aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

4352 voiceadequovl.exe
2992 voiceadequovl.exe
4076 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4352	voiceadequovl.exe
2992	voiceadequovl.exe
4076	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 2992 set thread context of 4076 2992 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1680 powershell.exe
1680 powershell.exe
4552 powershell.exe
4552 powershell.exe

description	pid	process	target process
PID 2992 set thread context of 4076	2992	voiceadequovl.exe	voiceadequovl.exe

pid	process
1680	powershell.exe
1680	powershell.exe
4552	powershell.exe
4552	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2992	voiceadequovl.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeIncreaseQuotaPrivilege	3948	wmic.exe
Token: SeSecurityPrivilege	3948	wmic.exe
Token: SeTakeOwnershipPrivilege	3948	wmic.exe
Token: SeLoadDriverPrivilege	3948	wmic.exe
Token: SeSystemProfilePrivilege	3948	wmic.exe
Token: SeSystemtimePrivilege	3948	wmic.exe
Token: SeProfSingleProcessPrivilege	3948	wmic.exe
Token: SeIncBasePriorityPrivilege	3948	wmic.exe
Token: SeCreatePagefilePrivilege	3948	wmic.exe
Token: SeBackupPrivilege	3948	wmic.exe
Token: SeRestorePrivilege	3948	wmic.exe
Token: SeShutdownPrivilege	3948	wmic.exe
Token: SeDebugPrivilege	3948	wmic.exe
Token: SeSystemEnvironmentPrivilege	3948	wmic.exe
Token: SeRemoteShutdownPrivilege	3948	wmic.exe
Token: SeUndockPrivilege	3948	wmic.exe
Token: SeManageVolumePrivilege	3948	wmic.exe
Token: 33	3948	wmic.exe
Token: 34	3948	wmic.exe
Token: 35	3948	wmic.exe
Token: 36	3948	wmic.exe
Token: SeIncreaseQuotaPrivilege	3948	wmic.exe
Token: SeSecurityPrivilege	3948	wmic.exe
Token: SeTakeOwnershipPrivilege	3948	wmic.exe
Token: SeLoadDriverPrivilege	3948	wmic.exe
Token: SeSystemProfilePrivilege	3948	wmic.exe
Token: SeSystemtimePrivilege	3948	wmic.exe
Token: SeProfSingleProcessPrivilege	3948	wmic.exe
Token: SeIncBasePriorityPrivilege	3948	wmic.exe
Token: SeCreatePagefilePrivilege	3948	wmic.exe
Token: SeBackupPrivilege	3948	wmic.exe
Token: SeRestorePrivilege	3948	wmic.exe
Token: SeShutdownPrivilege	3948	wmic.exe
Token: SeDebugPrivilege	3948	wmic.exe
Token: SeSystemEnvironmentPrivilege	3948	wmic.exe
Token: SeRemoteShutdownPrivilege	3948	wmic.exe
Token: SeUndockPrivilege	3948	wmic.exe
Token: SeManageVolumePrivilege	3948	wmic.exe
Token: 33	3948	wmic.exe
Token: 34	3948	wmic.exe
Token: 35	3948	wmic.exe
Token: 36	3948	wmic.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe
Token: 33	2484	WMIC.exe
Token: 34	2484	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 4964 wrote to memory of 4352	4964	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4964 wrote to memory of 4352	4964	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4964 wrote to memory of 4352	4964	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4352 wrote to memory of 2992	4352	voiceadequovl.exe	voiceadequovl.exe
PID 4352 wrote to memory of 2992	4352	voiceadequovl.exe	voiceadequovl.exe
PID 4352 wrote to memory of 2992	4352	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 1680	2992	voiceadequovl.exe	powershell.exe
PID 2992 wrote to memory of 1680	2992	voiceadequovl.exe	powershell.exe
PID 2992 wrote to memory of 1680	2992	voiceadequovl.exe	powershell.exe
PID 2992 wrote to memory of 2848	2992	voiceadequovl.exe	cmd.exe
PID 2992 wrote to memory of 2848	2992	voiceadequovl.exe	cmd.exe
PID 2992 wrote to memory of 2848	2992	voiceadequovl.exe	cmd.exe
PID 2848 wrote to memory of 4552	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 4552	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 4552	2848	cmd.exe	powershell.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 2992 wrote to memory of 4076	2992	voiceadequovl.exe	voiceadequovl.exe
PID 4076 wrote to memory of 3948	4076	voiceadequovl.exe	wmic.exe
PID 4076 wrote to memory of 3948	4076	voiceadequovl.exe	wmic.exe
PID 4076 wrote to memory of 3948	4076	voiceadequovl.exe	wmic.exe
PID 4076 wrote to memory of 4064	4076	voiceadequovl.exe	cmd.exe
PID 4076 wrote to memory of 4064	4076	voiceadequovl.exe	cmd.exe
PID 4076 wrote to memory of 4064	4076	voiceadequovl.exe	cmd.exe
PID 4064 wrote to memory of 2484	4064	cmd.exe	WMIC.exe
PID 4064 wrote to memory of 2484	4064	cmd.exe	WMIC.exe
PID 4064 wrote to memory of 2484	4064	cmd.exe	WMIC.exe
PID 4076 wrote to memory of 2416	4076	voiceadequovl.exe	cmd.exe
PID 4076 wrote to memory of 2416	4076	voiceadequovl.exe	cmd.exe
PID 4076 wrote to memory of 2416	4076	voiceadequovl.exe	cmd.exe
PID 2416 wrote to memory of 4720	2416	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 4720	2416	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 4720	2416	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:4064

