aurora | 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d

General

Target

tmp.exe
Size

6.2MB
MD5

9b34a1a535c29e31915e4b8993d9bb5e
SHA1

3801b45b01a1ddc836a10f9a4e28bb368bc958de
SHA256

51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d
SHA512

0701c9d84a14077fa5bb2a29abef21d1c67a36bedc6e4a9d0d50b6cb336d9c56ba0c0f823ecd6f31fd28847092bf3a2318f7dc3c1505ace26383523fb598dd09
SSDEEP

196608:ANOniBSEhRELqS/ohbK9iRs5Vb9sybbsx0rnsEniAd96:ANOniBSEhRELqS/ohW9iRs5Vb9sybbs9

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.112:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Executes dropped EXE 2 IoCs

Processes:

meetrounov.exemeetrounov.exe

pid process

836 meetrounov.exe
1344 meetrounov.exe
Loads dropped DLL 1 IoCs

Processes:

meetrounov.exe

pid process

836 meetrounov.exe

pid	process
836	meetrounov.exe
1344	meetrounov.exe

pid	process
836	meetrounov.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

meetrounov.exe

description pid process target process

PID 836 set thread context of 1344 836 meetrounov.exe meetrounov.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1464 powershell.exe

description	pid	process	target process
PID 836 set thread context of 1344	836	meetrounov.exe	meetrounov.exe

pid	process
1464	powershell.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

meetrounov.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	836	meetrounov.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeIncreaseQuotaPrivilege	1648	wmic.exe
Token: SeSecurityPrivilege	1648	wmic.exe
Token: SeTakeOwnershipPrivilege	1648	wmic.exe
Token: SeLoadDriverPrivilege	1648	wmic.exe
Token: SeSystemProfilePrivilege	1648	wmic.exe
Token: SeSystemtimePrivilege	1648	wmic.exe
Token: SeProfSingleProcessPrivilege	1648	wmic.exe
Token: SeIncBasePriorityPrivilege	1648	wmic.exe
Token: SeCreatePagefilePrivilege	1648	wmic.exe
Token: SeBackupPrivilege	1648	wmic.exe
Token: SeRestorePrivilege	1648	wmic.exe
Token: SeShutdownPrivilege	1648	wmic.exe
Token: SeDebugPrivilege	1648	wmic.exe
Token: SeSystemEnvironmentPrivilege	1648	wmic.exe
Token: SeRemoteShutdownPrivilege	1648	wmic.exe
Token: SeUndockPrivilege	1648	wmic.exe
Token: SeManageVolumePrivilege	1648	wmic.exe
Token: 33	1648	wmic.exe
Token: 34	1648	wmic.exe
Token: 35	1648	wmic.exe
Token: SeIncreaseQuotaPrivilege	1648	wmic.exe
Token: SeSecurityPrivilege	1648	wmic.exe
Token: SeTakeOwnershipPrivilege	1648	wmic.exe
Token: SeLoadDriverPrivilege	1648	wmic.exe
Token: SeSystemProfilePrivilege	1648	wmic.exe
Token: SeSystemtimePrivilege	1648	wmic.exe
Token: SeProfSingleProcessPrivilege	1648	wmic.exe
Token: SeIncBasePriorityPrivilege	1648	wmic.exe
Token: SeCreatePagefilePrivilege	1648	wmic.exe
Token: SeBackupPrivilege	1648	wmic.exe
Token: SeRestorePrivilege	1648	wmic.exe
Token: SeShutdownPrivilege	1648	wmic.exe
Token: SeDebugPrivilege	1648	wmic.exe
Token: SeSystemEnvironmentPrivilege	1648	wmic.exe
Token: SeRemoteShutdownPrivilege	1648	wmic.exe
Token: SeUndockPrivilege	1648	wmic.exe
Token: SeManageVolumePrivilege	1648	wmic.exe
Token: 33	1648	wmic.exe
Token: 34	1648	wmic.exe
Token: 35	1648	wmic.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

tmp.exemeetrounov.exemeetrounov.exe

description	pid	process	target process
PID 1368 wrote to memory of 836	1368	tmp.exe	meetrounov.exe
PID 1368 wrote to memory of 836	1368	tmp.exe	meetrounov.exe
PID 1368 wrote to memory of 836	1368	tmp.exe	meetrounov.exe
PID 1368 wrote to memory of 836	1368	tmp.exe	meetrounov.exe
PID 836 wrote to memory of 1464	836	meetrounov.exe	powershell.exe
PID 836 wrote to memory of 1464	836	meetrounov.exe	powershell.exe
PID 836 wrote to memory of 1464	836	meetrounov.exe	powershell.exe
PID 836 wrote to memory of 1464	836	meetrounov.exe	powershell.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 836 wrote to memory of 1344	836	meetrounov.exe	meetrounov.exe
PID 1344 wrote to memory of 1648	1344	meetrounov.exe	wmic.exe
PID 1344 wrote to memory of 1648	1344	meetrounov.exe	wmic.exe
PID 1344 wrote to memory of 1648	1344	meetrounov.exe	wmic.exe
PID 1344 wrote to memory of 1648	1344	meetrounov.exe	wmic.exe
PID 1344 wrote to memory of 280	1344	meetrounov.exe	cmd.exe
PID 1344 wrote to memory of 280	1344	meetrounov.exe	cmd.exe
PID 1344 wrote to memory of 280	1344	meetrounov.exe	cmd.exe
PID 1344 wrote to memory of 280	1344	meetrounov.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
PID:280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
304.8MB

MD5
52dc0d47308029fc8ecc1a87a6aef2a6

SHA1
ece6df4d7374d54daf88f20de9deb052926edef6

SHA256
ec4176a51546636a068eca509916f0ee8041fcecce14dd0768c26ab46e3e1334

SHA512
ebfb7f96e7f7e3e72e9a6df11076ff53f9e551ef46886d004d2f48cbb3d55e8dfe6af47ed2886d747a6013f20612ee8d52290610e45b59f913653368ccded987

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
313.5MB

MD5
343c05ac9448cb89ec2476af5ee1f51b

SHA1
e10c8e63c77543f65067a36a8d93520801f0d815

SHA256
992333b031e926e2adc3719ae86908ba8e4706a9d5c8b2398ea46f8d336209c2

SHA512
0f94361accf385605d7fd74d7a5f107c9e3978a4b64099f274ef329c35f477cd643901e6df2fa40539510b195a241308ccc3b0f1d14ffd4dea34ccf0ac122232

Download Submit
memory/836-60-0x00000000011B0000-0x0000000001572000-memory.dmp

Filesize
3.8MB

Download
memory/836-61-0x0000000004D60000-0x0000000004F30000-memory.dmp

Filesize
1.8MB

Download
memory/836-62-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/836-63-0x0000000001000000-0x0000000001138000-memory.dmp

Filesize
1.2MB

Download
memory/836-64-0x0000000000AD0000-0x0000000000B10000-memory.dmp

Filesize
256KB

Download
memory/1344-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1344-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-91-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1344-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1464-67-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/1464-70-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/1464-68-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/1464-69-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/1464-71-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads