aurora | 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d

General

Target

9b34a1a535c29e31915e4b8993d9bb5e.exe
Size

6.2MB
MD5

9b34a1a535c29e31915e4b8993d9bb5e
SHA1

3801b45b01a1ddc836a10f9a4e28bb368bc958de
SHA256

51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d
SHA512

0701c9d84a14077fa5bb2a29abef21d1c67a36bedc6e4a9d0d50b6cb336d9c56ba0c0f823ecd6f31fd28847092bf3a2318f7dc3c1505ace26383523fb598dd09
SSDEEP

196608:ANOniBSEhRELqS/ohbK9iRs5Vb9sybbsx0rnsEniAd96:ANOniBSEhRELqS/ohW9iRs5Vb9sybbs9

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

C2

94.142.138.112:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

meetrounov.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	meetrounov.exe

Executes dropped EXE 2 IoCs

Processes:

meetrounov.exemeetrounov.exe

pid process

2304 meetrounov.exe
4408 meetrounov.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2304	meetrounov.exe
4408	meetrounov.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9b34a1a535c29e31915e4b8993d9bb5e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	9b34a1a535c29e31915e4b8993d9bb5e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b34a1a535c29e31915e4b8993d9bb5e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

meetrounov.exe

description pid process target process

PID 2304 set thread context of 4408 2304 meetrounov.exe meetrounov.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1840 powershell.exe
1840 powershell.exe
1840 powershell.exe

description	pid	process	target process
PID 2304 set thread context of 4408	2304	meetrounov.exe	meetrounov.exe

pid	process
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

meetrounov.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2304	meetrounov.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeIncreaseQuotaPrivilege	4552	wmic.exe
Token: SeSecurityPrivilege	4552	wmic.exe
Token: SeTakeOwnershipPrivilege	4552	wmic.exe
Token: SeLoadDriverPrivilege	4552	wmic.exe
Token: SeSystemProfilePrivilege	4552	wmic.exe
Token: SeSystemtimePrivilege	4552	wmic.exe
Token: SeProfSingleProcessPrivilege	4552	wmic.exe
Token: SeIncBasePriorityPrivilege	4552	wmic.exe
Token: SeCreatePagefilePrivilege	4552	wmic.exe
Token: SeBackupPrivilege	4552	wmic.exe
Token: SeRestorePrivilege	4552	wmic.exe
Token: SeShutdownPrivilege	4552	wmic.exe
Token: SeDebugPrivilege	4552	wmic.exe
Token: SeSystemEnvironmentPrivilege	4552	wmic.exe
Token: SeRemoteShutdownPrivilege	4552	wmic.exe
Token: SeUndockPrivilege	4552	wmic.exe
Token: SeManageVolumePrivilege	4552	wmic.exe
Token: 33	4552	wmic.exe
Token: 34	4552	wmic.exe
Token: 35	4552	wmic.exe
Token: 36	4552	wmic.exe
Token: SeIncreaseQuotaPrivilege	4552	wmic.exe
Token: SeSecurityPrivilege	4552	wmic.exe
Token: SeTakeOwnershipPrivilege	4552	wmic.exe
Token: SeLoadDriverPrivilege	4552	wmic.exe
Token: SeSystemProfilePrivilege	4552	wmic.exe
Token: SeSystemtimePrivilege	4552	wmic.exe
Token: SeProfSingleProcessPrivilege	4552	wmic.exe
Token: SeIncBasePriorityPrivilege	4552	wmic.exe
Token: SeCreatePagefilePrivilege	4552	wmic.exe
Token: SeBackupPrivilege	4552	wmic.exe
Token: SeRestorePrivilege	4552	wmic.exe
Token: SeShutdownPrivilege	4552	wmic.exe
Token: SeDebugPrivilege	4552	wmic.exe
Token: SeSystemEnvironmentPrivilege	4552	wmic.exe
Token: SeRemoteShutdownPrivilege	4552	wmic.exe
Token: SeUndockPrivilege	4552	wmic.exe
Token: SeManageVolumePrivilege	4552	wmic.exe
Token: 33	4552	wmic.exe
Token: 34	4552	wmic.exe
Token: 35	4552	wmic.exe
Token: 36	4552	wmic.exe
Token: SeIncreaseQuotaPrivilege	5112	WMIC.exe
Token: SeSecurityPrivilege	5112	WMIC.exe
Token: SeTakeOwnershipPrivilege	5112	WMIC.exe
Token: SeLoadDriverPrivilege	5112	WMIC.exe
Token: SeSystemProfilePrivilege	5112	WMIC.exe
Token: SeSystemtimePrivilege	5112	WMIC.exe
Token: SeProfSingleProcessPrivilege	5112	WMIC.exe
Token: SeIncBasePriorityPrivilege	5112	WMIC.exe
Token: SeCreatePagefilePrivilege	5112	WMIC.exe
Token: SeBackupPrivilege	5112	WMIC.exe
Token: SeRestorePrivilege	5112	WMIC.exe
Token: SeShutdownPrivilege	5112	WMIC.exe
Token: SeDebugPrivilege	5112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5112	WMIC.exe
Token: SeRemoteShutdownPrivilege	5112	WMIC.exe
Token: SeUndockPrivilege	5112	WMIC.exe
Token: SeManageVolumePrivilege	5112	WMIC.exe
Token: 33	5112	WMIC.exe
Token: 34	5112	WMIC.exe
Token: 35	5112	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

