Edit tour

Windows Analysis Report
https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win

Overview

General Information

Sample URL:	https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win
Analysis ID:	1428697

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Enables debug privileges

Stores files to the Windows start menu directory

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

System is w10x64_ra

chrome.exe (PID: 7040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 3704 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1956,i,12269075984306992411,5489090037202435979,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

rundll32.exe (PID: 7536 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

aurora-agent-64.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe" MD5: F8C72C8C6CF68119F4991D764BEB6A70)

aurora-agent-64.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe" MD5: F8C72C8C6CF68119F4991D764BEB6A70)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win	HTTP Parser: No favicon
Source: https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win	HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 23.55.253.34:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.253.34:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:49718 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 23.55.253.34
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203

Source: unknown

DNS traffic detected: queries for: update1.nextron-systems.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 23.55.253.34:443 -> 192.168.2.16:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.253.34:443 -> 192.168.2.16:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.16:49718 version: TLS 1.2

Source: classification engine

Classification label: clean1.win@20/12@6/80

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03

Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe

File opened: C:\Windows\system32\77f94e831ececf7dd57afd28c1df76bbc7d87e73f210314e550f03609ad4a2e7AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1956,i,12269075984306992411,5489090037202435979,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1956,i,12269075984306992411,5489090037202435979,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe "C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe "C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe"
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: tdh.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe

File opened: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\config\false-positives.cfg

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\Temp1_aurora-agent-lite-win-pack.zip\aurora-agent-64.exe

Process token adjusted: Debug

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Rundll32	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
update1.nextron-systems.com	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
update1.nextron-systems.com	87.106.126.89	true	false	0%, Virustotal, Browse	unknown
www.google.com	142.251.15.147	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
64.233.185.113	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
87.106.126.89	update1.nextron-systems.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
64.233.185.94	unknown	United States	15169	GOOGLEUS	false
142.251.15.84	unknown	United States	15169	GOOGLEUS	false
142.251.15.147	www.google.com	United States	15169	GOOGLEUS	false
172.253.124.138	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428697
Start date and time:	2024-04-19 11:55:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean1.win@20/12@6/80

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 64.233.185.94, 172.253.124.138, 172.253.124.100, 172.253.124.113, 172.253.124.102, 172.253.124.139, 172.253.124.101, 142.251.15.84, 34.104.35.123
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, edgedl.me.gvt1.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 08:56:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.987583522777037
Encrypted:	false
SSDEEP:
MD5:	87E39B4F13EE1AD08D9E294C11159811
SHA1:	DBF8EE240C4A8C34773ADB1683DA0580F488BE2B
SHA-256:	9E282B197310C9909C646E4B1EBB09B61B177D7B2B7754626AB1016BF8C90333
SHA-512:	CD1508C87303DA6316E95F4F71CE4D230E09BB8D41757443448D4C0127C4537AE9203BBA355905603DE96EB48DC062174C28FD906DA7B0FADC500D7EA6C2E9C7
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......?...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.O....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.O....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.O....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.O..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.O...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............)z.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 08:56:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.003483210891411
Encrypted:	false
SSDEEP:
MD5:	C8CA183E0EBCBD76E6EEF725FA215010
SHA1:	7D8B3783E8806904462B259EFB1245CFE2F70598
SHA-256:	267980FF2A8EAC1D949BEE1C78BFCD657A1961154AE227B01BB1926272389E50
SHA-512:	9993DEE313366B43B710CC9148FFF8EBD3406165752B350B54B6FA468B8E15A624DF7B2E4AA8167DA5814EC3A2910CFBE6C98243E8B20160A4E31E55DF3EFEB6
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,........?...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.O....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.O....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.O....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.O..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.O...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............)z.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.0096411287956535
Encrypted:	false
SSDEEP:
MD5:	003F1433EDD9B877ED03AC70E207DA2F
SHA1:	4842741A1C0B88DC2465047B65C906AA502327C5
SHA-256:	C9F3192780B46F213A6D283F10F9F4F723F74125D306D8B3774A574BA5F1128E
SHA-512:	A3BC87E56B285C66E6F174F2C4FBD038CF456FD39A133992F4C2F68BE3D2596FD367FB56608AE17467D910861CF8ECFEFA7088D2C736E0D695667B3BE0706E38
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.O....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.O....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.O....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.O..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............)z.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 08:56:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9998992062022296
Encrypted:	false
SSDEEP:
MD5:	421619F20D7506879BB873EE4A997AE3
SHA1:	8201333D87F6A1E6E85E5F27EEA546372C741012
SHA-256:	FDFDCEE621882CE3FD962BD382EA91566085603C700B144258E18E25A7B2B317
SHA-512:	9BC8C303E247001D039DF3D3CBFBFF98405EC8F18AAD7E63E3EB715AA7CDA5A32B0C8C53B37D00351130170AA3325B63374C278A71A5698DE790FE2DAEDDA0E5
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....l'..?...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.O....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.O....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.O....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.O..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.O...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............)z.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 08:56:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9905813211293513
Encrypted:	false
SSDEEP:
MD5:	412DBA8C01A4D7B1057A6A306ADE6E30
SHA1:	5B8827233D20695791D28FAF53A0F84793D405D3
SHA-256:	816F37FCBBF4B5F5D4841BB7BFA8E3941E0CB4504D613BA78ABECBDE8BC6A97D
SHA-512:	BD2F0B4556145251211B9DCF269081AA6866AB5240C827B4C5E4C6D52D18C1F71C1249DF155690001DF0DA34BB06E662C010707E7BC84CB568A85001429B1F72
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,........?...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.O....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.O....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.O....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.O..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.O...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............)z.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Apr 19 08:56:19 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.999694718802954
Encrypted:	false
SSDEEP:
MD5:	CF5551E6E55FFFA3A1B006B8488FF4F6
SHA1:	3CFBF55F7A8000EB7222F80E86E2EDE0F351F453
SHA-256:	0FCEB41A49A28F9CAF765AF5068023F92CD31E644F8882D9C09C3F279CF96A9B
SHA-512:	39FF5085CD92B8C627F2A2457B9DAB8B308118D84A4C923242698CC7C292C3AB1955AFBE689E936B7E95461B786550DE4586D338311AA69673711F1001928D01
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....M..?...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.O....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.O....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.O....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.O..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.O...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............)z.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\a87f6afb-320c-4e1b-ae83-ea9d9c2ea4c1.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	8343
Entropy (8bit):	7.957118131418628
Encrypted:	false
SSDEEP:
MD5:	4A2F47F51B4E00EA18BB7FA2A640D4C7
SHA1:	BCD38EECE7AC12197E3B827A6BB41E9143798FEF
SHA-256:	674A021C2080071933B894118CB06493CB1B056071C8C1B5F97E2F4C40AD11FD
SHA-512:	3416ECBBEAA566F71342234C9A8AF26A31DDE6E0EEF4396FB06F966BDEEF3A2B26801F46EB2608955E24D88B1188A866B44E55D856C5C4C535769FE992AD56DD
Malicious:	false
Reputation:	unknown
Preview:	PK.........E.X................signatures/UT..../"fux.............PK.........E.XP.,g............signatures/sigmarevUT..../"fux.............r2024-03-26-27-ga1a3b2969.PK.........E.X................signatures/iocs/UT..../"fux.............PK.........E.X1.N.......!...signatures/iocs/filename-iocs.datUT..../"fux.................@.E?...aI09g.sN..oZ..H=j.(^.{..v.v;..L....{....SJ6.... ~.@...'.`....c.!`.]....w...4..n`.;}b..8.d.T.&..s.{..:..p.q.V...=.....\j...~.p.B..}...7X7.a..).d...{.u..[........" .......R.w?.....f....D.O.,....B..t2?........u++.#.k.[.....b.-y.G..~...-....a...7.m].6...'<HT...5/0...9...7..Rc/...?."..Y.oL&.Un.Xn.....}.}....).k)fGjn.93..s..u.....Sh......i_-LA..7.L..m-.98}`.k.-.KR\3..g?......u..<F.{...X;........%.sb..SM1^.W.Xx.o.;/s..OB.M~..R..z.,M.k...;....'..v.@hc.A0..08.g-q.#....I4.A'};...5U.K.p7....}...B1`E.....}.J...A.ttg..?}s...A.Q../..&#....~v.x.........gY1..g.VQ..LO..8oP......1.Q?..K.]\L... wu....6.1./.l...X1{..H...>.)i.....*..gQS.f;c6...

C:\Users\user\Downloads\aurora-agent-lite-win-pack.zip (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	FC153A658C77C4A0328A79E38AC0F65F
SHA1:	A9B0BB5EE948B9EEACF3CA665C4EF0DA386D6918
SHA-256:	C94429D2DEB1D5672D770074650BB189AA8020474CEF14A62EBCD6EB21FC0D11
SHA-512:	463D4EB8B39073A945D9C959C3B4277FED6AAF0CCF7057AF15ED21D5260333D3FAFC5EB44921890067F15468973CFC207536E6E3DE1B22E6AFA52E0CDB28BE6D
Malicious:	false
Reputation:	unknown
Preview:	PK.........E.X................signatures/UT..../"fux.............PK.........E.XP.,g............signatures/sigmarevUT..../"fux.............r2024-03-26-27-ga1a3b2969.PK.........E.X................signatures/iocs/UT..../"fux.............PK.........E.X1.N.......!...signatures/iocs/filename-iocs.datUT..../"fux.................@.E?...aI09g.sN..oZ..H=j.(^.{..v.v;..L....{....SJ6.... ~.@...'.`....c.!`.]....w...4..n`.;}b..8.d.T.&..s.{..:..p.q.V...=.....\j...~.p.B..}...7X7.a..).d...{.u..[........" .......R.w?.....f....D.O.,....B..t2?........u++.#.k.[.....b.-y.G..~...-....a...7.m].6...'<HT...5/0...9...7..Rc/...?."..Y.oL&.Un.Xn.....}.}....).k)fGjn.93..s..u.....Sh......i_-LA..7.L..m-.98}`.k.-.KR\3..g?......u..<F.{...X;........%.sb..SM1^.W.Xx.o.;/s..OB.M~..R..z.,M.k...;....'..v.@hc.A0..08.g-q.#....I4.A'};...5U.K.p7....}...B1`E.....}.J...A.ttg..?}s...A.Q../..&#....~v.x.........gY1..g.VQ..LO..8oP......1.Q?..K.]\L... wu....6.1./.l...X1{..H...>.)i.....*..gQS.f;c6...

C:\Users\user\Downloads\aurora-agent-lite-win-pack.zip.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	28686578
Entropy (8bit):	7.990569392769954
Encrypted:	true
SSDEEP:
MD5:	FC153A658C77C4A0328A79E38AC0F65F
SHA1:	A9B0BB5EE948B9EEACF3CA665C4EF0DA386D6918
SHA-256:	C94429D2DEB1D5672D770074650BB189AA8020474CEF14A62EBCD6EB21FC0D11
SHA-512:	463D4EB8B39073A945D9C959C3B4277FED6AAF0CCF7057AF15ED21D5260333D3FAFC5EB44921890067F15468973CFC207536E6E3DE1B22E6AFA52E0CDB28BE6D
Malicious:	false
Reputation:	unknown
Preview:	PK.........E.X................signatures/UT..../"fux.............PK.........E.XP.,g............signatures/sigmarevUT..../"fux.............r2024-03-26-27-ga1a3b2969.PK.........E.X................signatures/iocs/UT..../"fux.............PK.........E.X1.N.......!...signatures/iocs/filename-iocs.datUT..../"fux.................@.E?...aI09g.sN..oZ..H=j.(^.{..v.v;..L....{....SJ6.... ~.@...'.`....c.!`.]....w...4..n`.;}b..8.d.T.&..s.{..:..p.q.V...=.....\j...~.p.B..}...7X7.a..).d...{.u..[........" .......R.w?.....f....D.O.,....B..t2?........u++.#.k.[.....b.-y.G..~...-....a...7.m].6...'<HT...5/0...9...7..Rc/...?."..Y.oL&.Un.Xn.....}.}....).k)fGjn.93..s..u.....Sh......i_-LA..7.L..m-.98}`.k.-.KR\3..g?......u..<F.{...X;........%.sb..SM1^.W.Xx.o.;/s..OB.M~..R..z.,M.k...;....'..v.@hc.A0..08.g-q.#....I4.A'};...5U.K.p7....}...B1`E.....}.J...A.ttg..?}s...A.Q../..&#....~v.x.........gY1..g.VQ..LO..8oP......1.Q?..K.]\L... wu....6.1./.l...X1{..H...>.)i.....*..gQS.f;c6...

