aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
84s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2023, 01:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 5 IoCs

pid	Process
744	voiceadequovl.exe
4892	voiceadequovl.exe
1248	voiceadequovl.exe
3240	voiceadequovl.exe
2732	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 2732	4892	voiceadequovl.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
32	powershell.exe
32	powershell.exe
4892	voiceadequovl.exe
4892	voiceadequovl.exe
3532	powershell.exe
4892	voiceadequovl.exe
4892	voiceadequovl.exe
3532	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	voiceadequovl.exe
Token: SeDebugPrivilege	32	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeIncreaseQuotaPrivilege	616	wmic.exe
Token: SeSecurityPrivilege	616	wmic.exe
Token: SeTakeOwnershipPrivilege	616	wmic.exe
Token: SeLoadDriverPrivilege	616	wmic.exe
Token: SeSystemProfilePrivilege	616	wmic.exe
Token: SeSystemtimePrivilege	616	wmic.exe
Token: SeProfSingleProcessPrivilege	616	wmic.exe
Token: SeIncBasePriorityPrivilege	616	wmic.exe
Token: SeCreatePagefilePrivilege	616	wmic.exe
Token: SeBackupPrivilege	616	wmic.exe
Token: SeRestorePrivilege	616	wmic.exe
Token: SeShutdownPrivilege	616	wmic.exe
Token: SeDebugPrivilege	616	wmic.exe
Token: SeSystemEnvironmentPrivilege	616	wmic.exe
Token: SeRemoteShutdownPrivilege	616	wmic.exe
Token: SeUndockPrivilege	616	wmic.exe
Token: SeManageVolumePrivilege	616	wmic.exe
Token: 33	616	wmic.exe
Token: 34	616	wmic.exe
Token: 35	616	wmic.exe
Token: 36	616	wmic.exe
Token: SeIncreaseQuotaPrivilege	616	wmic.exe
Token: SeSecurityPrivilege	616	wmic.exe
Token: SeTakeOwnershipPrivilege	616	wmic.exe
Token: SeLoadDriverPrivilege	616	wmic.exe
Token: SeSystemProfilePrivilege	616	wmic.exe
Token: SeSystemtimePrivilege	616	wmic.exe
Token: SeProfSingleProcessPrivilege	616	wmic.exe
Token: SeIncBasePriorityPrivilege	616	wmic.exe
Token: SeCreatePagefilePrivilege	616	wmic.exe
Token: SeBackupPrivilege	616	wmic.exe
Token: SeRestorePrivilege	616	wmic.exe
Token: SeShutdownPrivilege	616	wmic.exe
Token: SeDebugPrivilege	616	wmic.exe
Token: SeSystemEnvironmentPrivilege	616	wmic.exe
Token: SeRemoteShutdownPrivilege	616	wmic.exe
Token: SeUndockPrivilege	616	wmic.exe
Token: SeManageVolumePrivilege	616	wmic.exe
Token: 33	616	wmic.exe
Token: 34	616	wmic.exe
Token: 35	616	wmic.exe
Token: 36	616	wmic.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 744	4808	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 4808 wrote to memory of 744	4808	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 4808 wrote to memory of 744	4808	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 744 wrote to memory of 4892	744	voiceadequovl.exe	82
PID 744 wrote to memory of 4892	744	voiceadequovl.exe	82
PID 744 wrote to memory of 4892	744	voiceadequovl.exe	82
PID 4892 wrote to memory of 32	4892	voiceadequovl.exe	89
PID 4892 wrote to memory of 32	4892	voiceadequovl.exe	89
PID 4892 wrote to memory of 32	4892	voiceadequovl.exe	89
PID 4892 wrote to memory of 3888	4892	voiceadequovl.exe	94
PID 4892 wrote to memory of 3888	4892	voiceadequovl.exe	94
PID 4892 wrote to memory of 3888	4892	voiceadequovl.exe	94
PID 3888 wrote to memory of 3532	3888	cmd.exe	95
PID 3888 wrote to memory of 3532	3888	cmd.exe	95
PID 3888 wrote to memory of 3532	3888	cmd.exe	95
PID 4892 wrote to memory of 1248	4892	voiceadequovl.exe	96
PID 4892 wrote to memory of 1248	4892	voiceadequovl.exe	96
PID 4892 wrote to memory of 1248	4892	voiceadequovl.exe	96
PID 4892 wrote to memory of 3240	4892	voiceadequovl.exe	98
PID 4892 wrote to memory of 3240	4892	voiceadequovl.exe	98
PID 4892 wrote to memory of 3240	4892	voiceadequovl.exe	98
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 4892 wrote to memory of 2732	4892	voiceadequovl.exe	97
PID 2732 wrote to memory of 616	2732	voiceadequovl.exe	100
PID 2732 wrote to memory of 616	2732	voiceadequovl.exe	100
PID 2732 wrote to memory of 616	2732	voiceadequovl.exe	100
PID 2732 wrote to memory of 1404	2732	voiceadequovl.exe	101
PID 2732 wrote to memory of 1404	2732	voiceadequovl.exe	101
PID 2732 wrote to memory of 1404	2732	voiceadequovl.exe	101
PID 1404 wrote to memory of 2676	1404	cmd.exe	103
PID 1404 wrote to memory of 2676	1404	cmd.exe	103
PID 1404 wrote to memory of 2676	1404	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:32
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1248
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:2676
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:916
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:4092
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:3240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
978e7a09880d871d307a4f1115e432bb

SHA1
8984b34c32fb93be6cdf57c4979b057a8b269e20

SHA256
d0f8cd45a9f30d6ac0af75796a44e3ff1d7cd9bdeaa568f740c6d441779783f9

SHA512
5ea4e5ba4e4d6dcecf6ccc46e19e871ba78b52fc12e66c54f6035db93529cb620519a473bb47a9ed5edadb5699d208f2d6769dd09df5380118a933904ba2bcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
358.5MB

MD5
01cb88d3ffb38a7ef134c61983960c76

SHA1
c24e0f84637e31069f5dc89c3debcf5f127d7025

SHA256
06e7ff8d4d2ab602d0d078f3be878774dae311af8238a0b47ae31e86198a82b0

SHA512
4d26218b9dc893139e2d3011d3cd3fec115a2713a3854c970e970f2b9db6b1c2db493e43f947318eb9a7b0a75ae662e82f331e94bf0e01bb7c55ad4a54698cac

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
248.2MB

MD5
f60f515f3eef637d3ae0b6af1eb8ac31

SHA1
e809531f495ec088750a6b20aa24a1a71a474409

SHA256
4a1d68c3336bf86ba46637c5cbc22bdb996177221d5a5329538e0fda160e2316

SHA512
1f9e5dfc59a5aba10e131e942ec86f72f0b6c99f3697f27a2842b606fac72a6d6765d128d9f9cf9119d404f352e0148c9a5b30d7e79beb2d30c8cbc0e1f7d514

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
244.1MB

MD5
38a283b41e5018db647f26cfc187b166

SHA1
85dabf1388a7c952389a2431d27d654a95f477ed

SHA256
837d2bb5588610a80df7d8edaa64fc33954924634150036bf2ac26825875fb32

SHA512
8499e319bd28d6d333552c1fb2862489bb2b1f9666e20730c6efe5ef085ad4c5df51318c2a56b71cd325eb0cc78b2134fb0920279def45f350f863f8035a44f4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
141.8MB

MD5
b145cd307d28dc6d3964903f3662376d

SHA1
affc82b56dc483298f159554603b961b13d72473

SHA256
1c697c41453c54d878b83055debd85673d3d4976cd52bfce4cb41ad20cf24b83

SHA512
c16131adca20044d38d6bbcc0ebaf1552557403977cacf20e1c13d0b2309e73d73fea79f36993b2a58907cba3bd027d7b6574dad1143e5f7ebe14f569c730a0f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
139.8MB

MD5
4dbdaa69040db8dba325a441178f4e89

SHA1
d689e9455230f723ff1bb219f6e1165f574193b9

SHA256
3865dba13d5670984bfafe4d87f30a106c34e31fba0d81dddb1b4f6dc836372c

SHA512
adfee94215ba5e6d1034e50c812e7697990b5e7816a2dc561990c7b9d4c1ac302c0c3e996c608aea7ab0acfb063bde5fb49d84d27c5906d522196a2b03b1964e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
140.4MB

MD5
21b882a4486e94d313dc225a74ab531a

SHA1
1c3728e0a9af24621cc7791cadef48a8204bd018

SHA256
c41e47b8a54ccc75d96a5d51da5742f700eddbfeb171b2bb1d787ed1e127119f

SHA512
99015a3a3663789c5aad3909298461656390759e24dbb565d38720781212b2a8b47790e6216bf6c9c278df9dbdcd1628ba269333c79a20b78a4c293509a7bf2c

Download Submit
memory/32-144-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/32-141-0x0000000002480000-0x00000000024B6000-memory.dmp

Filesize
216KB

Download
memory/32-142-0x0000000004CD0000-0x00000000052F8000-memory.dmp

Filesize
6.2MB

Download
memory/32-145-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/32-146-0x00000000070D0000-0x000000000774A000-memory.dmp

Filesize
6.5MB

Download
memory/32-147-0x0000000005F50000-0x0000000005F6A000-memory.dmp

Filesize
104KB

Download
memory/32-143-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/2732-156-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2732-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2732-161-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2732-176-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3532-166-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/3532-171-0x00000000056E0000-0x00000000056EE000-memory.dmp

Filesize
56KB

Download
memory/3532-164-0x0000000070D90000-0x0000000070DDC000-memory.dmp

Filesize
304KB

Download
memory/3532-163-0x0000000006250000-0x0000000006282000-memory.dmp

Filesize
200KB

Download
memory/3532-168-0x0000000007270000-0x0000000007306000-memory.dmp

Filesize
600KB

Download
memory/3532-173-0x00000000071D0000-0x00000000071D8000-memory.dmp

Filesize
32KB

Download
memory/3532-165-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/3532-172-0x00000000071F0000-0x000000000720A000-memory.dmp

Filesize
104KB

Download
memory/4892-138-0x0000000000A30000-0x00000000011A4000-memory.dmp

Filesize
7.5MB

Download
memory/4892-139-0x00000000070F0000-0x0000000007112000-memory.dmp

Filesize
136KB

Download