9b34a1a535c29e31915e4b8993d9bb5e.exemeetrounov.exemeetrounov.execmd.execmd.exe

description	pid	process	target process
PID 3732 wrote to memory of 2304	3732	9b34a1a535c29e31915e4b8993d9bb5e.exe	meetrounov.exe
PID 3732 wrote to memory of 2304	3732	9b34a1a535c29e31915e4b8993d9bb5e.exe	meetrounov.exe
PID 3732 wrote to memory of 2304	3732	9b34a1a535c29e31915e4b8993d9bb5e.exe	meetrounov.exe
PID 2304 wrote to memory of 1840	2304	meetrounov.exe	powershell.exe
PID 2304 wrote to memory of 1840	2304	meetrounov.exe	powershell.exe
PID 2304 wrote to memory of 1840	2304	meetrounov.exe	powershell.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 2304 wrote to memory of 4408	2304	meetrounov.exe	meetrounov.exe
PID 4408 wrote to memory of 4552	4408	meetrounov.exe	wmic.exe
PID 4408 wrote to memory of 4552	4408	meetrounov.exe	wmic.exe
PID 4408 wrote to memory of 4552	4408	meetrounov.exe	wmic.exe
PID 4408 wrote to memory of 2632	4408	meetrounov.exe	cmd.exe
PID 4408 wrote to memory of 2632	4408	meetrounov.exe	cmd.exe
PID 4408 wrote to memory of 2632	4408	meetrounov.exe	cmd.exe
PID 2632 wrote to memory of 5112	2632	cmd.exe	WMIC.exe
PID 2632 wrote to memory of 5112	2632	cmd.exe	WMIC.exe
PID 2632 wrote to memory of 5112	2632	cmd.exe	WMIC.exe
PID 4408 wrote to memory of 1780	4408	meetrounov.exe	cmd.exe
PID 4408 wrote to memory of 1780	4408	meetrounov.exe	cmd.exe
PID 4408 wrote to memory of 1780	4408	meetrounov.exe	cmd.exe
PID 1780 wrote to memory of 2236	1780	cmd.exe	WMIC.exe
PID 1780 wrote to memory of 2236	1780	cmd.exe	WMIC.exe
PID 1780 wrote to memory of 2236	1780	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\9b34a1a535c29e31915e4b8993d9bb5e.exe
"C:\Users\Admin\AppData\Local\Temp\9b34a1a535c29e31915e4b8993d9bb5e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
5⤵
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
Filesize
366.1MB

MD5
0f1c71b32b79c69580a2047de48151d5

SHA1
21f5a5060f0681de7d77ad8ef5cac16c61569c92

SHA256
e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98

SHA512
a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
dce9b749d38fdc247ab517e8a76e6102

SHA1
d6c5b6548e1a3da3326bd097c50c49fc7906be3f

SHA256
5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7

SHA512
56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t3pk1155.jj3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
92d24961d2ebaacf1ace5463dfc9930d

SHA1
99ffaf6904ab616c33a37ce01d383e4a493df335

SHA256
9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3

SHA512
77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

Download Submit
memory/1840-158-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/1840-160-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1840-143-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1840-145-0x0000000005160000-0x00000000051C6000-memory.dmp

Filesize
408KB

Download
memory/1840-146-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/1840-142-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1840-156-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/1840-144-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/1840-141-0x0000000004C20000-0x0000000004C56000-memory.dmp

Filesize
216KB

Download
memory/1840-159-0x0000000006580000-0x000000000659A000-memory.dmp

Filesize
104KB

Download
memory/2304-139-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2304-157-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Filesize
64KB

Download
memory/2304-140-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/2304-138-0x0000000000370000-0x0000000000732000-memory.dmp

Filesize
3.8MB

Download
memory/4408-164-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-170-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-171-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-172-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-173-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-175-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-169-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-168-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4408-228-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads