aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
58s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

pid	Process
4964	voiceadequovl.exe
4824	voiceadequovl.exe
1252	voiceadequovl.exe
5044	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4824 set thread context of 5044	4824	voiceadequovl.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1580	powershell.exe
1580	powershell.exe
4824	voiceadequovl.exe
4824	voiceadequovl.exe
2908	powershell.exe
2908	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4824	voiceadequovl.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeIncreaseQuotaPrivilege	2064	wmic.exe
Token: SeSecurityPrivilege	2064	wmic.exe
Token: SeTakeOwnershipPrivilege	2064	wmic.exe
Token: SeLoadDriverPrivilege	2064	wmic.exe
Token: SeSystemProfilePrivilege	2064	wmic.exe
Token: SeSystemtimePrivilege	2064	wmic.exe
Token: SeProfSingleProcessPrivilege	2064	wmic.exe
Token: SeIncBasePriorityPrivilege	2064	wmic.exe
Token: SeCreatePagefilePrivilege	2064	wmic.exe
Token: SeBackupPrivilege	2064	wmic.exe
Token: SeRestorePrivilege	2064	wmic.exe
Token: SeShutdownPrivilege	2064	wmic.exe
Token: SeDebugPrivilege	2064	wmic.exe
Token: SeSystemEnvironmentPrivilege	2064	wmic.exe
Token: SeRemoteShutdownPrivilege	2064	wmic.exe
Token: SeUndockPrivilege	2064	wmic.exe
Token: SeManageVolumePrivilege	2064	wmic.exe
Token: 33	2064	wmic.exe
Token: 34	2064	wmic.exe
Token: 35	2064	wmic.exe
Token: 36	2064	wmic.exe
Token: SeIncreaseQuotaPrivilege	2064	wmic.exe
Token: SeSecurityPrivilege	2064	wmic.exe
Token: SeTakeOwnershipPrivilege	2064	wmic.exe
Token: SeLoadDriverPrivilege	2064	wmic.exe
Token: SeSystemProfilePrivilege	2064	wmic.exe
Token: SeSystemtimePrivilege	2064	wmic.exe
Token: SeProfSingleProcessPrivilege	2064	wmic.exe
Token: SeIncBasePriorityPrivilege	2064	wmic.exe
Token: SeCreatePagefilePrivilege	2064	wmic.exe
Token: SeBackupPrivilege	2064	wmic.exe
Token: SeRestorePrivilege	2064	wmic.exe
Token: SeShutdownPrivilege	2064	wmic.exe
Token: SeDebugPrivilege	2064	wmic.exe
Token: SeSystemEnvironmentPrivilege	2064	wmic.exe
Token: SeRemoteShutdownPrivilege	2064	wmic.exe
Token: SeUndockPrivilege	2064	wmic.exe
Token: SeManageVolumePrivilege	2064	wmic.exe
Token: 33	2064	wmic.exe
Token: 34	2064	wmic.exe
Token: 35	2064	wmic.exe
Token: 36	2064	wmic.exe
Token: SeIncreaseQuotaPrivilege	3820	WMIC.exe
Token: SeSecurityPrivilege	3820	WMIC.exe
Token: SeTakeOwnershipPrivilege	3820	WMIC.exe
Token: SeLoadDriverPrivilege	3820	WMIC.exe
Token: SeSystemProfilePrivilege	3820	WMIC.exe
Token: SeSystemtimePrivilege	3820	WMIC.exe
Token: SeProfSingleProcessPrivilege	3820	WMIC.exe
Token: SeIncBasePriorityPrivilege	3820	WMIC.exe
Token: SeCreatePagefilePrivilege	3820	WMIC.exe
Token: SeBackupPrivilege	3820	WMIC.exe
Token: SeRestorePrivilege	3820	WMIC.exe
Token: SeShutdownPrivilege	3820	WMIC.exe
Token: SeDebugPrivilege	3820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3820	WMIC.exe
Token: SeRemoteShutdownPrivilege	3820	WMIC.exe
Token: SeUndockPrivilege	3820	WMIC.exe
Token: SeManageVolumePrivilege	3820	WMIC.exe
Token: 33	3820	WMIC.exe
Token: 34	3820	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4964	2088	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 2088 wrote to memory of 4964	2088	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 2088 wrote to memory of 4964	2088	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 4964 wrote to memory of 4824	4964	voiceadequovl.exe	82
PID 4964 wrote to memory of 4824	4964	voiceadequovl.exe	82
PID 4964 wrote to memory of 4824	4964	voiceadequovl.exe	82
PID 4824 wrote to memory of 1580	4824	voiceadequovl.exe	84
PID 4824 wrote to memory of 1580	4824	voiceadequovl.exe	84
PID 4824 wrote to memory of 1580	4824	voiceadequovl.exe	84
PID 4824 wrote to memory of 5096	4824	voiceadequovl.exe	93
PID 4824 wrote to memory of 5096	4824	voiceadequovl.exe	93
PID 4824 wrote to memory of 5096	4824	voiceadequovl.exe	93
PID 5096 wrote to memory of 2908	5096	cmd.exe	95
PID 5096 wrote to memory of 2908	5096	cmd.exe	95
PID 5096 wrote to memory of 2908	5096	cmd.exe	95
PID 4824 wrote to memory of 1252	4824	voiceadequovl.exe	96
PID 4824 wrote to memory of 1252	4824	voiceadequovl.exe	96
PID 4824 wrote to memory of 1252	4824	voiceadequovl.exe	96
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 4824 wrote to memory of 5044	4824	voiceadequovl.exe	97
PID 5044 wrote to memory of 2064	5044	voiceadequovl.exe	98
PID 5044 wrote to memory of 2064	5044	voiceadequovl.exe	98
PID 5044 wrote to memory of 2064	5044	voiceadequovl.exe	98
PID 5044 wrote to memory of 3560	5044	voiceadequovl.exe	100
PID 5044 wrote to memory of 3560	5044	voiceadequovl.exe	100
PID 5044 wrote to memory of 3560	5044	voiceadequovl.exe	100
PID 3560 wrote to memory of 3820	3560	cmd.exe	102
PID 3560 wrote to memory of 3820	3560	cmd.exe	102
PID 3560 wrote to memory of 3820	3560	cmd.exe	102
PID 5044 wrote to memory of 2856	5044	voiceadequovl.exe	103
PID 5044 wrote to memory of 2856	5044	voiceadequovl.exe	103
PID 5044 wrote to memory of 2856	5044	voiceadequovl.exe	103

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1252
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5044
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3560
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:2856
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
6a90553d7d0f6cf05db1078de4110614

SHA1
aaaa5b7acb24703050f6f73e3212c6291fe5f61c

SHA256
99b1aa8d83215433d226e087f8c1d7097a61ded189280132963ad00b35fb1a79

SHA512
c20dffa8bb303800dab73c7dc032d875f424462441ce364ca4efedbd3ba1666732a77838dd2b93c93f0516073aae84bee5f792dd3cc52524b5249aa10ccca62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
326.2MB

MD5
1dc18278e92ea9378ef965b21b06a5cb

SHA1
312fe19c551a3fe3ad4aec6df484efa0c8e4c7a8

SHA256
b156ebcf9831d2e4c402250f06bb917c8c337bd46085611ca8fa5ac8f0fde297

SHA512
dedb1c68cf0d7b37682620c2728be287e69ab38ed1f1910b44e18ffa3c5ee557f3a6a98bd0053618b33c99591f533bcb75fecadf4b44ab4316d93a115952b2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
321.4MB

MD5
4bde9cc6226aa215f383002eafe796d5

SHA1
85a708b20f787dde4ff9151ab86b061cc21c3706

SHA256
546b530c2aa043443ea3581458154edcb0e14d2730664e06bfde37c3e6731384

SHA512
b1617744f9787890eb8b7df2c8c7fe16837dd8c9271bd575f0ffb81ff8d8005d906f80b0c954f669e5d4f2aff46eebf448c2e04ea700f76e701c0d30e138e9b6

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
290.5MB

MD5
c6c146a38197f182a4ec5e86f461e47b

SHA1
7fd3fe7034fe74138ae040589233239111858c2b

SHA256
5db9c37ad8a7a768a99907ddcc952a99c1813541f2645930def4c9a049034f8a

SHA512
57708c6545d40776732d79bf69bfc33af292d5f975111aaf4188606a1e0158d9405423cbc19b19852cf5ec72a4b258a6827e10a7d4db21bab8b580ae45952e48

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
308.7MB

MD5
6fb1b1279b549a1e5caa4a76ab8f151b

SHA1
64fae5539397b234e5a745cb2881613f90b3f62d

SHA256
068653c3fb9a9404deebd8d488c8941df7c4300fc975ccaf649a41c608713e2a

SHA512
db1f16ec91a49930b1704b0de99f587d5e62b1e49a9e8ac3217b136b999fd84f107037f9a53e81bb4d0ce47698d2ce94ed7f714271b80e89d50cb2ab522bb027

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
205.8MB

MD5
6953f82dc1a5564b10f564ede7043007

SHA1
c2889fc923d6b2e7a549e050e619696a614757da

SHA256
38512a90169e014f34605daf1f54a2102931b2ff25068038a9a05ee2d260449d

SHA512
e31cdf20da39dd9323ddcfc24d52539cecba7ae7663800b5879071eeefe6d9b6bad87ee4b4ba39e1ba69240fb01aafead87f410304ecf5f5380c1b4407cf37d2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
228.4MB

MD5
d08718ee789d6f1126493f8e87e7860b

SHA1
8e9daadc33a63d094941bbd6cedade6f586d020c

SHA256
275eb8807c8548adf57714341dac05f80bc02cc353d2761d4e852b87a9800036

SHA512
4ce6fea87d6526fa8c02f9082b698ba7ac7f1a7677dbf165f7656afc190bc8de13be78b3187fa506a303af6012e5f7ed571dd783125010deb76c39bb7cd6c6a5

Download Submit
memory/1580-142-0x0000000005B00000-0x0000000006128000-memory.dmp

Filesize
6.2MB

Download
memory/1580-144-0x0000000006210000-0x0000000006276000-memory.dmp

Filesize
408KB

Download
memory/1580-145-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/1580-147-0x0000000006D80000-0x0000000006D9A000-memory.dmp

Filesize
104KB

Download
memory/1580-146-0x0000000008070000-0x00000000086EA000-memory.dmp

Filesize
6.5MB

Download
memory/1580-143-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/1580-141-0x00000000032A0000-0x00000000032D6000-memory.dmp

Filesize
216KB

Download
memory/2908-163-0x0000000072F30000-0x0000000072F7C000-memory.dmp

Filesize
304KB

Download
memory/2908-165-0x0000000007D20000-0x0000000007D2A000-memory.dmp

Filesize
40KB

Download
memory/2908-173-0x0000000007EB0000-0x0000000007EB8000-memory.dmp

Filesize
32KB

Download
memory/2908-172-0x0000000007ED0000-0x0000000007EEA000-memory.dmp

Filesize
104KB

Download
memory/2908-171-0x0000000006810000-0x000000000681E000-memory.dmp

Filesize
56KB

Download
memory/2908-168-0x0000000007F70000-0x0000000008006000-memory.dmp

Filesize
600KB

Download
memory/2908-162-0x0000000006F70000-0x0000000006FA2000-memory.dmp

Filesize
200KB

Download
memory/2908-164-0x0000000006EC0000-0x0000000006EDE000-memory.dmp

Filesize
120KB

Download
memory/4824-139-0x0000000007690000-0x00000000076B2000-memory.dmp

Filesize
136KB

Download
memory/4824-138-0x0000000000FD0000-0x0000000001744000-memory.dmp

Filesize
7.5MB

Download
memory/5044-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5044-158-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5044-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/5044-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download