aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
56s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 3 IoCs

pid	Process
4452	voiceadequovl.exe
2524	voiceadequovl.exe
3460	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2524 set thread context of 3460	2524	voiceadequovl.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2292	powershell.exe
2292	powershell.exe
1532	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	voiceadequovl.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeIncreaseQuotaPrivilege	3092	wmic.exe
Token: SeSecurityPrivilege	3092	wmic.exe
Token: SeTakeOwnershipPrivilege	3092	wmic.exe
Token: SeLoadDriverPrivilege	3092	wmic.exe
Token: SeSystemProfilePrivilege	3092	wmic.exe
Token: SeSystemtimePrivilege	3092	wmic.exe
Token: SeProfSingleProcessPrivilege	3092	wmic.exe
Token: SeIncBasePriorityPrivilege	3092	wmic.exe
Token: SeCreatePagefilePrivilege	3092	wmic.exe
Token: SeBackupPrivilege	3092	wmic.exe
Token: SeRestorePrivilege	3092	wmic.exe
Token: SeShutdownPrivilege	3092	wmic.exe
Token: SeDebugPrivilege	3092	wmic.exe
Token: SeSystemEnvironmentPrivilege	3092	wmic.exe
Token: SeRemoteShutdownPrivilege	3092	wmic.exe
Token: SeUndockPrivilege	3092	wmic.exe
Token: SeManageVolumePrivilege	3092	wmic.exe
Token: 33	3092	wmic.exe
Token: 34	3092	wmic.exe
Token: 35	3092	wmic.exe
Token: 36	3092	wmic.exe
Token: SeIncreaseQuotaPrivilege	3092	wmic.exe
Token: SeSecurityPrivilege	3092	wmic.exe
Token: SeTakeOwnershipPrivilege	3092	wmic.exe
Token: SeLoadDriverPrivilege	3092	wmic.exe
Token: SeSystemProfilePrivilege	3092	wmic.exe
Token: SeSystemtimePrivilege	3092	wmic.exe
Token: SeProfSingleProcessPrivilege	3092	wmic.exe
Token: SeIncBasePriorityPrivilege	3092	wmic.exe
Token: SeCreatePagefilePrivilege	3092	wmic.exe
Token: SeBackupPrivilege	3092	wmic.exe
Token: SeRestorePrivilege	3092	wmic.exe
Token: SeShutdownPrivilege	3092	wmic.exe
Token: SeDebugPrivilege	3092	wmic.exe
Token: SeSystemEnvironmentPrivilege	3092	wmic.exe
Token: SeRemoteShutdownPrivilege	3092	wmic.exe
Token: SeUndockPrivilege	3092	wmic.exe
Token: SeManageVolumePrivilege	3092	wmic.exe
Token: 33	3092	wmic.exe
Token: 34	3092	wmic.exe
Token: 35	3092	wmic.exe
Token: 36	3092	wmic.exe
Token: SeIncreaseQuotaPrivilege	4860	WMIC.exe
Token: SeSecurityPrivilege	4860	WMIC.exe
Token: SeTakeOwnershipPrivilege	4860	WMIC.exe
Token: SeLoadDriverPrivilege	4860	WMIC.exe
Token: SeSystemProfilePrivilege	4860	WMIC.exe
Token: SeSystemtimePrivilege	4860	WMIC.exe
Token: SeProfSingleProcessPrivilege	4860	WMIC.exe
Token: SeIncBasePriorityPrivilege	4860	WMIC.exe
Token: SeCreatePagefilePrivilege	4860	WMIC.exe
Token: SeBackupPrivilege	4860	WMIC.exe
Token: SeRestorePrivilege	4860	WMIC.exe
Token: SeShutdownPrivilege	4860	WMIC.exe
Token: SeDebugPrivilege	4860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4860	WMIC.exe
Token: SeRemoteShutdownPrivilege	4860	WMIC.exe
Token: SeUndockPrivilege	4860	WMIC.exe
Token: SeManageVolumePrivilege	4860	WMIC.exe
Token: 33	4860	WMIC.exe
Token: 34	4860	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4708 wrote to memory of 4452	4708	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 4708 wrote to memory of 4452	4708	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 4708 wrote to memory of 4452	4708	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 4452 wrote to memory of 2524	4452	voiceadequovl.exe	84
PID 4452 wrote to memory of 2524	4452	voiceadequovl.exe	84
PID 4452 wrote to memory of 2524	4452	voiceadequovl.exe	84
PID 2524 wrote to memory of 2292	2524	voiceadequovl.exe	88
PID 2524 wrote to memory of 2292	2524	voiceadequovl.exe	88
PID 2524 wrote to memory of 2292	2524	voiceadequovl.exe	88
PID 2524 wrote to memory of 3080	2524	voiceadequovl.exe	94
PID 2524 wrote to memory of 3080	2524	voiceadequovl.exe	94
PID 2524 wrote to memory of 3080	2524	voiceadequovl.exe	94
PID 3080 wrote to memory of 1532	3080	cmd.exe	96
PID 3080 wrote to memory of 1532	3080	cmd.exe	96
PID 3080 wrote to memory of 1532	3080	cmd.exe	96
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 2524 wrote to memory of 3460	2524	voiceadequovl.exe	97
PID 3460 wrote to memory of 3092	3460	voiceadequovl.exe	98
PID 3460 wrote to memory of 3092	3460	voiceadequovl.exe	98
PID 3460 wrote to memory of 3092	3460	voiceadequovl.exe	98
PID 3460 wrote to memory of 3332	3460	voiceadequovl.exe	100
PID 3460 wrote to memory of 3332	3460	voiceadequovl.exe	100
PID 3460 wrote to memory of 3332	3460	voiceadequovl.exe	100
PID 3332 wrote to memory of 4860	3332	cmd.exe	102
PID 3332 wrote to memory of 4860	3332	cmd.exe	102
PID 3332 wrote to memory of 4860	3332	cmd.exe	102
PID 3460 wrote to memory of 4504	3460	voiceadequovl.exe	104
PID 3460 wrote to memory of 4504	3460	voiceadequovl.exe	104
PID 3460 wrote to memory of 4504	3460	voiceadequovl.exe	104
PID 4504 wrote to memory of 868	4504	cmd.exe	105
PID 4504 wrote to memory of 868	4504	cmd.exe	105
PID 4504 wrote to memory of 868	4504	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3332
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
c85cdd1576bd592a1f5729860468cc82

SHA1
ef8482bd99204fb0818f64bd33ba400ae95bccf4

SHA256
b5392d970187140f206e5609426ee6177e7d7410c753985c37f4ea3e4bea64da

SHA512
e2f1632544b36b384dd620db4c7f109823cf98110a3cc0e86ca0bb271df9f2e298dfef7e6a25d9f54e9c9e0d66ad33e60e9dc4073ed55e40dce86fc8cef84996

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
282.7MB

MD5
d0a9d7cd1d5c27d712426316aa74a817

SHA1
97646a2b08ca8c41382257f7bf7f625500e58853

SHA256
c177c69246b028022d2e447627ba7af9ce9533239eecb7fab7eb8192bd5746c1

SHA512
5d1d017a6fbc995961ca9c648a6a8e307386cce8fde448d805f74d6d5b22226f9b4f2e30cdaa2c202b7dfd434d9eb5658849ec5a2bf5082cd27c329f296ec528

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
279.7MB

MD5
08d1ace8052de43397fc5d6f6eb7041f

SHA1
4f7ba63cd1586e9c17a1c35583f0eb2d7fe14386

SHA256
ce4e6a84d002280152d0876ecc3a20d54bcd38369a3a3d8af65bdd35a54928f7

SHA512
57ef1e65e83ed77e367cddb4c7283f6710a8e58f68a9fbe9eb99a821743194e49249f18c8a1743068d4ca09a7f3292db2af798d8631b3f472a86cee2e3a937f4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
257.2MB

MD5
98d9d6c0cc54704252c0ac664e1823f9

SHA1
4b8e5c0ebcfcde3857615c8a059aa0d31f1f3ca9

SHA256
8a0de7bdfb5d20f3c1d03549072f6cb6275808668baa52a613181c545cf76db6

SHA512
aa7de229dd020587f80395f07d2b96d5fed5987e60667a87282e053ceddba5b205ca358614701b9eeaa8c3d46e5f4151c0a788f0fb27ce089b208dbc214a22c1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
278.9MB

MD5
52d5db36d22f969b8ff31fb286dfe675

SHA1
84b09665dfa0c3dff159b78daa5eba37b1bb2c9a

SHA256
4397ccdb25c11bf80bf0a9dca5ac0c365c73bae8d7d1a847546d34f781c0a3a8

SHA512
b2bb3543f5a73d62da07d8ee859cba1ed9b420093df1ae5330824c21f27336891a0546c615621b6dff1a6a666054b58b20a8000a91f7884dc0ba6fdb775363f0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
155.7MB

MD5
db39434c4110592e48fca5cb312d0b53

SHA1
f07e65f4a5351d15080a0d531f907e4016dac487

SHA256
0c57760868c3cd107c0e2ba3943b54987b371f7941be93d7ce56116b949f10ad

SHA512
1b86a2da0675ab160d67d086b9bf214cd1e26b52dd9bd2c4e1a103e2c9205e32bbfcc4b698a6675c1dcd14afe277ff9913afee20618869ef9ae3fef739218798

Download Submit
memory/1532-164-0x0000000007420000-0x00000000074B6000-memory.dmp

Filesize
600KB

Download
memory/1532-163-0x00000000071F0000-0x00000000071FA000-memory.dmp

Filesize
40KB

Download
memory/1532-161-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/1532-160-0x0000000070A30000-0x0000000070A7C000-memory.dmp

Filesize
304KB

Download
memory/1532-159-0x0000000006E30000-0x0000000006E62000-memory.dmp

Filesize
200KB

Download
memory/1532-169-0x0000000005110000-0x000000000511E000-memory.dmp

Filesize
56KB

Download
memory/1532-170-0x0000000007380000-0x000000000739A000-memory.dmp

Filesize
104KB

Download
memory/1532-171-0x0000000007360000-0x0000000007368000-memory.dmp

Filesize
32KB

Download
memory/2292-142-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/2292-143-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/2292-141-0x0000000002910000-0x0000000002946000-memory.dmp

Filesize
216KB

Download
memory/2292-144-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/2292-147-0x0000000006400000-0x000000000641A000-memory.dmp

Filesize
104KB

Download
memory/2292-145-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/2292-146-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/2524-139-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/2524-138-0x0000000000750000-0x0000000000EC4000-memory.dmp

Filesize
7.5MB

Download
memory/3460-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3460-155-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3460-152-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3460-172-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download