aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

C2

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

4888 voiceadequovl.exe
220 voiceadequovl.exe
3480 voiceadequovl.exe

pid	process
4888	voiceadequovl.exe
220	voiceadequovl.exe
3480	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 220 set thread context of 3480 220 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4296 powershell.exe
4296 powershell.exe
3412 powershell.exe
3412 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 220 voiceadequovl.exe
Token: SeDebugPrivilege 4296 powershell.exe
Token: SeDebugPrivilege 3412 powershell.exe

description	pid	process	target process
PID 220 set thread context of 3480	220	voiceadequovl.exe	voiceadequovl.exe

pid	process
4296	powershell.exe
4296	powershell.exe
3412	powershell.exe
3412	powershell.exe

description	pid	process
Token: SeDebugPrivilege	220	voiceadequovl.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 5052 wrote to memory of 4888	5052	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 5052 wrote to memory of 4888	5052	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 5052 wrote to memory of 4888	5052	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4888 wrote to memory of 220	4888	voiceadequovl.exe	voiceadequovl.exe
PID 4888 wrote to memory of 220	4888	voiceadequovl.exe	voiceadequovl.exe
PID 4888 wrote to memory of 220	4888	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 4296	220	voiceadequovl.exe	powershell.exe
PID 220 wrote to memory of 4296	220	voiceadequovl.exe	powershell.exe
PID 220 wrote to memory of 4296	220	voiceadequovl.exe	powershell.exe
PID 220 wrote to memory of 3968	220	voiceadequovl.exe	cmd.exe
PID 220 wrote to memory of 3968	220	voiceadequovl.exe	cmd.exe
PID 220 wrote to memory of 3968	220	voiceadequovl.exe	cmd.exe
PID 3968 wrote to memory of 3412	3968	cmd.exe	powershell.exe
PID 3968 wrote to memory of 3412	3968	cmd.exe	powershell.exe
PID 3968 wrote to memory of 3412	3968	cmd.exe	powershell.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe
PID 220 wrote to memory of 3480	220	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:3480

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:2508

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:3004

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:2068

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
0c2562859bb1600a2816e905c219e9e6

SHA1
81888f8144141ed5571611aecb61eee4b38d3481

SHA256
7fe500b22ecf0b757e0983eb6aa8855d9ef7d840caacf36717408d9a0890c72f

SHA512
fd3f3e7bdecde389aff393422ffd86d897bfe9f06f5a4655db2b4510586e23f5bb3c88193c6ede4f9e6f4ff5d0a0df25be149f195a4013d3ae577d5e54443720

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
299.3MB

MD5
919c5d243baf084308e894524e1153d0

SHA1
a3b09b14a72668ef18122a776c9ba30fd9c8456c

SHA256
a7db87793ae9b2e4ed04ba63cabc796d75257f566d6d8440db0c01e900be2952

SHA512
cbdcb64c2af35eda942ad2586af7a98e917c1ef23d54528bf0214641d960ee6254dfe92b20414037a5e0cea5211004fcb9b26452084e72047d3110f4191aff7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
285.9MB

MD5
610e94390d2a32dd027ea4bfe58969f5

SHA1
966884a4d76078b18c0d8f184e0eb682620a2f31

SHA256
1d3c61853ab9b682c1e4c1d2e205eb662f3da2e59bfef1c044f9f3593450035d

SHA512
c049903f6ef81631d9c839e93b570816e6301c87dbcc8b45e31035976f663f7137b5cc805722c621782e1f6448ea3c596ec70362e49cf7bbbc9f475fdd1102c7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
275.9MB

MD5
f03d76204f6021c458e8ce5a97c9e382

SHA1
00e95d2d4cf43003c95db68701c30190ac309764

SHA256
72a2cebe30bc8625b43b859ed22a6423c972852e139d1a38903f0d303b5a41c3

SHA512
3a6ca951dad09a75e770adc35ac6409a3b1117ea17986f52aa298cd900acc797dc01ea5a67da4e5b6916eeb2372b29b8efada727508d16eb22410c8e4b54f284

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
274.8MB

MD5
4aeb131a8a8b42c133094df5399b673a

SHA1
8ccc80d49b26b5052f5de3e7318c212d05b43e17

SHA256
006c2d5d6f21c1e8c5d96fd1d110a7ada6676fdd737fdfa1bf1b15d4d1b0873f

SHA512
dbafebaed8c0c9cfb2f2a8b0c428f6e9676e7f3ae40fc23c9ad9160a7718ddb1c38605fa18aeec14cc9c2365c272848c6d20c1d14f54da24a7f5f524ed7f70e9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
125.1MB

MD5
952b8f787b21860675eeb0019ac2bb64

SHA1
ede2c578e60ed2d638b11f0ff7f7b57c880cc889

SHA256
e82e9557193126bc61e61828952f25675893a456a089a310dcec044808cf6b36

SHA512
59b757c80392d050a8188a1c40a7f53e7ffa5b372554cf34a81f8b1b818f199d7d012d02adbf4b9d20916c36e332bde3f4234d943b61e17053346bd9eff97dcc

Download Submit
memory/220-138-0x0000000000040000-0x00000000007B4000-memory.dmp

Filesize
7.5MB

Download
memory/220-135-0x0000000000000000-mapping.dmp

Download
memory/220-139-0x00000000065C0000-0x00000000065E2000-memory.dmp

Filesize
136KB

Download
memory/872-172-0x0000000000000000-mapping.dmp

Download
memory/2068-171-0x0000000000000000-mapping.dmp

Download
memory/2508-168-0x0000000000000000-mapping.dmp

Download
memory/3004-169-0x0000000000000000-mapping.dmp

Download
memory/3056-170-0x0000000000000000-mapping.dmp

Download
memory/3412-149-0x0000000000000000-mapping.dmp

Download
memory/3412-163-0x00000000070C0000-0x0000000007156000-memory.dmp

Filesize
600KB

Download
memory/3412-164-0x0000000005970000-0x000000000597E000-memory.dmp

Filesize
56KB

Download
memory/3412-162-0x0000000006E70000-0x0000000006E7A000-memory.dmp

Filesize
40KB

Download
memory/3412-161-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/3412-160-0x00000000739E0000-0x0000000073A2C000-memory.dmp

Filesize
304KB

Download
memory/3412-165-0x0000000007020000-0x000000000703A000-memory.dmp

Filesize
104KB

Download
memory/3412-159-0x00000000060B0000-0x00000000060E2000-memory.dmp

Filesize
200KB

Download
memory/3412-166-0x0000000007000000-0x0000000007008000-memory.dmp

Filesize
32KB

Download
memory/3480-152-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3480-156-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3480-155-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3480-173-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3480-151-0x0000000000000000-mapping.dmp

Download
memory/3480-167-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3968-148-0x0000000000000000-mapping.dmp

Download
memory/4296-146-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/4296-145-0x00000000066B0000-0x00000000066CE000-memory.dmp

Filesize
120KB

Download
memory/4296-147-0x0000000006BC0000-0x0000000006BDA000-memory.dmp

Filesize
104KB

Download
memory/4296-144-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4296-143-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/4296-142-0x00000000058B0000-0x0000000005ED8000-memory.dmp

Filesize
6.2MB

Download
memory/4296-141-0x00000000050F0000-0x0000000005126000-memory.dmp

Filesize
216KB

Download
memory/4296-140-0x0000000000000000-mapping.dmp

Download
memory/4888-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads