meduza | hxxps://www[.]mediafire[.]com/file/2ckd878ulmxsnvu/aura_zip/file

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/2ckd878ulmxsnvu/aura_zip/file

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/3096-732-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza
behavioral1/memory/3096-737-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza
behavioral1/memory/800-758-0x0000000140000000-0x000000014013B000-memory.dmp	family_meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Aura.exe

Executes dropped EXE 4 IoCs

pid	Process
1968	Aura.exe
3096	Aura.exe
2216	Aura.exe
800	Aura.exe

Loads dropped DLL 2 IoCs

pid	Process
1968	Aura.exe
2216	Aura.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Aura.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Aura.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Aura.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Aura.exe
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Aura.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
333	api.ipify.org
332	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 3096	1968	Aura.exe	129
PID 2216 set thread context of 800	2216	Aura.exe	131

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5272	cmd.exe
5716	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Aura\Aura.exe:a.dll	Aura.exe
File opened for modification	C:\Users\Admin\Downloads\Aura\Aura.exe:a.dll	Aura.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Temp1_Aura.zip\Aura\Aura.exe:a.dll	Aura.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5716	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2960	msedge.exe
2960	msedge.exe
2212	msedge.exe
2212	msedge.exe
4388	identity_helper.exe
4388	identity_helper.exe
5344	msedge.exe
5344	msedge.exe
5864	msedge.exe
5864	msedge.exe
5864	msedge.exe
5864	msedge.exe
3096	Aura.exe
3096	Aura.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	5800	7zG.exe
Token: 35	5800	7zG.exe
Token: SeSecurityPrivilege	5800	7zG.exe
Token: SeSecurityPrivilege	5800	7zG.exe
Token: SeDebugPrivilege	3096	Aura.exe
Token: SeImpersonatePrivilege	3096	Aura.exe
Token: SeDebugPrivilege	800	Aura.exe
Token: SeImpersonatePrivilege	800	Aura.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe
2212	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3160	2212	msedge.exe	83
PID 2212 wrote to memory of 3160	2212	msedge.exe	83
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 1424	2212	msedge.exe	84
PID 2212 wrote to memory of 2960	2212	msedge.exe	85
PID 2212 wrote to memory of 2960	2212	msedge.exe	85
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86
PID 2212 wrote to memory of 2260	2212	msedge.exe	86

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Aura.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Aura.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/2ckd878ulmxsnvu/aura_zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff07c146f8,0x7fff07c14708,0x7fff07c14718
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7288 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,2711655856865560054,16282997251100215032,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4896 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5768

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Aura\" -spe -an -ai#7zMap25154:70:7zEvent2668
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5800

C:\Users\Admin\Downloads\Aura\Aura.exe
"C:\Users\Admin\Downloads\Aura\Aura.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:1968
- C:\Users\Admin\Downloads\Aura\Aura.exe
  "C:\Users\Admin\Downloads\Aura\Aura.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3096
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Aura\Aura.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5272
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5716

C:\Users\Admin\Downloads\Aura\Aura.exe
"C:\Users\Admin\Downloads\Aura\Aura.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
PID:2216
- C:\Users\Admin\Downloads\Aura\Aura.exe
  "C:\Users\Admin\Downloads\Aura\Aura.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:800

C:\Users\Admin\AppData\Local\Temp\Temp1_Aura.zip\Aura\Aura.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Aura.zip\Aura\Aura.exe"
1⤵
- NTFS ADS
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
168cf202e8bb7cb9464c3e5829132b77

SHA1
ae9dc03fe96ad657628e033a20f0f6eb83aacbc0

SHA256
623c27692ffca5e54a26627284bcbeed2ed658d6dbc9a169726e3b6da35abca8

SHA512
668f49f01a33f5937375e1868f91f617182fb04674cf4e5b10945625dba53decb02612ab2ee5f540e5c937d9d1939860a56aa48f1654a53ada217f017b95d53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
36KB

MD5
789a5530bb6abbdb03be489e9a14f5e1

SHA1
bf86c4014bdc7c5b2d349e1b64fb66ecf3b2df0b

SHA256
c3d3b81ae1e1888306f3bff629938079991b3278f51e4df26ebd305e73b5230d

SHA512
f24294d8f8f339fa7cdbb9708c2d5007840a3e8fcc3db6b41d4bb19f413db91b1788a207fd0e90671c4023a06251524357162689bff1cb9b8a06051469117c77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
148KB

MD5
c4308285e66f6d25e3dc1abbb711ee0f

SHA1
3a8a064cc011932854664257d9becd794430d927

SHA256
ce196add6c45143e8ddbd0650889ffc466783616cbef755b4b0cff1cde7b50af

SHA512
c0ac9231484b7ba96e829d3a9433053e56a14661579edf5dd069de6a03cafd00af2523671bf81b1abe10059e5a1107f51e57bf362c4f9e334e7a79165cc696fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
4KB

MD5
9e051ac7c948fcf7325858d1740c3333

SHA1
d4b7f301abff843999c851f3ab2381c90bbdf2d8

SHA256
1d37bf68d99bb472e794160d1b0f8e57dbdae8004ab6f5314169b5637f4fd09c

SHA512
9d7ad9e9db6bcbb3cd637977b0b3082a5e12495ecdc80df51c839287a59e912355e911d113e393cbca8eba8d2876614b605ee8c9ebad6342118482e6e764c114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
59ea2274a80e57e7d20ef45d74c51c4e

SHA1
2652791e4af40e7864cc4b56a4879b060308d610

SHA256
b84c1f9c173bf11ff6ec0bbb12ff2e1f65020364b50021f083ccc2c15977e134

SHA512
229778234fd302d82e896a0c2f8a87dbffa4b02c85bc4801120988eac3a54fec40b8ae2b3dd44a97a1b07869a0156b48e1ba7c831561549e9ff022fc3de85009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
b378eed176b9f6ede7e85c4fbbdf7ef5

SHA1
87a3639441e26b99f08a7895bebac518be66d535

SHA256
aefe3b503f3865acb13b6d7f619527bb76a400310a63449b51de5ab8bb9f3480

SHA512
3e1c6b8fa21ef5e43ae852d9006399778b63ff8546586c9f851c5ca8826a8cc44e3a4ca94ef9b0990bc682f5a8a7a0b375736cef35992ba6b070d30273085d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5cc2dc3f16f1f176d995b96c4de7ceef

SHA1
1e7197d1804e430af9fd22c3ca7cd7bf13ae5aa5

SHA256
6126bc3abb3d87094b5c8981da633d438ed0b73d9184b15c1a39cdd80444852c

SHA512
e2c69661e8d31e5fffd9d9fb0cd24884c2cb7df3fa3be2989cf1e0606dc4cee4d107c2b6d54e85a5b53a7984115ba009d55278accadbde7fe6f60e34e123308c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
39f59a30ca436c121e480f8bf39b6090

SHA1
5303638485062a6c820de4b288d4d3f11248ec30

SHA256
96e89322cda14d7fdf0afc03379c1c2d1c2784436f871da0c59bc528b3c4ce92

SHA512
ea11a560a06a8b8395c25cd7ea9f74176e206bd2b1628468b1356382ce527ce4fa9d85ebc601eb3ae2d7375482910f6d0b3a5db1e982d0862424d3921dfbb1bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
0f1aea07c556a08a81fdd1ff8cab3c83

SHA1
6c4f1af370ff612d29bb4ab28ce7561223d4edf4

SHA256
46d3d2eaee567066af83b23fa762422c3f79c9e602bdfc3f26d7ea3b55479931

SHA512
1215c6af38a8e93c0e84908d1ce4ff3c54e15453e76c865f4b6bb217bbad8b68cacf3112d632476011bdadc7c8667660ad11c47b27a745024e4c2e74589b5c60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
884c60d69f2956848d48ab75b8d86a03

SHA1
ef04d03de177c744cd0358e3ccbd0fa0bf40521e

SHA256
6c0784275f7efa9b3afd47b568ac982fd0425d6a0a055f2e854f715fdaaef73a

SHA512
3727aa1aec02820f61df856ea987b09c13e127c7aec74d5fb73d6935231e0285ec5597b416bc519e55f8fc04124557858aca3df2cbf4b47d9edd4538aadecf63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e241625c977cc7e42dd7a97f8d0206b5

SHA1
a1b8d91c65411e1f8c2c0fce47ea250bcf2fc556

SHA256
ccad532f7cbec737406b0234218c59b981ea9d0def7fabb3738809990b347a32

SHA512
6da5f001e386d7e03725b22cf70660c3fadab9add4227a6eb55e170b5eba90af35ed21804a86390b8ae56a2fdbfdbce93e3d98eda07f890d3d6c65e80c847245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
748c0f433efdf8373e107e6f89b40484

SHA1
60ed3ca5838af754dca32444d9caa9bd3aa5e1ff

SHA256
812454a849af65352247e7dea83e70147ba6708f293f53d764fcb7970807ab8c

SHA512
f2564c053505c491601744cc4e79b9247955a879e16eda922138b3929fec6225165e08fadba61a40d43cd5bae245c172f53e7e3b571b473f4195c77c6f1fbe79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
060f5551ed702b6ec08c9b21a609fbdd

SHA1
7cfecc0ae1cc4aaf2c1a190f0b03c9980d362e89

SHA256
e567011e3d3aa05ac5fc9d07589180d96999fd05645ff6b9aab54ef9ccc98ba5

SHA512
9091e6af1ee0371afcb7a13b58f5e8205ca8e1d196f80c58bf9f7a0eb8615fe39c9db18d882a60e3e375f4898d1ff77ebec0ca3237dda46fa1f5b240186350cc

Download Submit
C:\Users\Admin\Downloads\Aura\Aura.exe

Filesize
1.7MB

MD5
b2a046d842ca1552593269558d052ff5

SHA1
7d1eba1939214aef12ad53f3d0eb8cc6ce27a0d0

SHA256
fe424aa5c66338c5cd9b0b2e59211222831a373133d71955976f37ce6ad1408e

SHA512
e5379f3602fbabef5131701c5b3c6bb97855db5cca163202abdd6b92e022237218046ca2ab214077077e12c4b9bf3a3dc8d191d46a66462d8e9ecae6e774d80c

Download Submit
C:\Users\Admin\Downloads\Aura\Aura.exe:a.dll

Filesize
1.4MB

MD5
89063c77b1a1d722f87ae93a61653aa7

SHA1
486b62dd64053e3779b2aab70ddab0b752bc4258

SHA256
603cef91530cf80764891e02059a2f284265aeff918f6d138bb368a2a4b15312

SHA512
7f047c7a1397077b69ba99933a4e2af814aad77930914ae48ef677025e5e9ebdf882c319a05e0a286add18f5ce9863e905b115a78a13c153deb24dd0ab31e5f6

Download Submit
memory/800-758-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/1120-776-0x00007FF7E72F0000-0x00007FF7E74A5000-memory.dmp

Filesize
1.7MB

Download
memory/1968-736-0x00007FFEF3510000-0x00007FFEF3674000-memory.dmp

Filesize
1.4MB

Download
memory/1968-735-0x00007FF7498C0000-0x00007FF749A75000-memory.dmp

Filesize
1.7MB

Download
memory/2216-756-0x00007FF7498C0000-0x00007FF749A75000-memory.dmp

Filesize
1.7MB

Download
memory/2216-757-0x00007FFEF7530000-0x00007FFEF7694000-memory.dmp

Filesize
1.4MB

Download
memory/3096-737-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download
memory/3096-732-0x0000000140000000-0x000000014013B000-memory.dmp

Filesize
1.2MB

Download