\Aura.exe Unpacked PE file: 0.2.Aura.exe.330000.0.unpack $;3F&L:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_003369B6 push eax; iretd 0_2_003369BB
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_003371FE push esp; iretd 0_2_00337208
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_00336FFC push esp; iretd 0_2_00337002
Source: Aura.exe Static PE information: section name: $;3F&L entropy: 7.999725121175837
Source: C:\Users\user\Desktop\Aura.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll
Source: C:\Users\user\Desktop\Aura.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Aura.exe PID: 2836, type: MEMORYSTR
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: D40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 2750000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 2680000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 4D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 5D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 5EA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 6EA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 71F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: 81F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 6516 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 2412 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC4FD2 FindFirstFileExW, 0_2_6CDC4FD2
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2070154688.00000000029FC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.00000000029FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8-
Source: aspnet_regiis.exe, 00000003.00000003.2070154688.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2075123056.0000000002A34000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000002.2612119697.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2220130489.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2611620582.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2219902536.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2220763050.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2221132911.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: SIHClient.exe, 00000008.00000002.2612119697.0000029D85958000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2611620582.0000029D85958000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: SIHClient.exe, 00000008.00000002.2612119697.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2220130489.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2611620582.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2219902536.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2220763050.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000008.00000003.2221132911.0000029D859A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Aura.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_027BFAC0 LdrInitializeThunk, 3_2_027BFAC0
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC491A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CDC491A
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC48E9 mov eax, dword ptr fs:[00000030h] 0_2_6CDC48E9
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC3715 mov eax, dword ptr fs:[00000030h] 0_2_6CDC3715
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC64FC GetProcessHeap, 0_2_6CDC64FC
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC1AB1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CDC1AB1
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC1F8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CDC1F8A
Source: C:\Users\user\Desktop\Aura.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Aura.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2780000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2780000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2780000
Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2781000
Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27C4000
Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27C7000
Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D8000
Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27D9000
Source: C:\Users\user\Desktop\Aura.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2586008
Source: C:\Users\user\Desktop\Aura.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC2158 cpuid 0_2_6CDC2158
Source: C:\Users\user\Desktop\Aura.exe Queries volume information: C:\Users\user\Desktop\Aura.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Aura.exe Code function: 0_2_6CDC1BD3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6CDC1BD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe