aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
53s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

pid	Process
4028	voiceadequovl.exe
2436	voiceadequovl.exe
656	voiceadequovl.exe
3460	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2436 set thread context of 3460	2436	voiceadequovl.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2608	powershell.exe
2608	powershell.exe
2436	voiceadequovl.exe
2436	voiceadequovl.exe
2476	powershell.exe
2476	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2436	voiceadequovl.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeIncreaseQuotaPrivilege	488	wmic.exe
Token: SeSecurityPrivilege	488	wmic.exe
Token: SeTakeOwnershipPrivilege	488	wmic.exe
Token: SeLoadDriverPrivilege	488	wmic.exe
Token: SeSystemProfilePrivilege	488	wmic.exe
Token: SeSystemtimePrivilege	488	wmic.exe
Token: SeProfSingleProcessPrivilege	488	wmic.exe
Token: SeIncBasePriorityPrivilege	488	wmic.exe
Token: SeCreatePagefilePrivilege	488	wmic.exe
Token: SeBackupPrivilege	488	wmic.exe
Token: SeRestorePrivilege	488	wmic.exe
Token: SeShutdownPrivilege	488	wmic.exe
Token: SeDebugPrivilege	488	wmic.exe
Token: SeSystemEnvironmentPrivilege	488	wmic.exe
Token: SeRemoteShutdownPrivilege	488	wmic.exe
Token: SeUndockPrivilege	488	wmic.exe
Token: SeManageVolumePrivilege	488	wmic.exe
Token: 33	488	wmic.exe
Token: 34	488	wmic.exe
Token: 35	488	wmic.exe
Token: 36	488	wmic.exe
Token: SeIncreaseQuotaPrivilege	488	wmic.exe
Token: SeSecurityPrivilege	488	wmic.exe
Token: SeTakeOwnershipPrivilege	488	wmic.exe
Token: SeLoadDriverPrivilege	488	wmic.exe
Token: SeSystemProfilePrivilege	488	wmic.exe
Token: SeSystemtimePrivilege	488	wmic.exe
Token: SeProfSingleProcessPrivilege	488	wmic.exe
Token: SeIncBasePriorityPrivilege	488	wmic.exe
Token: SeCreatePagefilePrivilege	488	wmic.exe
Token: SeBackupPrivilege	488	wmic.exe
Token: SeRestorePrivilege	488	wmic.exe
Token: SeShutdownPrivilege	488	wmic.exe
Token: SeDebugPrivilege	488	wmic.exe
Token: SeSystemEnvironmentPrivilege	488	wmic.exe
Token: SeRemoteShutdownPrivilege	488	wmic.exe
Token: SeUndockPrivilege	488	wmic.exe
Token: SeManageVolumePrivilege	488	wmic.exe
Token: 33	488	wmic.exe
Token: 34	488	wmic.exe
Token: 35	488	wmic.exe
Token: 36	488	wmic.exe
Token: SeIncreaseQuotaPrivilege	1844	WMIC.exe
Token: SeSecurityPrivilege	1844	WMIC.exe
Token: SeTakeOwnershipPrivilege	1844	WMIC.exe
Token: SeLoadDriverPrivilege	1844	WMIC.exe
Token: SeSystemProfilePrivilege	1844	WMIC.exe
Token: SeSystemtimePrivilege	1844	WMIC.exe
Token: SeProfSingleProcessPrivilege	1844	WMIC.exe
Token: SeIncBasePriorityPrivilege	1844	WMIC.exe
Token: SeCreatePagefilePrivilege	1844	WMIC.exe
Token: SeBackupPrivilege	1844	WMIC.exe
Token: SeRestorePrivilege	1844	WMIC.exe
Token: SeShutdownPrivilege	1844	WMIC.exe
Token: SeDebugPrivilege	1844	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1844	WMIC.exe
Token: SeRemoteShutdownPrivilege	1844	WMIC.exe
Token: SeUndockPrivilege	1844	WMIC.exe
Token: SeManageVolumePrivilege	1844	WMIC.exe
Token: 33	1844	WMIC.exe
Token: 34	1844	WMIC.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 4028	3664	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 3664 wrote to memory of 4028	3664	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 3664 wrote to memory of 4028	3664	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 4028 wrote to memory of 2436	4028	voiceadequovl.exe	82
PID 4028 wrote to memory of 2436	4028	voiceadequovl.exe	82
PID 4028 wrote to memory of 2436	4028	voiceadequovl.exe	82
PID 2436 wrote to memory of 2608	2436	voiceadequovl.exe	84
PID 2436 wrote to memory of 2608	2436	voiceadequovl.exe	84
PID 2436 wrote to memory of 2608	2436	voiceadequovl.exe	84
PID 2436 wrote to memory of 4800	2436	voiceadequovl.exe	93
PID 2436 wrote to memory of 4800	2436	voiceadequovl.exe	93
PID 2436 wrote to memory of 4800	2436	voiceadequovl.exe	93
PID 4800 wrote to memory of 2476	4800	cmd.exe	95
PID 4800 wrote to memory of 2476	4800	cmd.exe	95
PID 4800 wrote to memory of 2476	4800	cmd.exe	95
PID 2436 wrote to memory of 656	2436	voiceadequovl.exe	96
PID 2436 wrote to memory of 656	2436	voiceadequovl.exe	96
PID 2436 wrote to memory of 656	2436	voiceadequovl.exe	96
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 2436 wrote to memory of 3460	2436	voiceadequovl.exe	97
PID 3460 wrote to memory of 488	3460	voiceadequovl.exe	98
PID 3460 wrote to memory of 488	3460	voiceadequovl.exe	98
PID 3460 wrote to memory of 488	3460	voiceadequovl.exe	98
PID 3460 wrote to memory of 2932	3460	voiceadequovl.exe	101
PID 3460 wrote to memory of 2932	3460	voiceadequovl.exe	101
PID 3460 wrote to memory of 2932	3460	voiceadequovl.exe	101
PID 2932 wrote to memory of 1844	2932	cmd.exe	102
PID 2932 wrote to memory of 1844	2932	cmd.exe	102
PID 2932 wrote to memory of 1844	2932	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:656
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:488
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:4228
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
2fa4887b148fcf0a096b2fd6325d5b07

SHA1
ea0b839559eee756fb229d41a7e910d065f6e550

SHA256
e0158fc8f5a61f448fd9876f381577c39efd56caec9acb0888df96f59760218d

SHA512
4300655d860c48b64bdf8efa690b2b9e8770edc5aa757b742e914afc2db45f9e98b7735de6e6be2972493152c35135c6e18f10f858d16986c43f6d3eff5d9f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
175.9MB

MD5
484439d76ee8c267ae132084e36aac77

SHA1
61befb9e3a96a7767b7856a57ec242c6a192ee6f

SHA256
fea25c376b159292ba7dc8888d06118760ce30de9ddf05d3f753d955a01e26e2

SHA512
69b0c321b7c64bd36fb8cb6a82ed279345579b478ba71baf6c6a1cd5f96ef2dce0f850039eeecc9552924203b1e355b5283f4c0c60f64d46dadf16385f2eadb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
173.7MB

MD5
f73c86c44d1b626e53c484baafd4940a

SHA1
a737378698c6bc4a45674c0950565bd871729d85

SHA256
c382e769292eed8a0127c2cc22d102f7a60558e36771519c6efff6d6cf760daf

SHA512
4bccfac8a447abe8cf118d79b363d06f25a258464e07a88cf3bea40be0f35dbc68a82c4c964ecb880321f72719e3bf154944ca85398a21cd1b1d0fbabb8d117e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
170.8MB

MD5
1894e5149ba0ecd8840a2c6df73d7566

SHA1
cd3942b5c6f3b2bc74145e8db4b56ac34601074a

SHA256
1fbb20069114cf94dc755bce66c6d8219ccba067e900895d20c5be9860eb3407

SHA512
46ef72e96d40b59f217401aa30d206bbe83d9f31bcda5386d0b806a9292f5fe5f67aa6bc39f6596e53eaaf06e6e78c694eddd2e362127d2f72f758c80ec74acb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
165.5MB

MD5
31bc3c30b47c0f32f304957fc3c737e6

SHA1
72e62f264428fe90ea53a013a47f8be676eec42d

SHA256
1fe0a68145675cfce92cd8f55c72d71dcf14f3d77f87ec9e33b7287b25ccb75f

SHA512
e7ceb2bbb8d2648e3ed9d790062548259762597827295fa60ef96df48be3ffb2896162b2b638575e58eed0d0006cf4ba47847f4659ef5c03bfd74ad654615709

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
104.4MB

MD5
da81688fde7a9877788455302dec0c56

SHA1
71a0b146e73fffbcbc96e0f913bfa410a5e346fe

SHA256
7c640ec660cbe51a445204b3dc5e9b4a94a63db02448c0684e0a78980507cebe

SHA512
6bdfe0f566a9e2d9d3d70060649ff8f3a5c847e0d1ce41007de294ec904aba046c1f99705ea82a00506dca55055d99b1068fa80bf948724392b282ab35374217

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
102.4MB

MD5
add70628e9dfa72dda4c4b6bdee0f515

SHA1
f6656cfdb92c580ae144528ce55c0c258640c5e2

SHA256
4bc11f650fd363fa83e84bc5e68c3ca0492cb1b96cc3c0e9829e2b98cc45ccd7

SHA512
760f0d97ce4a4b7aa2e9bcbf84868eb44a0f70f2b9da575643211bcb183e50a434997579c03eee421e27ed22e25b4fc73b87ecc3df6cf71782e2066edd707b43

Download Submit
memory/2436-139-0x0000000006AA0000-0x0000000006AC2000-memory.dmp

Filesize
136KB

Download
memory/2436-138-0x00000000003E0000-0x0000000000B54000-memory.dmp

Filesize
7.5MB

Download
memory/2476-167-0x00000000071E0000-0x0000000007276000-memory.dmp

Filesize
600KB

Download
memory/2476-165-0x0000000006FA0000-0x0000000006FAA000-memory.dmp

Filesize
40KB

Download
memory/2476-171-0x0000000005AB0000-0x0000000005ABE000-memory.dmp

Filesize
56KB

Download
memory/2476-163-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/2476-172-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/2476-162-0x0000000075540000-0x000000007558C000-memory.dmp

Filesize
304KB

Download
memory/2476-161-0x00000000061E0000-0x0000000006212000-memory.dmp

Filesize
200KB

Download
memory/2476-173-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/2608-142-0x00000000059C0000-0x0000000005FE8000-memory.dmp

Filesize
6.2MB

Download
memory/2608-145-0x00000000068F0000-0x000000000690E000-memory.dmp

Filesize
120KB

Download
memory/2608-141-0x0000000005350000-0x0000000005386000-memory.dmp

Filesize
216KB

Download
memory/2608-143-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/2608-144-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/2608-147-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

Filesize
104KB

Download
memory/2608-146-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/3460-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3460-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3460-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3460-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download