aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2023, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 3 IoCs

pid	Process
3752	voiceadequovl.exe
4320	voiceadequovl.exe
2728	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 2728	4320	voiceadequovl.exe	95

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2528	powershell.exe
2528	powershell.exe
4212	powershell.exe
4212	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	voiceadequovl.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeIncreaseQuotaPrivilege	4952	wmic.exe
Token: SeSecurityPrivilege	4952	wmic.exe
Token: SeTakeOwnershipPrivilege	4952	wmic.exe
Token: SeLoadDriverPrivilege	4952	wmic.exe
Token: SeSystemProfilePrivilege	4952	wmic.exe
Token: SeSystemtimePrivilege	4952	wmic.exe
Token: SeProfSingleProcessPrivilege	4952	wmic.exe
Token: SeIncBasePriorityPrivilege	4952	wmic.exe
Token: SeCreatePagefilePrivilege	4952	wmic.exe
Token: SeBackupPrivilege	4952	wmic.exe
Token: SeRestorePrivilege	4952	wmic.exe
Token: SeShutdownPrivilege	4952	wmic.exe
Token: SeDebugPrivilege	4952	wmic.exe
Token: SeSystemEnvironmentPrivilege	4952	wmic.exe
Token: SeRemoteShutdownPrivilege	4952	wmic.exe
Token: SeUndockPrivilege	4952	wmic.exe
Token: SeManageVolumePrivilege	4952	wmic.exe
Token: 33	4952	wmic.exe
Token: 34	4952	wmic.exe
Token: 35	4952	wmic.exe
Token: 36	4952	wmic.exe
Token: SeIncreaseQuotaPrivilege	4952	wmic.exe
Token: SeSecurityPrivilege	4952	wmic.exe
Token: SeTakeOwnershipPrivilege	4952	wmic.exe
Token: SeLoadDriverPrivilege	4952	wmic.exe
Token: SeSystemProfilePrivilege	4952	wmic.exe
Token: SeSystemtimePrivilege	4952	wmic.exe
Token: SeProfSingleProcessPrivilege	4952	wmic.exe
Token: SeIncBasePriorityPrivilege	4952	wmic.exe
Token: SeCreatePagefilePrivilege	4952	wmic.exe
Token: SeBackupPrivilege	4952	wmic.exe
Token: SeRestorePrivilege	4952	wmic.exe
Token: SeShutdownPrivilege	4952	wmic.exe
Token: SeDebugPrivilege	4952	wmic.exe
Token: SeSystemEnvironmentPrivilege	4952	wmic.exe
Token: SeRemoteShutdownPrivilege	4952	wmic.exe
Token: SeUndockPrivilege	4952	wmic.exe
Token: SeManageVolumePrivilege	4952	wmic.exe
Token: 33	4952	wmic.exe
Token: 34	4952	wmic.exe
Token: 35	4952	wmic.exe
Token: 36	4952	wmic.exe
Token: SeIncreaseQuotaPrivilege	4708	WMIC.exe
Token: SeSecurityPrivilege	4708	WMIC.exe
Token: SeTakeOwnershipPrivilege	4708	WMIC.exe
Token: SeLoadDriverPrivilege	4708	WMIC.exe
Token: SeSystemProfilePrivilege	4708	WMIC.exe
Token: SeSystemtimePrivilege	4708	WMIC.exe
Token: SeProfSingleProcessPrivilege	4708	WMIC.exe
Token: SeIncBasePriorityPrivilege	4708	WMIC.exe
Token: SeCreatePagefilePrivilege	4708	WMIC.exe
Token: SeBackupPrivilege	4708	WMIC.exe
Token: SeRestorePrivilege	4708	WMIC.exe
Token: SeShutdownPrivilege	4708	WMIC.exe
Token: SeDebugPrivilege	4708	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4708	WMIC.exe
Token: SeRemoteShutdownPrivilege	4708	WMIC.exe
Token: SeUndockPrivilege	4708	WMIC.exe
Token: SeManageVolumePrivilege	4708	WMIC.exe
Token: 33	4708	WMIC.exe
Token: 34	4708	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 3752	2124	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 2124 wrote to memory of 3752	2124	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 2124 wrote to memory of 3752	2124	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	81
PID 3752 wrote to memory of 4320	3752	voiceadequovl.exe	85
PID 3752 wrote to memory of 4320	3752	voiceadequovl.exe	85
PID 3752 wrote to memory of 4320	3752	voiceadequovl.exe	85
PID 4320 wrote to memory of 2528	4320	voiceadequovl.exe	91
PID 4320 wrote to memory of 2528	4320	voiceadequovl.exe	91
PID 4320 wrote to memory of 2528	4320	voiceadequovl.exe	91
PID 4320 wrote to memory of 4196	4320	voiceadequovl.exe	93
PID 4320 wrote to memory of 4196	4320	voiceadequovl.exe	93
PID 4320 wrote to memory of 4196	4320	voiceadequovl.exe	93
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4320 wrote to memory of 2728	4320	voiceadequovl.exe	95
PID 4196 wrote to memory of 4212	4196	cmd.exe	96
PID 4196 wrote to memory of 4212	4196	cmd.exe	96
PID 4196 wrote to memory of 4212	4196	cmd.exe	96
PID 2728 wrote to memory of 4952	2728	voiceadequovl.exe	98
PID 2728 wrote to memory of 4952	2728	voiceadequovl.exe	98
PID 2728 wrote to memory of 4952	2728	voiceadequovl.exe	98
PID 2728 wrote to memory of 4424	2728	voiceadequovl.exe	99
PID 2728 wrote to memory of 4424	2728	voiceadequovl.exe	99
PID 2728 wrote to memory of 4424	2728	voiceadequovl.exe	99
PID 4424 wrote to memory of 4708	4424	cmd.exe	101
PID 4424 wrote to memory of 4708	4424	cmd.exe	101
PID 4424 wrote to memory of 4708	4424	cmd.exe	101
PID 2728 wrote to memory of 1612	2728	voiceadequovl.exe	102
PID 2728 wrote to memory of 1612	2728	voiceadequovl.exe	102
PID 2728 wrote to memory of 1612	2728	voiceadequovl.exe	102
PID 1612 wrote to memory of 3960	1612	cmd.exe	104
PID 1612 wrote to memory of 3960	1612	cmd.exe	104
PID 1612 wrote to memory of 3960	1612	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:3960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
0cbf23f9dc9d717a22fb845917c317b3

