aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
63s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 6 IoCs

pid	Process
2524	voiceadequovl.exe
2132	voiceadequovl.exe
4732	voiceadequovl.exe
4276	voiceadequovl.exe
5096	voiceadequovl.exe
4436	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2132 set thread context of 4436	2132	voiceadequovl.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
696	powershell.exe
696	powershell.exe
2132	voiceadequovl.exe
2132	voiceadequovl.exe
2132	voiceadequovl.exe
2132	voiceadequovl.exe
1084	powershell.exe
2132	voiceadequovl.exe
2132	voiceadequovl.exe
1084	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2132	voiceadequovl.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeIncreaseQuotaPrivilege	3932	wmic.exe
Token: SeSecurityPrivilege	3932	wmic.exe
Token: SeTakeOwnershipPrivilege	3932	wmic.exe
Token: SeLoadDriverPrivilege	3932	wmic.exe
Token: SeSystemProfilePrivilege	3932	wmic.exe
Token: SeSystemtimePrivilege	3932	wmic.exe
Token: SeProfSingleProcessPrivilege	3932	wmic.exe
Token: SeIncBasePriorityPrivilege	3932	wmic.exe
Token: SeCreatePagefilePrivilege	3932	wmic.exe
Token: SeBackupPrivilege	3932	wmic.exe
Token: SeRestorePrivilege	3932	wmic.exe
Token: SeShutdownPrivilege	3932	wmic.exe
Token: SeDebugPrivilege	3932	wmic.exe
Token: SeSystemEnvironmentPrivilege	3932	wmic.exe
Token: SeRemoteShutdownPrivilege	3932	wmic.exe
Token: SeUndockPrivilege	3932	wmic.exe
Token: SeManageVolumePrivilege	3932	wmic.exe
Token: 33	3932	wmic.exe
Token: 34	3932	wmic.exe
Token: 35	3932	wmic.exe
Token: 36	3932	wmic.exe
Token: SeIncreaseQuotaPrivilege	3932	wmic.exe
Token: SeSecurityPrivilege	3932	wmic.exe
Token: SeTakeOwnershipPrivilege	3932	wmic.exe
Token: SeLoadDriverPrivilege	3932	wmic.exe
Token: SeSystemProfilePrivilege	3932	wmic.exe
Token: SeSystemtimePrivilege	3932	wmic.exe
Token: SeProfSingleProcessPrivilege	3932	wmic.exe
Token: SeIncBasePriorityPrivilege	3932	wmic.exe
Token: SeCreatePagefilePrivilege	3932	wmic.exe
Token: SeBackupPrivilege	3932	wmic.exe
Token: SeRestorePrivilege	3932	wmic.exe
Token: SeShutdownPrivilege	3932	wmic.exe
Token: SeDebugPrivilege	3932	wmic.exe
Token: SeSystemEnvironmentPrivilege	3932	wmic.exe
Token: SeRemoteShutdownPrivilege	3932	wmic.exe
Token: SeUndockPrivilege	3932	wmic.exe
Token: SeManageVolumePrivilege	3932	wmic.exe
Token: 33	3932	wmic.exe
Token: 34	3932	wmic.exe
Token: 35	3932	wmic.exe
Token: 36	3932	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 2524	5116	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 5116 wrote to memory of 2524	5116	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 5116 wrote to memory of 2524	5116	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 2524 wrote to memory of 2132	2524	voiceadequovl.exe	82
PID 2524 wrote to memory of 2132	2524	voiceadequovl.exe	82
PID 2524 wrote to memory of 2132	2524	voiceadequovl.exe	82
PID 2132 wrote to memory of 696	2132	voiceadequovl.exe	84
PID 2132 wrote to memory of 696	2132	voiceadequovl.exe	84
PID 2132 wrote to memory of 696	2132	voiceadequovl.exe	84
PID 2132 wrote to memory of 960	2132	voiceadequovl.exe	93
PID 2132 wrote to memory of 960	2132	voiceadequovl.exe	93
PID 2132 wrote to memory of 960	2132	voiceadequovl.exe	93
PID 960 wrote to memory of 1084	960	cmd.exe	95
PID 960 wrote to memory of 1084	960	cmd.exe	95
PID 960 wrote to memory of 1084	960	cmd.exe	95
PID 2132 wrote to memory of 4732	2132	voiceadequovl.exe	99
PID 2132 wrote to memory of 4732	2132	voiceadequovl.exe	99
PID 2132 wrote to memory of 4732	2132	voiceadequovl.exe	99
PID 2132 wrote to memory of 4276	2132	voiceadequovl.exe	96
PID 2132 wrote to memory of 4276	2132	voiceadequovl.exe	96
PID 2132 wrote to memory of 4276	2132	voiceadequovl.exe	96
PID 2132 wrote to memory of 5096	2132	voiceadequovl.exe	97
PID 2132 wrote to memory of 5096	2132	voiceadequovl.exe	97
PID 2132 wrote to memory of 5096	2132	voiceadequovl.exe	97
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 2132 wrote to memory of 4436	2132	voiceadequovl.exe	98
PID 4436 wrote to memory of 3932	4436	voiceadequovl.exe	100
PID 4436 wrote to memory of 3932	4436	voiceadequovl.exe	100
PID 4436 wrote to memory of 3932	4436	voiceadequovl.exe	100