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
c74427c043bea9cdb6e608b4a03fee8f

SHA1
491e76a2d2238f9dfb7e9cbbaccd63374b4afc0e

SHA256
e914d792652d8c41397fa5f083368cabf90665bcc0b971f8cd0175e68792db34

SHA512
aec01c1cbf71d3b26bdfbd1a36cdb4012d4bca85d77e430cf1c7c14caa561ace94bdc26015d5b6014b4a2f0e4d28328a592f89e0133650205b1fb877843fa9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
329.5MB

MD5
9615379a6594fc53787b8f8010271f17

SHA1
a26b28ce92ffd1203f449660b4ccdd0313238595

SHA256
3a36472842cc825b171b73c7cdc594ef9d75852d2b0d3eb55881c4f261dfe7ca

SHA512
6ee05b596d07039a7a7c04d0cf12175a4784321847df7503b0ed2c732af078d9d7cc8a6ebe0d599d4ef6b43cc8631eeb03c3bb52310998fdb88a363497de4a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
329.0MB

MD5
c35fe6646759afbc26df4a4279099a71

SHA1
484497ea48669606ac46d2473ca50d5a442f747e

SHA256
bf9d318a5f3d1713e79138202b5d03de59f36a79053bc55c079fe59efb2bcf04

SHA512
1a701f84a42e7899495fe4a915217d69c6d8c03f62638ef8f875d1b3bd9ce6178be6e2d3cd4a6892b5fe531bac45073028d429c531d2cd22325973061eab9c2e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
303.9MB

MD5
964750f45003e69c4d6c78a23f5eacf2

SHA1
8680f3ae88ef5f9e9a800b99912a8f49c9059f68

SHA256
8327deacb5eb8b901f82f3e0c88581c60cd77aa619aa5c1bc86bf310e6e5033d

SHA512
4c7e83af9754b08c514376d5ba29255d13753c7f75093fe13ef5c87cdc168f83efeafd94ac552113255da9be8961a79e6f3496f916706c919ea96ad403156931

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
309.4MB

MD5
ead1cadad67b946e26cadf245dfd6b70

SHA1
2b1faa70dc3605668e4333ed7c8f7fc4df6cc5de

SHA256
4af75367d561731549481a04dcdeeed30eadcf0be1bce8545b1a351ff9d154f1

SHA512
64f39c0da86f21219decb28f6afefe31b648fd6069858a008bf2630f928baeab9e94102d7ed88b59a9422f72eb1fd290e37f2b64bd1ab689fed4670f02f766d9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
221.6MB

MD5
7fad85a51a95f2b2695ed1bf86f787f4

SHA1
3188deea2cf708931445751ab604164c063fe595

SHA256
de6b66c0584abf8cdb354fd2cfe041d051a7ce802d5521bd8d563a8e6530fbe4

SHA512
e7d1535e798aa47880c896e51dfd0f4dd08c836dfcecc122d24d0e6ec72dbc6db89b26bb78a7e1ce92f54a5424434c3ac385e0a7a7865a0674f8a9d548cf3f50

Download Submit
memory/1680-144-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/1680-147-0x0000000006270000-0x000000000628A000-memory.dmp

Filesize
104KB

Download
memory/1680-142-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/1680-143-0x0000000004FC0000-0x0000000005026000-memory.dmp

Filesize
408KB

Download
memory/1680-140-0x0000000000000000-mapping.dmp

Download
memory/1680-145-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/1680-146-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/1680-141-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/2416-171-0x0000000000000000-mapping.dmp

Download
memory/2484-170-0x0000000000000000-mapping.dmp

Download
memory/2848-148-0x0000000000000000-mapping.dmp

Download
memory/2992-139-0x0000000007460000-0x0000000007482000-memory.dmp

Filesize
136KB

Download
memory/2992-138-0x0000000000DA0000-0x0000000001514000-memory.dmp

Filesize
7.5MB

Download
memory/2992-135-0x0000000000000000-mapping.dmp

Download
memory/3948-168-0x0000000000000000-mapping.dmp

Download
memory/4064-169-0x0000000000000000-mapping.dmp

Download
memory/4076-152-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4076-167-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4076-173-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4076-151-0x0000000000000000-mapping.dmp

Download
memory/4076-158-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4076-155-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4352-132-0x0000000000000000-mapping.dmp

Download
memory/4552-162-0x0000000007BF0000-0x0000000007BFA000-memory.dmp

Filesize
40KB

Download
memory/4552-165-0x0000000007DC0000-0x0000000007DDA000-memory.dmp

Filesize
104KB

Download
memory/4552-166-0x0000000007D80000-0x0000000007D88000-memory.dmp

Filesize
32KB

Download
memory/4552-164-0x00000000066B0000-0x00000000066BE000-memory.dmp

Filesize
56KB

Download
memory/4552-163-0x0000000007E40000-0x0000000007ED6000-memory.dmp

Filesize
600KB

Download
memory/4552-161-0x0000000006D90000-0x0000000006DAE000-memory.dmp

Filesize
120KB

Download
memory/4552-160-0x0000000075640000-0x000000007568C000-memory.dmp

Filesize
304KB

Download
memory/4552-149-0x0000000000000000-mapping.dmp

Download
memory/4552-159-0x0000000006DF0000-0x0000000006E22000-memory.dmp

Filesize
200KB

Download
memory/4720-172-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads