aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
55s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

pid	Process
4928	voiceadequovl.exe
4872	voiceadequovl.exe
2536	voiceadequovl.exe
1012	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4872 set thread context of 1012	4872	voiceadequovl.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4980	powershell.exe
4980	powershell.exe
4872	voiceadequovl.exe
4872	voiceadequovl.exe
1768	powershell.exe
1768	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4872	voiceadequovl.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeIncreaseQuotaPrivilege	4716	wmic.exe
Token: SeSecurityPrivilege	4716	wmic.exe
Token: SeTakeOwnershipPrivilege	4716	wmic.exe
Token: SeLoadDriverPrivilege	4716	wmic.exe
Token: SeSystemProfilePrivilege	4716	wmic.exe
Token: SeSystemtimePrivilege	4716	wmic.exe
Token: SeProfSingleProcessPrivilege	4716	wmic.exe
Token: SeIncBasePriorityPrivilege	4716	wmic.exe
Token: SeCreatePagefilePrivilege	4716	wmic.exe
Token: SeBackupPrivilege	4716	wmic.exe
Token: SeRestorePrivilege	4716	wmic.exe
Token: SeShutdownPrivilege	4716	wmic.exe
Token: SeDebugPrivilege	4716	wmic.exe
Token: SeSystemEnvironmentPrivilege	4716	wmic.exe
Token: SeRemoteShutdownPrivilege	4716	wmic.exe
Token: SeUndockPrivilege	4716	wmic.exe
Token: SeManageVolumePrivilege	4716	wmic.exe
Token: 33	4716	wmic.exe
Token: 34	4716	wmic.exe
Token: 35	4716	wmic.exe
Token: 36	4716	wmic.exe
Token: SeIncreaseQuotaPrivilege	4716	wmic.exe
Token: SeSecurityPrivilege	4716	wmic.exe
Token: SeTakeOwnershipPrivilege	4716	wmic.exe
Token: SeLoadDriverPrivilege	4716	wmic.exe
Token: SeSystemProfilePrivilege	4716	wmic.exe
Token: SeSystemtimePrivilege	4716	wmic.exe
Token: SeProfSingleProcessPrivilege	4716	wmic.exe
Token: SeIncBasePriorityPrivilege	4716	wmic.exe
Token: SeCreatePagefilePrivilege	4716	wmic.exe
Token: SeBackupPrivilege	4716	wmic.exe
Token: SeRestorePrivilege	4716	wmic.exe
Token: SeShutdownPrivilege	4716	wmic.exe
Token: SeDebugPrivilege	4716	wmic.exe
Token: SeSystemEnvironmentPrivilege	4716	wmic.exe
Token: SeRemoteShutdownPrivilege	4716	wmic.exe
Token: SeUndockPrivilege	4716	wmic.exe
Token: SeManageVolumePrivilege	4716	wmic.exe
Token: 33	4716	wmic.exe
Token: 34	4716	wmic.exe
Token: 35	4716	wmic.exe
Token: 36	4716	wmic.exe
Token: SeIncreaseQuotaPrivilege	392	WMIC.exe
Token: SeSecurityPrivilege	392	WMIC.exe
Token: SeTakeOwnershipPrivilege	392	WMIC.exe
Token: SeLoadDriverPrivilege	392	WMIC.exe
Token: SeSystemProfilePrivilege	392	WMIC.exe
Token: SeSystemtimePrivilege	392	WMIC.exe
Token: SeProfSingleProcessPrivilege	392	WMIC.exe
Token: SeIncBasePriorityPrivilege	392	WMIC.exe
Token: SeCreatePagefilePrivilege	392	WMIC.exe
Token: SeBackupPrivilege	392	WMIC.exe
Token: SeRestorePrivilege	392	WMIC.exe
Token: SeShutdownPrivilege	392	WMIC.exe
Token: SeDebugPrivilege	392	WMIC.exe
Token: SeSystemEnvironmentPrivilege	392	WMIC.exe
Token: SeRemoteShutdownPrivilege	392	WMIC.exe
Token: SeUndockPrivilege	392	WMIC.exe
Token: SeManageVolumePrivilege	392	WMIC.exe
Token: 33	392	WMIC.exe
Token: 34	392	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 4928	3108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 3108 wrote to memory of 4928	3108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 3108 wrote to memory of 4928	3108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 4928 wrote to memory of 4872	4928	voiceadequovl.exe	82
PID 4928 wrote to memory of 4872	4928	voiceadequovl.exe	82
PID 4928 wrote to memory of 4872	4928	voiceadequovl.exe	82
PID 4872 wrote to memory of 4980	4872	voiceadequovl.exe	85
PID 4872 wrote to memory of 4980	4872	voiceadequovl.exe	85
PID 4872 wrote to memory of 4980	4872	voiceadequovl.exe	85
PID 4872 wrote to memory of 4948	4872	voiceadequovl.exe	93
PID 4872 wrote to memory of 4948	4872	voiceadequovl.exe	93
PID 4872 wrote to memory of 4948	4872	voiceadequovl.exe	93
PID 4948 wrote to memory of 1768	4948	cmd.exe	95
PID 4948 wrote to memory of 1768	4948	cmd.exe	95
PID 4948 wrote to memory of 1768	4948	cmd.exe	95
PID 4872 wrote to memory of 2536	4872	voiceadequovl.exe	96
PID 4872 wrote to memory of 2536	4872	voiceadequovl.exe	96
PID 4872 wrote to memory of 2536	4872	voiceadequovl.exe	96
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 4872 wrote to memory of 1012	4872	voiceadequovl.exe	97
PID 1012 wrote to memory of 4716	1012	voiceadequovl.exe	99
PID 1012 wrote to memory of 4716	1012	voiceadequovl.exe	99
PID 1012 wrote to memory of 4716	1012	voiceadequovl.exe	99
PID 1012 wrote to memory of 3240	1012	voiceadequovl.exe	101
PID 1012 wrote to memory of 3240	1012	voiceadequovl.exe	101
PID 1012 wrote to memory of 3240	1012	voiceadequovl.exe	101
PID 3240 wrote to memory of 392	3240	cmd.exe	102
PID 3240 wrote to memory of 392	3240	cmd.exe	102
PID 3240 wrote to memory of 392	3240	cmd.exe	102
PID 1012 wrote to memory of 2952	1012	voiceadequovl.exe	104
PID 1012 wrote to memory of 2952	1012	voiceadequovl.exe	104
PID 1012 wrote to memory of 2952	1012	voiceadequovl.exe	104

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:2536
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3240
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:2952
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:3208

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
afa8d4015cd655af69e749e7d419216f

SHA1
b272a76ef017edb52ae0bb95a2cc459ac67a303c

SHA256
a2aeea7ba7a1ea4f6f1f53440d5409341c95fb71e41788f9cae036cc357f2f75

SHA512
68375eac0d1f6a563d8ee1e5e97b01878583b8ef6b8ab29c580eb43a537f827f612f65e74fee59a5536da3f1514163c1afabdb56116f3a97b7183b83fa3a61d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
264.8MB

MD5
2fbe26e3e6c20e190171394ed52cbbbd

SHA1
cb449b6b141cad3cad4851620d42fa216d0cc661

SHA256
182deb6e1717d7774dbb58e3720dbf458202e0d04b9f80349be1b8e1b959df6b

SHA512
4fc42d7bb181a1442eaa6855c8bcb8373db4a85a2e6d7e1ab39a3a4b9fd09d57f9d124c1877fc6c2b3a2373c50a19b558033fc0d787be2224604d8bb844f9c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
255.1MB

MD5
b957a95f4fe5c323820a58dafbab8444

SHA1
214d4a7bbcda67b59b010a9746ff4ac5c93227d9

SHA256
2c534f200c1cb37421b032c780b162b0ef625d025e23f81e7b61ebd9b20ca4da

SHA512
4230c415a00d7381c31a4a1cd16fdedafbdc052b34fabea78336e888daca5073d59fb37630c3d75373ce34ae8476290c58a3058b0618baa51e731ffc1883b6b6

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.9MB

MD5
a8a89a09f698c4b2e9d9af900bf4d34e

SHA1
d2ac4eaa426fe548d99379cb02324a61fb010006

SHA256
979f9a53955a7615fa8fadf952553c8c4cc3a0dbf0f95afdf918576c33f5a7cc

SHA512
45b799c8ac13e1a58aa28494f084da21afd83637ea8ed3776d675251fb563487ed3fea38d9d9a2d4159168e34c3147f2f72fd7387452b86bc69e0e9e8d560109

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
248.0MB

MD5
4c3ec08601ab208d790de6b1597944fc

SHA1
6186aad18a22d059534681e102f6c429c39b91e7

SHA256
710b607cb8422a77ab97332d10d7426c854fdf389cbdf31d7f358819cd5cf680

SHA512
574d2c1751043d7be3bf65591bd86858f4dedcf6d3a4d203556ab128c94c274436b86eb7888905bf84a4cfa29850b2d016d0e8e231fd3d90266550177526feb3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
202.8MB

MD5
50f1a54e6f543a4a49eb5e5b379ec249

SHA1
c58a4d9483ba10afd0146a855eb6b3ce807256be

SHA256
e9214400335fe217e355623e12fe582b79b3b78e4e6b15365eba898539b89c66

SHA512
71f06fcd2809686e256714805da3386310461faad0aaa40150368b9b6c0f18ca59040d3c8aa1ee9d3e70163c8c93a43709525f291d2252210a9bcd7f276bd9e2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
212.6MB

MD5
177b210af251dd1b96e826be6c77c2b9

SHA1
0d77bbdc598d9ca34d4dd4745f74119124b3cfc5

SHA256
7589b743d4c14cdf3786430d6c1833ad9359b678996fb1e490b3e005c16f828c

SHA512
6056bb268fe0b20c1e864b283c2c06a3a02ed71a0e0228e23c8b4108396eb6651c816f83874cb80a1ca0163b185bdad8e27a4ebd96562ae0d7a0333fab6c3118

Download Submit
memory/1012-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1012-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1012-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1012-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1768-162-0x00000000758C0000-0x000000007590C000-memory.dmp

Filesize
304KB

Download
memory/1768-161-0x0000000006ED0000-0x0000000006F02000-memory.dmp

Filesize
200KB

Download
memory/1768-173-0x0000000007440000-0x0000000007448000-memory.dmp

Filesize
32KB

Download
memory/1768-172-0x0000000007460000-0x000000000747A000-memory.dmp

Filesize
104KB

Download
memory/1768-169-0x0000000005900000-0x000000000590E000-memory.dmp

Filesize
56KB

Download
memory/1768-166-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/1768-164-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/1768-163-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/4872-139-0x0000000006FF0000-0x0000000007012000-memory.dmp

Filesize
136KB

Download
memory/4872-138-0x0000000000920000-0x0000000001094000-memory.dmp

Filesize
7.5MB

Download
memory/4980-141-0x0000000003390000-0x00000000033C6000-memory.dmp

Filesize
216KB

Download
memory/4980-142-0x0000000005B70000-0x0000000006198000-memory.dmp

Filesize
6.2MB

Download
memory/4980-143-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/4980-144-0x0000000006330000-0x0000000006396000-memory.dmp

Filesize
408KB

Download
memory/4980-145-0x0000000006950000-0x000000000696E000-memory.dmp

Filesize
120KB

Download
memory/4980-146-0x00000000081C0000-0x000000000883A000-memory.dmp

Filesize
6.5MB

Download
memory/4980-147-0x0000000006E40000-0x0000000006E5A000-memory.dmp

Filesize
104KB

Download