aurora | 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d

General

Target

tmp.exe
Size

6.2MB
MD5

9b34a1a535c29e31915e4b8993d9bb5e
SHA1

3801b45b01a1ddc836a10f9a4e28bb368bc958de
SHA256

51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d
SHA512

0701c9d84a14077fa5bb2a29abef21d1c67a36bedc6e4a9d0d50b6cb336d9c56ba0c0f823ecd6f31fd28847092bf3a2318f7dc3c1505ace26383523fb598dd09
SSDEEP

196608:ANOniBSEhRELqS/ohbK9iRs5Vb9sybbsx0rnsEniAd96:ANOniBSEhRELqS/ohW9iRs5Vb9sybbs9

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.112:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Executes dropped EXE 2 IoCs

Processes:

meetrounov.exemeetrounov.exe

pid process

824 meetrounov.exe
284 meetrounov.exe
Loads dropped DLL 1 IoCs

Processes:

meetrounov.exe

pid process

824 meetrounov.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
824	meetrounov.exe
284	meetrounov.exe

pid	process
824	meetrounov.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

meetrounov.exe

description pid process target process

PID 824 set thread context of 284 824 meetrounov.exe meetrounov.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

772 powershell.exe

description	pid	process	target process
PID 824 set thread context of 284	824	meetrounov.exe	meetrounov.exe

pid	process
772	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

meetrounov.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	824	meetrounov.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: 33	1568	wmic.exe
Token: 34	1568	wmic.exe
Token: 35	1568	wmic.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: 33	1568	wmic.exe
Token: 34	1568	wmic.exe
Token: 35	1568	wmic.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe
Token: SeTakeOwnershipPrivilege	916	WMIC.exe
Token: SeLoadDriverPrivilege	916	WMIC.exe
Token: SeSystemProfilePrivilege	916	WMIC.exe
Token: SeSystemtimePrivilege	916	WMIC.exe
Token: SeProfSingleProcessPrivilege	916	WMIC.exe
Token: SeIncBasePriorityPrivilege	916	WMIC.exe
Token: SeCreatePagefilePrivilege	916	WMIC.exe
Token: SeBackupPrivilege	916	WMIC.exe
Token: SeRestorePrivilege	916	WMIC.exe
Token: SeShutdownPrivilege	916	WMIC.exe
Token: SeDebugPrivilege	916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	916	WMIC.exe
Token: SeRemoteShutdownPrivilege	916	WMIC.exe
Token: SeUndockPrivilege	916	WMIC.exe
Token: SeManageVolumePrivilege	916	WMIC.exe
Token: 33	916	WMIC.exe
Token: 34	916	WMIC.exe
Token: 35	916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

tmp.exemeetrounov.exemeetrounov.execmd.execmd.exe

description	pid	process	target process
PID 1376 wrote to memory of 824	1376	tmp.exe	meetrounov.exe
PID 1376 wrote to memory of 824	1376	tmp.exe	meetrounov.exe
PID 1376 wrote to memory of 824	1376	tmp.exe	meetrounov.exe
PID 1376 wrote to memory of 824	1376	tmp.exe	meetrounov.exe
PID 824 wrote to memory of 772	824	meetrounov.exe	powershell.exe
PID 824 wrote to memory of 772	824	meetrounov.exe	powershell.exe
PID 824 wrote to memory of 772	824	meetrounov.exe	powershell.exe
PID 824 wrote to memory of 772	824	meetrounov.exe	powershell.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 824 wrote to memory of 284	824	meetrounov.exe	meetrounov.exe
PID 284 wrote to memory of 1568	284	meetrounov.exe	wmic.exe
PID 284 wrote to memory of 1568	284	meetrounov.exe	wmic.exe
PID 284 wrote to memory of 1568	284	meetrounov.exe	wmic.exe
PID 284 wrote to memory of 1568	284	meetrounov.exe	wmic.exe
PID 284 wrote to memory of 1628	284	meetrounov.exe	cmd.exe
PID 284 wrote to memory of 1628	284	meetrounov.exe	cmd.exe
PID 284 wrote to memory of 1628	284	meetrounov.exe	cmd.exe
PID 284 wrote to memory of 1628	284	meetrounov.exe	cmd.exe
PID 1628 wrote to memory of 916	1628	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 916	1628	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 916	1628	cmd.exe	WMIC.exe
PID 1628 wrote to memory of 916	1628	cmd.exe	WMIC.exe
PID 284 wrote to memory of 1572	284	meetrounov.exe	cmd.exe
PID 284 wrote to memory of 1572	284	meetrounov.exe	cmd.exe
PID 284 wrote to memory of 1572	284	meetrounov.exe	cmd.exe
PID 284 wrote to memory of 1572	284	meetrounov.exe	cmd.exe
PID 1572 wrote to memory of 1704	1572	cmd.exe	WMIC.exe
PID 1572 wrote to memory of 1704	1572	cmd.exe	WMIC.exe
PID 1572 wrote to memory of 1704	1572	cmd.exe	WMIC.exe
PID 1572 wrote to memory of 1704	1572	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
5⤵
PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
7634ebd082abbba35a8e6a300ec83c51

SHA1
953666e70fbed932e4bed446f1d1e432781972b7

SHA256
792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f

SHA512
6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
memory/284-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-91-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/284-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/284-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-71-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/772-70-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/772-69-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/772-68-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/772-67-0x00000000023A0000-0x00000000023E0000-memory.dmp

Filesize
256KB

Download
memory/824-63-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/824-61-0x0000000004EF0000-0x00000000050C0000-memory.dmp

Filesize
1.8MB

Download
memory/824-62-0x00000000053A0000-0x00000000054D8000-memory.dmp

Filesize
1.2MB

Download
memory/824-64-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/824-60-0x00000000009D0000-0x0000000000D92000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads