aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2023, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 2 IoCs

pid	Process
4940	voiceadequovl.exe
2428	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4232	powershell.exe
4232	powershell.exe
744	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	voiceadequovl.exe
Token: SeDebugPrivilege	4232	powershell.exe
Token: SeDebugPrivilege	744	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 4940	2608	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	82
PID 2608 wrote to memory of 4940	2608	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	82
PID 2608 wrote to memory of 4940	2608	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	82
PID 4940 wrote to memory of 2428	4940	voiceadequovl.exe	90
PID 4940 wrote to memory of 2428	4940	voiceadequovl.exe	90
PID 4940 wrote to memory of 2428	4940	voiceadequovl.exe	90
PID 2428 wrote to memory of 4232	2428	voiceadequovl.exe	92
PID 2428 wrote to memory of 4232	2428	voiceadequovl.exe	92
PID 2428 wrote to memory of 4232	2428	voiceadequovl.exe	92
PID 2428 wrote to memory of 2272	2428	voiceadequovl.exe	94
PID 2428 wrote to memory of 2272	2428	voiceadequovl.exe	94
PID 2428 wrote to memory of 2272	2428	voiceadequovl.exe	94
PID 2272 wrote to memory of 744	2272	cmd.exe	96
PID 2272 wrote to memory of 744	2272	cmd.exe	96
PID 2272 wrote to memory of 744	2272	cmd.exe	96
PID 2428 wrote to memory of 3436	2428	voiceadequovl.exe	97
PID 2428 wrote to memory of 3436	2428	voiceadequovl.exe	97
PID 2428 wrote to memory of 3436	2428	voiceadequovl.exe	97

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:3436
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:3968
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:3960
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:2260
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:2632
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:3764
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1160
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:3664
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:3636
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:4892
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:3016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
1229c0f4bf698982a7270d6c2b0b8cf2

SHA1
35fc2930af3ae7f65739df3f1b9b740c6ef75a9f

SHA256
1c5b5118ffdc09def2d97a99d69ad0ed9f7e2fe5cf1b754e168856948dd70e89

SHA512
f122e521a25322cdc7be93fe6f75d7f9380186f1ae0d92e5613f78c513638fe03af1157d980654f80d3ee3aa000a5c834f86c99450e54362ba11715fb2749191

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
369.8MB

MD5
14a9737eb666769fee7c28a00eb14e82

SHA1
ab8f2279f13a546fc32233a4da0855660fb07ec0

SHA256
a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a

SHA512
973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
369.8MB

MD5
14a9737eb666769fee7c28a00eb14e82

SHA1
ab8f2279f13a546fc32233a4da0855660fb07ec0

SHA256
a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a

SHA512
973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
14.7MB

MD5
27b402ac3b1973d6d1686622aa72335f

SHA1
a203105186f310936b4d4d01acdd563ea1270a9d

SHA256
70d17914d3c328aaf1ad52def13dbc874cc233c5c125df9fbe9db33dcdea9b56

SHA512
2882b107406ba765588c17e94acaf98cec70072adb218beb58759bdf5940676ae4bb2c2b8abd6c58281bac1d52b557a221278b2defad9b1bf65f42aa605f9166

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
16.4MB

MD5
1ca6d5284e8bd0d5d6be84f53ffc895b

SHA1
e3458b4091596bf2e3391782ef6f7449ca4d019c

SHA256
3f6fcd0ab8e3ab7f4dc7dea582874d01bdd3c825bd4c1003ab7c73a682e99134

SHA512
8b4e4239e3353a7ba422147dcef63130ef55651342a7a7b1f6b0cb427bbc46fe34633daec6b20d4e86610f2626a21ec22174289d8c7b24a3d777c3b5752e373e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
15.7MB

MD5
5b0eacbdcd2e9dedd6c0b270bce60d58

SHA1
b4b83affe55e9e4669dfc5f4870f463c9f16d6bf

SHA256
8d7f928399399504c69d17202ca01e9cc60515eedef7735f6e9f02d093f4e904

SHA512
30e43ca474554d3de72bcf366f5ce08cba4eab4e8590a2f237a8842140b81b48cbaf6a668cbdcef54a1dd975104c1cea837c0238d1dabcca0f5bc988b9f60b22

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
14.6MB

MD5
dabab2091d1c00edc48ea60b0a7a6375

SHA1
b6e935b01548d5b86ed202d3d1976244a22d17a5

SHA256
8241199c476a0789862f7ac440e4d96eb83c5cf60f2dcb536ee535c71e604776

SHA512
245d854570808901134084ae08153e4c951f35cfeb1d282246d7cc82be6faed35ef2fb0585fed34803366ec994e59a0eb2bd04d6882192182fc9576d4f9b431e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
15.8MB

MD5
f1de4519b83c72278ed1e303b93520e5

SHA1
08dca1c47551437174220acd6fcbe0dd99b2c250

SHA256
9f6ed88eaa3081b67d113148d1baadba8d8d3ed83d162aae87cb1f9f180139f8

SHA512
e2dc1d3b8b343507fae25e6208cadd7355c3a9fa6cf4a4402945c76f767b06423d33cfa16fff349b5f0cdfc5229cc49e84b6e4a18ebdee8f0c46349edb8ec29e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
15.2MB

MD5
9305230305716490498c624e0f2a80c5

SHA1
75218f12c6b02eca0a2f2f28d7a01817d913bf0b

SHA256
c356b517550363de477f5d7e61d88d86633f7a7ee8ccda3b850845be59430035

SHA512
e913434b3ac7c8337115c45a046e7c64f7eec580a5292e37c6e5188a72858084ef8fca814a1c75f1c514cd9d8c247a74bc192d90f09005e6de110440b7597cc1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
14.6MB

MD5
1d5fbd0408a07bb9ffeae195a962e9b7

SHA1
a48a8f16bbddf848971c523c5a5e8f87478302d4

SHA256
5c7517fc4d98a70a1f513a638225fc5fae6e45e24ee887bcb74babd0e88e5051

SHA512
3f7b1d96adf100651f2892d2bccc6a7059a0f5256ca7e129bc0182667d23903e7aa58430bca205151bec2eecb56e880891b3202f79ca12de0a572a97666d1d6f

Download Submit
memory/744-170-0x00000000070E0000-0x0000000007112000-memory.dmp

Filesize
200KB

Download
memory/744-180-0x0000000007600000-0x0000000007608000-memory.dmp

Filesize
32KB

Download
memory/744-179-0x0000000007620000-0x000000000763A000-memory.dmp

Filesize
104KB

Download
memory/744-177-0x0000000006030000-0x000000000603E000-memory.dmp

Filesize
56KB

Download
memory/744-175-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/744-174-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/744-171-0x00000000703C0000-0x000000007040C000-memory.dmp

Filesize
304KB

Download
memory/744-172-0x00000000065E0000-0x00000000065FE000-memory.dmp

Filesize
120KB

Download
memory/2428-139-0x00000000059B0000-0x00000000059D2000-memory.dmp

Filesize
136KB

Download
memory/2428-138-0x00000000009E0000-0x0000000001154000-memory.dmp

Filesize
7.5MB

Download
memory/3764-173-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3764-168-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3764-165-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4232-143-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/4232-144-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/4232-142-0x0000000005360000-0x0000000005988000-memory.dmp

Filesize
6.2MB

Download
memory/4232-145-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/4232-147-0x00000000066B0000-0x00000000066CA000-memory.dmp

Filesize
104KB

Download
memory/4232-146-0x0000000007840000-0x0000000007EBA000-memory.dmp

Filesize
6.5MB

Download
memory/4232-141-0x0000000002BE0000-0x0000000002C16000-memory.dmp

Filesize
216KB

Download