aurora | 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d

General

Target

9b34a1a535c29e31915e4b8993d9bb5e.exe
Size

6.2MB
MD5

9b34a1a535c29e31915e4b8993d9bb5e
SHA1

3801b45b01a1ddc836a10f9a4e28bb368bc958de
SHA256

51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d
SHA512

0701c9d84a14077fa5bb2a29abef21d1c67a36bedc6e4a9d0d50b6cb336d9c56ba0c0f823ecd6f31fd28847092bf3a2318f7dc3c1505ace26383523fb598dd09
SSDEEP

196608:ANOniBSEhRELqS/ohbK9iRs5Vb9sybbsx0rnsEniAd96:ANOniBSEhRELqS/ohW9iRs5Vb9sybbs9

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.112:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Executes dropped EXE 3 IoCs

Processes:

meetrounov.exemeetrounov.exemeetrounov.exe

pid process

832 meetrounov.exe
1352 meetrounov.exe
808 meetrounov.exe
Loads dropped DLL 2 IoCs

Processes:

meetrounov.exe

pid process

832 meetrounov.exe
832 meetrounov.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
832	meetrounov.exe
1352	meetrounov.exe
808	meetrounov.exe

pid	process
832	meetrounov.exe
832	meetrounov.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9b34a1a535c29e31915e4b8993d9bb5e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	9b34a1a535c29e31915e4b8993d9bb5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b34a1a535c29e31915e4b8993d9bb5e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

meetrounov.exe

description pid process target process

PID 832 set thread context of 808 832 meetrounov.exe meetrounov.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exemeetrounov.exe

pid process

684 powershell.exe
832 meetrounov.exe

description	pid	process	target process
PID 832 set thread context of 808	832	meetrounov.exe	meetrounov.exe

pid	process
684	powershell.exe
832	meetrounov.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

meetrounov.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	832	meetrounov.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeIncreaseQuotaPrivilege	992	wmic.exe
Token: SeSecurityPrivilege	992	wmic.exe
Token: SeTakeOwnershipPrivilege	992	wmic.exe
Token: SeLoadDriverPrivilege	992	wmic.exe
Token: SeSystemProfilePrivilege	992	wmic.exe
Token: SeSystemtimePrivilege	992	wmic.exe
Token: SeProfSingleProcessPrivilege	992	wmic.exe
Token: SeIncBasePriorityPrivilege	992	wmic.exe
Token: SeCreatePagefilePrivilege	992	wmic.exe
Token: SeBackupPrivilege	992	wmic.exe
Token: SeRestorePrivilege	992	wmic.exe
Token: SeShutdownPrivilege	992	wmic.exe
Token: SeDebugPrivilege	992	wmic.exe
Token: SeSystemEnvironmentPrivilege	992	wmic.exe
Token: SeRemoteShutdownPrivilege	992	wmic.exe
Token: SeUndockPrivilege	992	wmic.exe
Token: SeManageVolumePrivilege	992	wmic.exe
Token: 33	992	wmic.exe
Token: 34	992	wmic.exe
Token: 35	992	wmic.exe
Token: SeIncreaseQuotaPrivilege	992	wmic.exe
Token: SeSecurityPrivilege	992	wmic.exe
Token: SeTakeOwnershipPrivilege	992	wmic.exe
Token: SeLoadDriverPrivilege	992	wmic.exe
Token: SeSystemProfilePrivilege	992	wmic.exe
Token: SeSystemtimePrivilege	992	wmic.exe
Token: SeProfSingleProcessPrivilege	992	wmic.exe
Token: SeIncBasePriorityPrivilege	992	wmic.exe
Token: SeCreatePagefilePrivilege	992	wmic.exe
Token: SeBackupPrivilege	992	wmic.exe
Token: SeRestorePrivilege	992	wmic.exe
Token: SeShutdownPrivilege	992	wmic.exe
Token: SeDebugPrivilege	992	wmic.exe
Token: SeSystemEnvironmentPrivilege	992	wmic.exe
Token: SeRemoteShutdownPrivilege	992	wmic.exe
Token: SeUndockPrivilege	992	wmic.exe
Token: SeManageVolumePrivilege	992	wmic.exe
Token: 33	992	wmic.exe
Token: 34	992	wmic.exe
Token: 35	992	wmic.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe
Token: SeTakeOwnershipPrivilege	916	WMIC.exe
Token: SeLoadDriverPrivilege	916	WMIC.exe
Token: SeSystemProfilePrivilege	916	WMIC.exe
Token: SeSystemtimePrivilege	916	WMIC.exe
Token: SeProfSingleProcessPrivilege	916	WMIC.exe
Token: SeIncBasePriorityPrivilege	916	WMIC.exe
Token: SeCreatePagefilePrivilege	916	WMIC.exe
Token: SeBackupPrivilege	916	WMIC.exe
Token: SeRestorePrivilege	916	WMIC.exe
Token: SeShutdownPrivilege	916	WMIC.exe
Token: SeDebugPrivilege	916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	916	WMIC.exe
Token: SeRemoteShutdownPrivilege	916	WMIC.exe
Token: SeUndockPrivilege	916	WMIC.exe
Token: SeManageVolumePrivilege	916	WMIC.exe
Token: 33	916	WMIC.exe
Token: 34	916	WMIC.exe
Token: 35	916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	916	WMIC.exe
Token: SeSecurityPrivilege	916	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

9b34a1a535c29e31915e4b8993d9bb5e.exemeetrounov.exemeetrounov.execmd.execmd.exe

description	pid	process	target process
PID 1484 wrote to memory of 832	1484	9b34a1a535c29e31915e4b8993d9bb5e.exe	meetrounov.exe
PID 1484 wrote to memory of 832	1484	9b34a1a535c29e31915e4b8993d9bb5e.exe	meetrounov.exe
PID 1484 wrote to memory of 832	1484	9b34a1a535c29e31915e4b8993d9bb5e.exe	meetrounov.exe
PID 1484 wrote to memory of 832	1484	9b34a1a535c29e31915e4b8993d9bb5e.exe	meetrounov.exe
PID 832 wrote to memory of 684	832	meetrounov.exe	powershell.exe
PID 832 wrote to memory of 684	832	meetrounov.exe	powershell.exe
PID 832 wrote to memory of 684	832	meetrounov.exe	powershell.exe
PID 832 wrote to memory of 684	832	meetrounov.exe	powershell.exe
PID 832 wrote to memory of 1352	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 1352	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 1352	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 1352	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 832 wrote to memory of 808	832	meetrounov.exe	meetrounov.exe
PID 808 wrote to memory of 992	808	meetrounov.exe	wmic.exe
PID 808 wrote to memory of 992	808	meetrounov.exe	wmic.exe
PID 808 wrote to memory of 992	808	meetrounov.exe	wmic.exe
PID 808 wrote to memory of 992	808	meetrounov.exe	wmic.exe
PID 808 wrote to memory of 1000	808	meetrounov.exe	cmd.exe
PID 808 wrote to memory of 1000	808	meetrounov.exe	cmd.exe
PID 808 wrote to memory of 1000	808	meetrounov.exe	cmd.exe
PID 808 wrote to memory of 1000	808	meetrounov.exe	cmd.exe
PID 1000 wrote to memory of 916	1000	cmd.exe	WMIC.exe
PID 1000 wrote to memory of 916	1000	cmd.exe	WMIC.exe
PID 1000 wrote to memory of 916	1000	cmd.exe	WMIC.exe
PID 1000 wrote to memory of 916	1000	cmd.exe	WMIC.exe
PID 808 wrote to memory of 1660	808	meetrounov.exe	cmd.exe
PID 808 wrote to memory of 1660	808	meetrounov.exe	cmd.exe
PID 808 wrote to memory of 1660	808	meetrounov.exe	cmd.exe
PID 808 wrote to memory of 1660	808	meetrounov.exe	cmd.exe
PID 1660 wrote to memory of 624	1660	cmd.exe	WMIC.exe
PID 1660 wrote to memory of 624	1660	cmd.exe	WMIC.exe
PID 1660 wrote to memory of 624	1660	cmd.exe	WMIC.exe
PID 1660 wrote to memory of 624	1660	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\9b34a1a535c29e31915e4b8993d9bb5e.exe
"C:\Users\Admin\AppData\Local\Temp\9b34a1a535c29e31915e4b8993d9bb5e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
3⤵
- Executes dropped EXE
PID:1352

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
5⤵
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
209.8MB

MD5
ce44797b915deca925f13b1ddd207616

SHA1
0f1a4ec65ef13c765c44c7d22988daba1a9613c2

SHA256
57bad8822cdc44cb44956ac5b59b817742cc7134610cffcd611b0ed4c64884ca

SHA512
b997240e47d87f2489f5d72c7f241e753723f1e0a0a4c849294f587870e20f79281dd00c1e97082e8ef45e79d0e95dd0e7edd530984dc33db04d5f6e9583c344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
229.8MB

MD5
d2aa6c9e518d1c60b1485450847ffaae

SHA1
b44ff4a6d39e3633d5b957bce5a630540c3c2ad2

SHA256
818eb2a33a65073cbc8dacccad671552a00e8ac8934481bc4d84c6771054a418

SHA512
5552652e6047b8f44078f4ab9982bab15bc9e2cc4df11af69903a2555a6c36bef81eaf04749e9a7177d672b0985d216cc2e7610c9dae0e6934ab05e3eab279df

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
dfeffc3924409d9c9d3c8cae05be922b

SHA1
a89046cbf54c00e17ff0a5f3e1a8f01eb399bce4

SHA256
06ea3ad1c1c1067bfdfaa5ad8a91632fac6cad9776ded85fa65d3b6181d89be6

SHA512
d9614ecf528a2bf48cafe99a4c54d5c9f3656d628001fbf575d367d5ad8008cf30a58a7b3d9489d8534064442df89a7263df4a91d0863dcd6cc33574c576da33

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
221.6MB

MD5
e304ed5f02cd7944b36cc24f75ba6ee3

SHA1
07fa6e9be9171e299c4f0f76f78f4c3eadf1efaa

SHA256
662963e10588588b3dcf7cc6093bb856059c742283e40d5ee79b6a2d36b8762d

SHA512
22164560a4bf318912559797dfaca97c4ec7d92145c2d26fe82b398c5303cc3dac15d0287f43fbfe6a9c72cc0935560ec372e831f75a773d5706597d84defbd4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
218.1MB

MD5
e95527c64dd9dcacbb6a61b49f3c3fc9

SHA1
031b1b6b720d1766051e6cf92f65d5d2bd85314b

SHA256
f70ab49168f2f141e28f3bb96759cf1f42741b33b8de463e7e2697813375a367

SHA512
2f58edf256597a38369b7815e538a38776f2cd384af9eced2a38d4aaf46bd36354cd9d6dbb8f77aabd742553e5269cf4edc973063137c266ce05f953f9ae982b

Download Submit
memory/684-68-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/684-67-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/684-69-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/684-70-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/808-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-124-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/808-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-91-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/808-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/832-61-0x0000000004C90000-0x0000000004E60000-memory.dmp

Filesize
1.8MB

Download
memory/832-62-0x0000000005140000-0x0000000005278000-memory.dmp

Filesize
1.2MB

Download
memory/832-63-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download
memory/832-60-0x0000000000A20000-0x0000000000DE2000-memory.dmp

Filesize
3.8MB

Download
memory/832-66-0x0000000002220000-0x0000000002260000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads