aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

4932 voiceadequovl.exe
4752 voiceadequovl.exe
4832 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4932	voiceadequovl.exe
4752	voiceadequovl.exe
4832	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 4752 set thread context of 4832 4752 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

364 powershell.exe
364 powershell.exe
3412 powershell.exe
3412 powershell.exe

description	pid	process	target process
PID 4752 set thread context of 4832	4752	voiceadequovl.exe	voiceadequovl.exe

pid	process
364	powershell.exe
364	powershell.exe
3412	powershell.exe
3412	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4752	voiceadequovl.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	3412	powershell.exe
Token: SeIncreaseQuotaPrivilege	2372	wmic.exe
Token: SeSecurityPrivilege	2372	wmic.exe
Token: SeTakeOwnershipPrivilege	2372	wmic.exe
Token: SeLoadDriverPrivilege	2372	wmic.exe
Token: SeSystemProfilePrivilege	2372	wmic.exe
Token: SeSystemtimePrivilege	2372	wmic.exe
Token: SeProfSingleProcessPrivilege	2372	wmic.exe
Token: SeIncBasePriorityPrivilege	2372	wmic.exe
Token: SeCreatePagefilePrivilege	2372	wmic.exe
Token: SeBackupPrivilege	2372	wmic.exe
Token: SeRestorePrivilege	2372	wmic.exe
Token: SeShutdownPrivilege	2372	wmic.exe
Token: SeDebugPrivilege	2372	wmic.exe
Token: SeSystemEnvironmentPrivilege	2372	wmic.exe
Token: SeRemoteShutdownPrivilege	2372	wmic.exe
Token: SeUndockPrivilege	2372	wmic.exe
Token: SeManageVolumePrivilege	2372	wmic.exe
Token: 33	2372	wmic.exe
Token: 34	2372	wmic.exe
Token: 35	2372	wmic.exe
Token: 36	2372	wmic.exe
Token: SeIncreaseQuotaPrivilege	2372	wmic.exe
Token: SeSecurityPrivilege	2372	wmic.exe
Token: SeTakeOwnershipPrivilege	2372	wmic.exe
Token: SeLoadDriverPrivilege	2372	wmic.exe
Token: SeSystemProfilePrivilege	2372	wmic.exe
Token: SeSystemtimePrivilege	2372	wmic.exe
Token: SeProfSingleProcessPrivilege	2372	wmic.exe
Token: SeIncBasePriorityPrivilege	2372	wmic.exe
Token: SeCreatePagefilePrivilege	2372	wmic.exe
Token: SeBackupPrivilege	2372	wmic.exe
Token: SeRestorePrivilege	2372	wmic.exe
Token: SeShutdownPrivilege	2372	wmic.exe
Token: SeDebugPrivilege	2372	wmic.exe
Token: SeSystemEnvironmentPrivilege	2372	wmic.exe
Token: SeRemoteShutdownPrivilege	2372	wmic.exe
Token: SeUndockPrivilege	2372	wmic.exe
Token: SeManageVolumePrivilege	2372	wmic.exe
Token: 33	2372	wmic.exe
Token: 34	2372	wmic.exe
Token: 35	2372	wmic.exe
Token: 36	2372	wmic.exe
Token: SeIncreaseQuotaPrivilege	4244	WMIC.exe
Token: SeSecurityPrivilege	4244	WMIC.exe
Token: SeTakeOwnershipPrivilege	4244	WMIC.exe
Token: SeLoadDriverPrivilege	4244	WMIC.exe
Token: SeSystemProfilePrivilege	4244	WMIC.exe
Token: SeSystemtimePrivilege	4244	WMIC.exe
Token: SeProfSingleProcessPrivilege	4244	WMIC.exe
Token: SeIncBasePriorityPrivilege	4244	WMIC.exe
Token: SeCreatePagefilePrivilege	4244	WMIC.exe
Token: SeBackupPrivilege	4244	WMIC.exe
Token: SeRestorePrivilege	4244	WMIC.exe
Token: SeShutdownPrivilege	4244	WMIC.exe
Token: SeDebugPrivilege	4244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4244	WMIC.exe
Token: SeRemoteShutdownPrivilege	4244	WMIC.exe
Token: SeUndockPrivilege	4244	WMIC.exe
Token: SeManageVolumePrivilege	4244	WMIC.exe
Token: 33	4244	WMIC.exe
Token: 34	4244	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 5056 wrote to memory of 4932	5056	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 5056 wrote to memory of 4932	5056	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 5056 wrote to memory of 4932	5056	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4932 wrote to memory of 4752	4932	voiceadequovl.exe	voiceadequovl.exe
PID 4932 wrote to memory of 4752	4932	voiceadequovl.exe	voiceadequovl.exe
PID 4932 wrote to memory of 4752	4932	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 364	4752	voiceadequovl.exe	powershell.exe
PID 4752 wrote to memory of 364	4752	voiceadequovl.exe	powershell.exe
PID 4752 wrote to memory of 364	4752	voiceadequovl.exe	powershell.exe
PID 4752 wrote to memory of 3968	4752	voiceadequovl.exe	cmd.exe
PID 4752 wrote to memory of 3968	4752	voiceadequovl.exe	cmd.exe
PID 4752 wrote to memory of 3968	4752	voiceadequovl.exe	cmd.exe
PID 3968 wrote to memory of 3412	3968	cmd.exe	powershell.exe
PID 3968 wrote to memory of 3412	3968	cmd.exe	powershell.exe
PID 3968 wrote to memory of 3412	3968	cmd.exe	powershell.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4752 wrote to memory of 4832	4752	voiceadequovl.exe	voiceadequovl.exe
PID 4832 wrote to memory of 2372	4832	voiceadequovl.exe	wmic.exe
PID 4832 wrote to memory of 2372	4832	voiceadequovl.exe	wmic.exe
PID 4832 wrote to memory of 2372	4832	voiceadequovl.exe	wmic.exe
PID 4832 wrote to memory of 1744	4832	voiceadequovl.exe	cmd.exe
PID 4832 wrote to memory of 1744	4832	voiceadequovl.exe	cmd.exe
PID 4832 wrote to memory of 1744	4832	voiceadequovl.exe	cmd.exe
PID 1744 wrote to memory of 4244	1744	cmd.exe	WMIC.exe
PID 1744 wrote to memory of 4244	1744	cmd.exe	WMIC.exe
PID 1744 wrote to memory of 4244	1744	cmd.exe	WMIC.exe
PID 4832 wrote to memory of 2632	4832	voiceadequovl.exe	cmd.exe
PID 4832 wrote to memory of 2632	4832	voiceadequovl.exe	cmd.exe
PID 4832 wrote to memory of 2632	4832	voiceadequovl.exe	cmd.exe
PID 2632 wrote to memory of 4040	2632	cmd.exe	WMIC.exe
PID 2632 wrote to memory of 4040	2632	cmd.exe	WMIC.exe
PID 2632 wrote to memory of 4040	2632	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:364
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4832
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d55708f524ad20f7667ea648834dc5e4

SHA1
cd2098687980d6ad1a7c9920137a4ba3adb33eb1

SHA256
b9c0f29915c4248d29851ae01ee2dca41cca9cd00c364773004f03eee197631c

SHA512
ecff98b278cb5ebdf4c8e371306ca246eb5fc8ccd2cb1ca06029dfa87e875e7155dcdc436ac7c99c2e672e92da1dbb00ed614a2297f488c6366d057ee149baca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
357.9MB

MD5
1e227bacc822184e779269133dcdb98e

SHA1
7ce176d151fc693c9fcdcdbfd4f94df569c8eff4

SHA256
a9644f45948e070130c240121c79d18859a187b2c666b8dc16606ee9b2f6bc17

SHA512
ca90bd6bbe8e5ac949bdcb1c6953a82b37af012ba72e00211671b16882bd502d5353d606725d1cdd4bd22ed8b8be56ad92bf2afe7c8c49bb1aadfd4e3af17b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
361.7MB

MD5
7c6a4e1eb6e6ddd7617c99de6d69ae81

SHA1
1da1799bd13763a4c95b8dac08bf18a9734b9d1d

SHA256
1f14389c2c095be76bce5dd6ab7e75c4c1a90095adaad5fcf4094b940f1074ca

SHA512
5d426feac13a630950a9d5b4a6826636486e70aad53c33a8e2c6c5fcfbbd05ecdddd0993c27cbaba580943084c7b9c9fd04190973f050327dedd3da1de4709f1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
298.2MB

MD5
b542a9aa218feeb8a20c636e514151e6

SHA1
c74b981914a59278ce507822ef3302f42ec1a446

SHA256
746988aab6213de3f769afc69bef85604afa3901b8dd1d3915b2f968451c2a5b

SHA512
5ad78475b7cb28b10b5f8a5a64d86af92fa64d186d506a67fe06fe601c00b0dfbd95f2b2a8925508604b3b67e8967796cfbfd0df831f1841e218560d73986c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
322.7MB

MD5
4a37923ef6cb704cc6f4f610e5515ec7

SHA1
a6dfc6f36be7882f7a41534d9bf7f93239cbc8fd

SHA256
f08b7a8601828cefad02a5821c5a40d8cd7e98d37ae509f8ab0fa2d3ccd45900

SHA512
e56fccacb278b48cde350a691c98b7a3978505b9a4fc56f29f17a14afcb9b8ab46db130155efb6b29e83b4ba154640e76593139ed48043f38f85ab316f69f9d3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
159.6MB

MD5
65913b08d91b544c74e20f9157ff36ca

SHA1
6f006894563a4a7ca41056b65327cb5659ceecbd

SHA256
1ebcc47fc52c1f015f5cee56e0d11f6483d80e6f794fab4432166d7c5ed8f5d4

SHA512
d0985a4fe4c2a908a8505e4c59cde9e4fdb1c41a0d70f2b41634da54264e2eae7f686c953b425b99136b581d9d69000d595f37358272821880269368d6e76698

Download Submit
memory/364-140-0x0000000000000000-mapping.dmp

Download
memory/364-141-0x0000000003090000-0x00000000030C6000-memory.dmp

Filesize
216KB

Download
memory/364-142-0x00000000057A0000-0x0000000005DC8000-memory.dmp

Filesize
6.2MB

Download
memory/364-143-0x0000000005ED0000-0x0000000005F36000-memory.dmp

Filesize
408KB

Download
memory/364-144-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/364-145-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/364-146-0x0000000007CC0000-0x000000000833A000-memory.dmp

Filesize
6.5MB

Download
memory/364-147-0x0000000006B40000-0x0000000006B5A000-memory.dmp

Filesize
104KB

Download
memory/1744-164-0x0000000000000000-mapping.dmp

Download
memory/2372-162-0x0000000000000000-mapping.dmp

Download
memory/2632-167-0x0000000000000000-mapping.dmp

Download
memory/3412-163-0x0000000007120000-0x000000000712A000-memory.dmp

Filesize
40KB

Download
memory/3412-165-0x0000000007370000-0x0000000007406000-memory.dmp

Filesize
600KB

Download
memory/3412-171-0x00000000072B0000-0x00000000072B8000-memory.dmp

Filesize
32KB

Download
memory/3412-170-0x00000000072D0000-0x00000000072EA000-memory.dmp

Filesize
104KB

Download
memory/3412-169-0x0000000005BF0000-0x0000000005BFE000-memory.dmp

Filesize
56KB

Download
memory/3412-149-0x0000000000000000-mapping.dmp

Download
memory/3412-159-0x0000000006D40000-0x0000000006D72000-memory.dmp

Filesize
200KB

Download
memory/3412-160-0x00000000739E0000-0x0000000073A2C000-memory.dmp

Filesize
304KB

Download
memory/3412-161-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/3968-148-0x0000000000000000-mapping.dmp

Download
memory/4040-168-0x0000000000000000-mapping.dmp

Download
memory/4244-166-0x0000000000000000-mapping.dmp

Download
memory/4752-138-0x00000000007B0000-0x0000000000F24000-memory.dmp

Filesize
7.5MB

Download
memory/4752-139-0x0000000006E70000-0x0000000006E92000-memory.dmp

Filesize
136KB

Download
memory/4752-135-0x0000000000000000-mapping.dmp

Download
memory/4832-152-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4832-156-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4832-155-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4832-151-0x0000000000000000-mapping.dmp

Download
memory/4832-172-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4932-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads