aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
70s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 5 IoCs

pid	Process
2348	voiceadequovl.exe
4848	voiceadequovl.exe
3152	voiceadequovl.exe
628	voiceadequovl.exe
524	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4848 set thread context of 524	4848	voiceadequovl.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1460	powershell.exe
1460	powershell.exe
4608	powershell.exe
4848	voiceadequovl.exe
4848	voiceadequovl.exe
4848	voiceadequovl.exe
4848	voiceadequovl.exe
4608	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	voiceadequovl.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeIncreaseQuotaPrivilege	4176	wmic.exe
Token: SeSecurityPrivilege	4176	wmic.exe
Token: SeTakeOwnershipPrivilege	4176	wmic.exe
Token: SeLoadDriverPrivilege	4176	wmic.exe
Token: SeSystemProfilePrivilege	4176	wmic.exe
Token: SeSystemtimePrivilege	4176	wmic.exe
Token: SeProfSingleProcessPrivilege	4176	wmic.exe
Token: SeIncBasePriorityPrivilege	4176	wmic.exe
Token: SeCreatePagefilePrivilege	4176	wmic.exe
Token: SeBackupPrivilege	4176	wmic.exe
Token: SeRestorePrivilege	4176	wmic.exe
Token: SeShutdownPrivilege	4176	wmic.exe
Token: SeDebugPrivilege	4176	wmic.exe
Token: SeSystemEnvironmentPrivilege	4176	wmic.exe
Token: SeRemoteShutdownPrivilege	4176	wmic.exe
Token: SeUndockPrivilege	4176	wmic.exe
Token: SeManageVolumePrivilege	4176	wmic.exe
Token: 33	4176	wmic.exe
Token: 34	4176	wmic.exe
Token: 35	4176	wmic.exe
Token: 36	4176	wmic.exe
Token: SeIncreaseQuotaPrivilege	4176	wmic.exe
Token: SeSecurityPrivilege	4176	wmic.exe
Token: SeTakeOwnershipPrivilege	4176	wmic.exe
Token: SeLoadDriverPrivilege	4176	wmic.exe
Token: SeSystemProfilePrivilege	4176	wmic.exe
Token: SeSystemtimePrivilege	4176	wmic.exe
Token: SeProfSingleProcessPrivilege	4176	wmic.exe
Token: SeIncBasePriorityPrivilege	4176	wmic.exe
Token: SeCreatePagefilePrivilege	4176	wmic.exe
Token: SeBackupPrivilege	4176	wmic.exe
Token: SeRestorePrivilege	4176	wmic.exe
Token: SeShutdownPrivilege	4176	wmic.exe
Token: SeDebugPrivilege	4176	wmic.exe
Token: SeSystemEnvironmentPrivilege	4176	wmic.exe
Token: SeRemoteShutdownPrivilege	4176	wmic.exe
Token: SeUndockPrivilege	4176	wmic.exe
Token: SeManageVolumePrivilege	4176	wmic.exe
Token: 33	4176	wmic.exe
Token: 34	4176	wmic.exe
Token: 35	4176	wmic.exe
Token: 36	4176	wmic.exe
Token: SeIncreaseQuotaPrivilege	1440	WMIC.exe
Token: SeSecurityPrivilege	1440	WMIC.exe
Token: SeTakeOwnershipPrivilege	1440	WMIC.exe
Token: SeLoadDriverPrivilege	1440	WMIC.exe
Token: SeSystemProfilePrivilege	1440	WMIC.exe
Token: SeSystemtimePrivilege	1440	WMIC.exe
Token: SeProfSingleProcessPrivilege	1440	WMIC.exe
Token: SeIncBasePriorityPrivilege	1440	WMIC.exe
Token: SeCreatePagefilePrivilege	1440	WMIC.exe
Token: SeBackupPrivilege	1440	WMIC.exe
Token: SeRestorePrivilege	1440	WMIC.exe
Token: SeShutdownPrivilege	1440	WMIC.exe
Token: SeDebugPrivilege	1440	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1440	WMIC.exe
Token: SeRemoteShutdownPrivilege	1440	WMIC.exe
Token: SeUndockPrivilege	1440	WMIC.exe
Token: SeManageVolumePrivilege	1440	WMIC.exe
Token: 33	1440	WMIC.exe
Token: 34	1440	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2348	5016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	83
PID 5016 wrote to memory of 2348	5016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	83
PID 5016 wrote to memory of 2348	5016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	83
PID 2348 wrote to memory of 4848	2348	voiceadequovl.exe	84
PID 2348 wrote to memory of 4848	2348	voiceadequovl.exe	84
PID 2348 wrote to memory of 4848	2348	voiceadequovl.exe	84
PID 4848 wrote to memory of 1460	4848	voiceadequovl.exe	86
PID 4848 wrote to memory of 1460	4848	voiceadequovl.exe	86
PID 4848 wrote to memory of 1460	4848	voiceadequovl.exe	86
PID 4848 wrote to memory of 3364	4848	voiceadequovl.exe	89
PID 4848 wrote to memory of 3364	4848	voiceadequovl.exe	89
PID 4848 wrote to memory of 3364	4848	voiceadequovl.exe	89
PID 3364 wrote to memory of 4608	3364	cmd.exe	92
PID 3364 wrote to memory of 4608	3364	cmd.exe	92
PID 3364 wrote to memory of 4608	3364	cmd.exe	92
PID 4848 wrote to memory of 3152	4848	voiceadequovl.exe	93
PID 4848 wrote to memory of 3152	4848	voiceadequovl.exe	93
PID 4848 wrote to memory of 3152	4848	voiceadequovl.exe	93
PID 4848 wrote to memory of 628	4848	voiceadequovl.exe	94
PID 4848 wrote to memory of 628	4848	voiceadequovl.exe	94
PID 4848 wrote to memory of 628	4848	voiceadequovl.exe	94
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 4848 wrote to memory of 524	4848	voiceadequovl.exe	95
PID 524 wrote to memory of 4176	524	voiceadequovl.exe	96
PID 524 wrote to memory of 4176	524	voiceadequovl.exe	96
PID 524 wrote to memory of 4176	524	voiceadequovl.exe	96
PID 524 wrote to memory of 2304	524	voiceadequovl.exe	99
PID 524 wrote to memory of 2304	524	voiceadequovl.exe	99
PID 524 wrote to memory of 2304	524	voiceadequovl.exe	99
PID 2304 wrote to memory of 1440	2304	cmd.exe	100
PID 2304 wrote to memory of 1440	2304	cmd.exe	100
PID 2304 wrote to memory of 1440	2304	cmd.exe	100
PID 524 wrote to memory of 4168	524	voiceadequovl.exe	101
PID 524 wrote to memory of 4168	524	voiceadequovl.exe	101
PID 524 wrote to memory of 4168	524	voiceadequovl.exe	101

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:3152
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:628
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:524
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4176
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:4168
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
4fbb4d74bd9053d3dce159cc0bc1c5a4

SHA1
05d094c8a37575b9038ca012729fd508fcaacdeb

SHA256
8035cf1fb984218337d7f75c0ff2c805bd60415d0c8271723270c743cdc28982

SHA512
1ceb39ce35846e3847c2d96e4d0781ff0ab8769808c513e8f5ab3cfee3d529076dcb52d5ed72368085ffd44c2396d96ec4ff13fb29624df7bed822eedabb1b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
342.6MB

MD5
a49b1b13092243cb4d7eee0b84477383

SHA1
6fd0bcd18f83ade19d6239fbc1653b84c4991609

SHA256
522adf33b7e13f32e19101020b716f40775ab5d7e89c84dc5f567c98474b0b79

SHA512
098436b1b31a2d5a665e590a21c3c9b5e8dd86934a01d68f9a2501d4919c1fee7b896319536a73eee23d2408cc9a4582fc763f9db9467044245d39274102fb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
322.1MB

MD5
e72b5e7e24cd22f33190a5f870ea5f7a

SHA1
1c4a6ff0fb2f55a8915f9e9d7f9077c9049a6319

SHA256
001a3b924c085896a9bc25b8ed6ff46cb76e87e2195a65cde8bb01d3ca998b0b

SHA512
aab425f6fea203e3a106d7f6fd4a334fabdc394fc50e5c11b40373a04c9b656d736d0411c97fd6117e5d43df464f73a96484ba789d607eb4712415427722fa1e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
287.8MB

MD5
7f422f5e2b52f7fa8ab19d2a22ff183c

SHA1
1bb62f288ba037eaa153f4cec6f93f54b8b7c26c

SHA256
12ca79d4f8754a8175434446dd1fb9040b260f69d6511db4684b65a8e506e8f2

SHA512
a6b99762038e91be8d3245ee6a60c8c73f82671bb00fecca1810cb170d4c44367ecb9cae2c1b546cdfb400077311216c93321b8629dd641f0bb73183db71db39

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
283.4MB

MD5
fcc7811a3639e4caaca70c5fb6ba14b0

SHA1
05b9e510d9456f3a6d29eb855871e5a70e184bfd

SHA256
a088465788c4c940d185840570b6355da138247d27b9e4aa90fb184b31f040cb

SHA512
55938d0b2ca6c86845093e8cb03ef33744bee74404e43438d623fcd3ccc9a0d66ca96d0894c418b07ceff1eba1be78248be8081b0672c4ccdc02d069897afa03

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
143.6MB

MD5
3aee9aca9e5526db3e4a8fb537078adc

SHA1
3c46871642de9bf455724bff1d8907ecea981e68

SHA256
1dd5ef962289ff39e3adcb46589e0f874fba7f7906be02eeccde6c8001723297

SHA512
a2171a23fb4b49120183c1e99b70ba5d558f881d82cb808aa1a5bbd44345b4f02066db15bba9b363bbed0c79eae501eb6071b174dc95e2b0d74db6b52f427270

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
147.3MB

MD5
e941a306905dac3a60820b50d7630f7f

SHA1
17d54e97076702233933e96c40eef392a5b5034e

SHA256
7445e433d3b63d1be53a29edf98e66b3ac37e5ce5c832a6ee0c7db43149b555c

SHA512
9534cfd03f666344e195077a368aefecb576067d990dac15537dbf8d1db34b972d709c86643d7119cf1c86e03ab5bb3ea314629074f3eaa32e4355439ce10dbd

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
152.9MB

MD5
a23aaecb44ee1ca861bf7e9160392d63

SHA1
52da103c7ec1a20759d2f1986906c17f18275c94

SHA256
dce7fed4196d4b09fb831f8a637f7d6f195a5c6417321e15da14ee2caa16a7aa

SHA512
febc752ccba606724992194d891b528e45341be087e3d1eb837990dc244f22d634d3f7f327fc27a59cf396286d7a1d99bc11c3c5c637c644135ae26009e82e6a

Download Submit
memory/524-156-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/524-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/524-161-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/524-176-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1460-143-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/1460-142-0x00000000052B0000-0x00000000058D8000-memory.dmp

Filesize
6.2MB

Download
memory/1460-141-0x00000000029D0000-0x0000000002A06000-memory.dmp

Filesize
216KB

Download
memory/1460-147-0x0000000006430000-0x000000000644A000-memory.dmp

Filesize
104KB

Download
memory/1460-146-0x00000000075D0000-0x0000000007C4A000-memory.dmp

Filesize
6.5MB

Download
memory/1460-145-0x0000000005FA0000-0x0000000005FBE000-memory.dmp

Filesize
120KB

Download
memory/1460-144-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/4608-173-0x00000000061E0000-0x00000000061EE000-memory.dmp

Filesize
56KB

Download
memory/4608-165-0x00000000074E0000-0x00000000074FE000-memory.dmp

Filesize
120KB

Download
memory/4608-166-0x00000000076F0000-0x00000000076FA000-memory.dmp

Filesize
40KB

Download
memory/4608-163-0x0000000007500000-0x0000000007532000-memory.dmp

Filesize
200KB

Download
memory/4608-168-0x0000000007930000-0x00000000079C6000-memory.dmp

Filesize
600KB

Download
memory/4608-164-0x00000000756C0000-0x000000007570C000-memory.dmp

Filesize
304KB

Download
memory/4608-174-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/4608-175-0x0000000007870000-0x0000000007878000-memory.dmp

Filesize
32KB

Download
memory/4848-138-0x0000000000DD0000-0x0000000001544000-memory.dmp

Filesize
7.5MB

Download
memory/4848-139-0x0000000007490000-0x00000000074B2000-memory.dmp

Filesize
136KB

Download