Chrome Cache Entry: 65

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text
Category:	downloaded
Size (bytes):	114
Entropy (8bit):	4.462459947115376
Encrypted:	false
SSDEEP:
MD5:	BCC3EC9DF081E80EFE599ADC1CA3FB56
SHA1:	FFFFF12FF1F96757FB864AF08C59F71978AF3916
SHA-256:	29CFBA36A660097035110F9074732634EF0711C53A4CA4F1967E244B649D22F3
SHA-512:	3931FA5B946DAB1947F59A51540270842C0C3068FA940CAF1860A97ED8902EC30D9744E19A3576ADA62CE1BF85A534373AEAA4696443E793388D58361D817AF8
Malicious:	false
Reputation:	unknown
URL:	https://update1.nextron-systems.com/eulacheck.js
Preview:	$("#eula-check").click(function() {. $("#download").toggle(. $("#eula-check").prop("checked"). );.});

Chrome Cache Entry: 67

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 3 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	15086
Entropy (8bit):	2.2210521641135252
Encrypted:	false
SSDEEP:
MD5:	272E09A275448748EE79A2F9F268E82D
SHA1:	C52F10BB7008D0D49D98A7207B3D6D5B93E318F1
SHA-256:	E4CAB202C7FA676E6E549A099B3E2F81FC39EE525696EBF6A11C44365372FD8D
SHA-512:	192C6913E20313F231070C1015715B2D51724884D3DC69DD3604D6EB784E7BC13DEEA099B84051254A8401E10FF1AC4A6615C3B03F64F697A0A9FACB3868D52A
Malicious:	false
Reputation:	unknown
Preview:	......00.... ..%..6... .... ......%........ .h....6..(...0...`..... ......$........................................................................................................................................................................................................................................................................4............................................................................................................................................................................................................................................................................................................X.............................................................................................................................................................................

Chrome Cache Entry: 68

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (13668)
Category:	downloaded
Size (bytes):	18404
Entropy (8bit):	6.045889825054409
Encrypted:	false
SSDEEP:
MD5:	C1FC04C863F201125825245000E8851C
SHA1:	737C62259EF3EFC81F30AABD52E723EC933BA951
SHA-256:	9999EFF591D934DED15C96534A411DD6AF6DBC1BF1BD4A4ED8E382C4FD0C7898
SHA-512:	1AF903B616294B2164CACFC5E04E54FBC65BED40EDBD3F520196EFDA5BB02E04CED852FC0A55662384D7390E08D9ACEA71968007D23C7528B74D5591AD164FDD
Malicious:	false
Reputation:	unknown
URL:	https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">.<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">.<head>. <header>. <script src="jquery.js" type="text/javascript"></script>. <title>Nextron Software Downloads</title>. <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png">. <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png">. <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png">. <link rel="manifest" href="/manifest.json">. <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#5bbad5">. <meta name="theme-color" content="#ffffff">. <meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self' data:; style-src 'self';">. <style type="text/css">. #info {.

Chrome Cache Entry: 70

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65447)
Category:	downloaded
Size (bytes):	89501
Entropy (8bit):	5.289893677458563
Encrypted:	false
SSDEEP:
MD5:	8FB8FEE4FCC3CC86FF6C724154C49C42
SHA1:	B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
SHA-256:	FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
SHA-512:	F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
Malicious:	false
Reputation:	unknown
URL:	https://update1.nextron-systems.com/jquery.js
Preview:	/! jQuery v3.6.0 \| (c) OpenJS Foundation and other contributors \| jquery.org/license /.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n\|\|E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct

Static File Info

⊘No static file info

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\a87f6afb-320c-4e1b-ae83-ea9d9c2ea4c1.tmp

C:\Users\user\Downloads\aurora-agent-lite-win-pack.zip (copy)

C:\Users\user\Downloads\aurora-agent-lite-win-pack.zip.crdownload

Chrome Cache Entry: 65

Chrome Cache Entry: 67

Chrome Cache Entry: 68

Chrome Cache Entry: 70

Static File Info

Windows Analysis Report
https://update1.nextron-systems.com/getlite.php?type=aurora-agent-lite-win