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:960
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:4276
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:5096
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:2252
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:4088
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:3236
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1684
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:4732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
5d17cd4016745c621485b70b6bceb220

SHA1
5350cc417607d5b6dfb289f1225f78ba1cd80c39

SHA256
4d515690e1c7f8c4c21c2e82904a0399e252c1e39b95fe9e942e999167a1f6db

SHA512
df6c16a825427ff081578f7ad61d69a09d8f1ed88ec2897907d1c46d6492c15ecfe6eedb651691e5f5207853da640ea707392f9faf60cf841dc5b41e532f3f56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
335.4MB

MD5
7cf2c658444399ac8d941205e5d8d9fa

SHA1
38ed65a18bed55dfb52407dbbbb7996c093a77f6

SHA256
e1a4121693797589ae9692a36ad272c8014389b87a0c75399f9f0b528c430b1c

SHA512
eb8d31d63c3e945727074b3f526f896b49ca88a6539ec1d9d8928dc8bb05d141243becc1edda58c55c9443338d63b94d49dfb71e851992d896aee717b295117e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
292.9MB

MD5
c5ffeb61f563d0aa4b1e4331ae802694

SHA1
3678c339eda1c0911472d09f372dd85e5215ad04

SHA256
5b4da4825079080923780f8b4251a36454a780a1d89de8cc46bb8c519abe2ad0

SHA512
f8545235f74f65f2eb57236a318d0234e0d24dc6d24b7918aae5c6da00c24caee1b97756c131fb3e1f3df170158fe25219b25281ef6661fd27b3601397540dec

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.9MB

MD5
f0249ecd7d3fae39a17ed9eda55ae8c4

SHA1
47f6fd344d1c30c9836c18ffe3021e6f903d40bc

SHA256
50005026ec51f2b7647b900245a7f28d92faa0771cad46a8984a9cdbff66f5e3

SHA512
bc37f8923eba466af59064c72c2746adec47fb96e7587c2de8d416b987cbb7d89e8d77c52b57e6fc90dd04feee8bb5c15b3622eaf5e714651005f108d2f733c2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
234.8MB

MD5
d1566014d81dec1e3111d38fee4d2853

SHA1
afdb9f89eca600518e4b9283653577a3fda57676

SHA256
954bd5f4b4ff75d9427e975a373bf44d7b4487c9d1fc90c59b970ebc0d5c0fe5

SHA512
452785418863cb786ef429ae417ac50c4321e10826958b3a0cbf43895f58ba00b377580a455457d24b906dee797fbe3b6c3c6ab164e9b792e50995c95a7b8bbf

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
211.8MB

MD5
9ed9651d012f3848dbdb36caf1be23e7

SHA1
940bd78348e453bdf0a56c8fbdb17e3d5365a526

SHA256
d09f066049fd3414c578612d7a41c7cba3be38d41ec250eb17644b36043b1d02

SHA512
d9e1fb6ca800203c7a53d9a28c146dabcd14d02fad97427d22ac002cc413bd84b487ad6793275567c5427fb5a85fae1211d6e2e7951decb5099d163db3ac1eb5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
231.4MB

MD5
e5209db00fddaef1e1f3ecaed07e0e0d

SHA1
03f93dd969dad06fb6737e30fbae2ed61e6dcc5b

SHA256
b7fee327fd5e89191338053d9c6f28593f3a623bf00252c4f5027d62af517674

SHA512
9a5ccec56f5e33276cfc76617f232974154694a52d85944e80eade84118144f9e624725051ee3c99bcabcd9504564f59be2327de37777490ae921ce4741cc5a7

Download Submit
memory/696-142-0x0000000005D90000-0x00000000063B8000-memory.dmp

Filesize
6.2MB

Download
memory/696-144-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/696-145-0x00000000068A0000-0x00000000068BE000-memory.dmp

Filesize
120KB

Download
memory/696-146-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/696-147-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/696-143-0x0000000005A80000-0x0000000005AE6000-memory.dmp

Filesize
408KB

Download
memory/696-141-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/1084-166-0x0000000073DC0000-0x0000000073E0C000-memory.dmp

Filesize
304KB

Download
memory/1084-165-0x00000000069C0000-0x00000000069F2000-memory.dmp

Filesize
200KB

Download
memory/1084-177-0x0000000007A30000-0x0000000007A38000-memory.dmp

Filesize
32KB

Download
memory/1084-176-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/1084-174-0x0000000007870000-0x000000000787E000-memory.dmp

Filesize
56KB

Download
memory/1084-169-0x0000000007890000-0x000000000789A000-memory.dmp

Filesize
40KB

Download
memory/1084-167-0x0000000006960000-0x000000000697E000-memory.dmp

Filesize
120KB

Download
memory/1084-170-0x0000000007A90000-0x0000000007B26000-memory.dmp

Filesize
600KB

Download
memory/2132-138-0x0000000000810000-0x0000000000F84000-memory.dmp

Filesize
7.5MB

Download
memory/2132-139-0x0000000006ED0000-0x0000000006EF2000-memory.dmp

Filesize
136KB

Download
memory/4436-163-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4436-161-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4436-158-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4436-178-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download