aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
56s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2023, 01:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

pid	Process
1804	voiceadequovl.exe
3408	voiceadequovl.exe
4960	voiceadequovl.exe
4804	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3408 set thread context of 4804	3408	voiceadequovl.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2792	powershell.exe
2792	powershell.exe
3408	voiceadequovl.exe
3408	voiceadequovl.exe
2800	powershell.exe
2800	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3408	voiceadequovl.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeIncreaseQuotaPrivilege	4356	wmic.exe
Token: SeSecurityPrivilege	4356	wmic.exe
Token: SeTakeOwnershipPrivilege	4356	wmic.exe
Token: SeLoadDriverPrivilege	4356	wmic.exe
Token: SeSystemProfilePrivilege	4356	wmic.exe
Token: SeSystemtimePrivilege	4356	wmic.exe
Token: SeProfSingleProcessPrivilege	4356	wmic.exe
Token: SeIncBasePriorityPrivilege	4356	wmic.exe
Token: SeCreatePagefilePrivilege	4356	wmic.exe
Token: SeBackupPrivilege	4356	wmic.exe
Token: SeRestorePrivilege	4356	wmic.exe
Token: SeShutdownPrivilege	4356	wmic.exe
Token: SeDebugPrivilege	4356	wmic.exe
Token: SeSystemEnvironmentPrivilege	4356	wmic.exe
Token: SeRemoteShutdownPrivilege	4356	wmic.exe
Token: SeUndockPrivilege	4356	wmic.exe
Token: SeManageVolumePrivilege	4356	wmic.exe
Token: 33	4356	wmic.exe
Token: 34	4356	wmic.exe
Token: 35	4356	wmic.exe
Token: 36	4356	wmic.exe
Token: SeIncreaseQuotaPrivilege	4356	wmic.exe
Token: SeSecurityPrivilege	4356	wmic.exe
Token: SeTakeOwnershipPrivilege	4356	wmic.exe
Token: SeLoadDriverPrivilege	4356	wmic.exe
Token: SeSystemProfilePrivilege	4356	wmic.exe
Token: SeSystemtimePrivilege	4356	wmic.exe
Token: SeProfSingleProcessPrivilege	4356	wmic.exe
Token: SeIncBasePriorityPrivilege	4356	wmic.exe
Token: SeCreatePagefilePrivilege	4356	wmic.exe
Token: SeBackupPrivilege	4356	wmic.exe
Token: SeRestorePrivilege	4356	wmic.exe
Token: SeShutdownPrivilege	4356	wmic.exe
Token: SeDebugPrivilege	4356	wmic.exe
Token: SeSystemEnvironmentPrivilege	4356	wmic.exe
Token: SeRemoteShutdownPrivilege	4356	wmic.exe
Token: SeUndockPrivilege	4356	wmic.exe
Token: SeManageVolumePrivilege	4356	wmic.exe
Token: 33	4356	wmic.exe
Token: 34	4356	wmic.exe
Token: 35	4356	wmic.exe
Token: 36	4356	wmic.exe
Token: SeIncreaseQuotaPrivilege	4156	WMIC.exe
Token: SeSecurityPrivilege	4156	WMIC.exe
Token: SeTakeOwnershipPrivilege	4156	WMIC.exe
Token: SeLoadDriverPrivilege	4156	WMIC.exe
Token: SeSystemProfilePrivilege	4156	WMIC.exe
Token: SeSystemtimePrivilege	4156	WMIC.exe
Token: SeProfSingleProcessPrivilege	4156	WMIC.exe
Token: SeIncBasePriorityPrivilege	4156	WMIC.exe
Token: SeCreatePagefilePrivilege	4156	WMIC.exe
Token: SeBackupPrivilege	4156	WMIC.exe
Token: SeRestorePrivilege	4156	WMIC.exe
Token: SeShutdownPrivilege	4156	WMIC.exe
Token: SeDebugPrivilege	4156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4156	WMIC.exe
Token: SeRemoteShutdownPrivilege	4156	WMIC.exe
Token: SeUndockPrivilege	4156	WMIC.exe
Token: SeManageVolumePrivilege	4156	WMIC.exe
Token: 33	4156	WMIC.exe
Token: 34	4156	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 1804	1368	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	84
PID 1368 wrote to memory of 1804	1368	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	84
PID 1368 wrote to memory of 1804	1368	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	84
PID 1804 wrote to memory of 3408	1804	voiceadequovl.exe	88
PID 1804 wrote to memory of 3408	1804	voiceadequovl.exe	88
PID 1804 wrote to memory of 3408	1804	voiceadequovl.exe	88
PID 3408 wrote to memory of 2792	3408	voiceadequovl.exe	91
PID 3408 wrote to memory of 2792	3408	voiceadequovl.exe	91
PID 3408 wrote to memory of 2792	3408	voiceadequovl.exe	91
PID 3408 wrote to memory of 3896	3408	voiceadequovl.exe	96
PID 3408 wrote to memory of 3896	3408	voiceadequovl.exe	96
PID 3408 wrote to memory of 3896	3408	voiceadequovl.exe	96
PID 3896 wrote to memory of 2800	3896	cmd.exe	98
PID 3896 wrote to memory of 2800	3896	cmd.exe	98
PID 3896 wrote to memory of 2800	3896	cmd.exe	98
PID 3408 wrote to memory of 4960	3408	voiceadequovl.exe	99
PID 3408 wrote to memory of 4960	3408	voiceadequovl.exe	99
PID 3408 wrote to memory of 4960	3408	voiceadequovl.exe	99
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 3408 wrote to memory of 4804	3408	voiceadequovl.exe	100
PID 4804 wrote to memory of 4356	4804	voiceadequovl.exe	101
PID 4804 wrote to memory of 4356	4804	voiceadequovl.exe	101
PID 4804 wrote to memory of 4356	4804	voiceadequovl.exe	101
PID 4804 wrote to memory of 2508	4804	voiceadequovl.exe	103
PID 4804 wrote to memory of 2508	4804	voiceadequovl.exe	103
PID 4804 wrote to memory of 2508	4804	voiceadequovl.exe	103
PID 2508 wrote to memory of 4156	2508	cmd.exe	105
PID 2508 wrote to memory of 4156	2508	cmd.exe	105
PID 2508 wrote to memory of 4156	2508	cmd.exe	105
PID 4804 wrote to memory of 4948	4804	voiceadequovl.exe	106
PID 4804 wrote to memory of 4948	4804	voiceadequovl.exe	106
PID 4804 wrote to memory of 4948	4804	voiceadequovl.exe	106
PID 4948 wrote to memory of 4652	4948	cmd.exe	108
PID 4948 wrote to memory of 4652	4948	cmd.exe	108
PID 4948 wrote to memory of 4652	4948	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2792
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:4960
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b0562cf7717426e0f8d5378f68967667

SHA1
aa87e1cf5e0549d94e357ac9d59428caf72ab4b1

SHA256
aa6a23a0187dfb21199ac77d7fcbfb9d072d6ea2a5afce6423b7ba0acd205550

SHA512
b5839c4b110162907f7d614429f703f6a590720dd5cb2c9f91fea7368fd591e3beeecd56635757c0ea8a2cdf76c767cb8a853404ada274395eb1ecc364e31d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
253.2MB

MD5
d1bf960b148f8a72c5f68e4f3e08f868

SHA1
51619b4bb816b0e528be685bd5f00e593d7f802a

SHA256
b51951143066f605fa0ed5cb9acb38c68e8a8ad09c0e18edde35ea273ab1cd93

SHA512
84b6630c06f38d8b5822a05ab3c8b8e14b1cfd7ea92b27208047b1cd92f52ee425cb444deea654a561639ae7849213eceb5056cf72362abc2631a05741052ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
249.1MB

MD5
a541299db67e787c139af97bdf1f4d9c

SHA1
d67e97dbf7dcbb69588bf6263e66d436b8dd11d7

SHA256
28e78502d52ce117b23263b8dad4259b6c08d34edc8ac11bacc8faa9c9ba49ff

SHA512
7e9acf6b5b95e1b42b77f1489b9ee2b620257b239da0d0aa9ff3c35861d7700a5da859909917825cc7521060a045021097c530a83ec53e378a98097ea8fdc1ee

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
231.9MB

MD5
12030647845a3cb23a5a8b25aacec720

SHA1
2ddd9b38ebd1bdad10a906c3714dd238d630125f

SHA256
b3ebe403a689aa53abe2194f5738fca137e1f730ddb39d95351e5dbc16c85eb1

SHA512
6ae679d0f9c5e7cd2fc4ba48e37ca86aec38e9e47739aefc95fb9fe2c245f7f6de2989717a56943fff4ac4d12e13de0118d8a7650f78de9c6f94c7cf487ea9c1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
244.2MB

MD5
bcec1ecf3640a76540f56553eed125ae

SHA1
fa9a2d233a0d83d3a6681414852b4d583295638a

SHA256
70bc9d5dd4a2a52b47645508523a5686dc229885822b3d404aaba3f0a49da6dc

SHA512
ef8f1802845a1b2c4f0cbfc0e627d10ec9aa47148042f28dbdfeaddaa86590105f65f1e8f2d89bf47b7ead04f7ec43dabd8f7e49e08c3e8ea9136bb71c805865

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
141.1MB

MD5
61d1b2da42323ff223b6370832190c35

SHA1
14523d22d11062e456465d8ddfa8cd9ba0d8f5fa

SHA256
d841ce31fc7c53e17e2e43c96681cbbcbfd0d8a6182c8f4010b725045c483281

SHA512
114fa880b1cef1b4c61e4fc6f400948549b512062057018a6ed8ab627a538b3e7a0e27f3733c2d450619c4509c0723554dbf5d2f49850fcee0472c1447987e92

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
134.6MB

MD5
1565807274587c21ee02429e18e57299

SHA1
3767a8c2250bfe013a882b9d11f71d643ab8b7d8

SHA256
28d74fc6076f71633738bba6cd4a8155f64a16faf40ac5dd4d037f177ca5dae4

SHA512
7815c98f2a1fabe8f46e7f9b66156853c49724f2da22202186bf1cb6f8c724ca71fbe3233b8fe5d5907af9020f177fb034d056c11563e9af8b57a5fd202e05e8

Download Submit
memory/2792-142-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/2792-143-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/2792-145-0x0000000005F90000-0x0000000005FAE000-memory.dmp

Filesize
120KB

Download
memory/2792-146-0x00000000077E0000-0x0000000007E5A000-memory.dmp

Filesize
6.5MB

Download
memory/2792-147-0x00000000064B0000-0x00000000064CA000-memory.dmp

Filesize
104KB

Download
memory/2792-144-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/2792-141-0x00000000049E0000-0x0000000004A16000-memory.dmp

Filesize
216KB

Download
memory/2800-173-0x00000000077B0000-0x00000000077B8000-memory.dmp

Filesize
32KB

Download
memory/2800-172-0x00000000077D0000-0x00000000077EA000-memory.dmp

Filesize
104KB

Download
memory/2800-171-0x0000000007760000-0x000000000776E000-memory.dmp

Filesize
56KB

Download
memory/2800-168-0x0000000007870000-0x0000000007906000-memory.dmp

Filesize
600KB

Download
memory/2800-165-0x00000000075A0000-0x00000000075AA000-memory.dmp

Filesize
40KB

Download
memory/2800-164-0x0000000006790000-0x00000000067AE000-memory.dmp

Filesize
120KB

Download
memory/2800-162-0x0000000006840000-0x0000000006872000-memory.dmp

Filesize
200KB

Download
memory/2800-163-0x0000000075320000-0x000000007536C000-memory.dmp

Filesize
304KB

Download
memory/3408-139-0x0000000007370000-0x0000000007392000-memory.dmp

Filesize
136KB

Download
memory/3408-138-0x0000000000B70000-0x00000000012E4000-memory.dmp

Filesize
7.5MB

Download
memory/4804-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4804-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4804-158-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4804-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download