SHA1
47b6b523aa1a233cbdd98e4e7e3cec924f174494

SHA256
1afa6ad1ee06727e99e641f86c4d8f086e8ee00e8bf0a42147a773f88c5f13e6

SHA512
a8955272be65ee65654d2714f686424c6e668b49142034d892f6b96b6ff35015ab509ce5f49d05334ceb7b181c130582044c471bd01ef895d48250b212f420b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
254.8MB

MD5
42a20409cb8083181c90eebc5b621ead

SHA1
5c92815aac7a107d6b967546e3abe21907e1390b

SHA256
09ce4b56cd5fd88c5e00b5572591ae4327729dd1d4f8aeeb922a681912554f56

SHA512
eefd5fbd6d9cc28b090c86aba2b8f2d11edda70fdef87a9db78b634c515fbf75c18270506841df5028aef0f923b73a941b59defd1f256a32c081f4cbc06dfc79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
239.1MB

MD5
5032e2dbbf84435367b639fd3470c0b7

SHA1
54c7484cdf96bfba9aa7c6bfdcf743045c8bb643

SHA256
109103ec6b6b3b1f2a19234978b6ed35c31efbec27b6f5ae326e88a1f3624435

SHA512
b731a1be74b4cd4ea6ee2df6463d087c8955d63a864f8e4758fdce1169966c4f087f9095ead48d215ecdfc6affb48d5e7a1d326656169c7b94aa491a2bc2fa75

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
251.6MB

MD5
c70aafbfb35ddd431ae47fd0feffcca0

SHA1
f850a0e8ea9deb141ec210f8bf51fff828f9d097

SHA256
7616249e2f59fed347eaf7b538ee53609b2ab31c6f303188d60b423df7a720f4

SHA512
b7b145c3ac1eca3bb77e16f56d980b4dca18eea046eb6bfb4d95d8c7a297675886001e68c914bc4f3a32aa0700f385c0170c642e7d2213967f5886257642f03a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
251.0MB

MD5
cb54da575f142a41f0eb4cb77dcb125e

SHA1
42151dd8d0e60d5b98cf90c4172328db5ebaf43c

SHA256
35fe3446e14ca6f2d2ec0b87cf5989facd0c2734b50573f6708a3b223980fcfe

SHA512
3d3d5c96ab4c55f0928fa6bd18f277239df050835be2251e821b4a46357b0df60d839b2a2e6a3778a6f09719e510a53efabed9d8770238a9b929a2407c4219f2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
194.6MB

MD5
15dec54b1514511b582a0c652e8ea21e

SHA1
21a65fd2886113eb409d7678e1fb9c4fae15f00f

SHA256
e86bd080b3c972310d053ce628c1aa8842f84addd789933fc27ab2d982dbb04a

SHA512
83c7b8db938ebafcd29f845f3a362721b06c7df92b9b8e7d96ab379e53ce149eab71f9dd63e8180ee7b424b9422c4562af5acfecf3373f3201759e141f4f8bfa

Download Submit
memory/2528-142-0x00000000051E0000-0x0000000005808000-memory.dmp

Filesize
6.2MB

Download
memory/2528-143-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/2528-144-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/2528-145-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/2528-147-0x0000000006630000-0x000000000664A000-memory.dmp

Filesize
104KB

Download
memory/2528-146-0x0000000007980000-0x0000000007FFA000-memory.dmp

Filesize
6.5MB

Download
memory/2528-141-0x0000000004B50000-0x0000000004B86000-memory.dmp

Filesize
216KB

Download
memory/2728-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2728-150-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2728-156-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2728-173-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2728-172-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4212-161-0x0000000070B60000-0x0000000070BAC000-memory.dmp

Filesize
304KB

Download
memory/4212-169-0x0000000006410000-0x000000000641E000-memory.dmp

Filesize
56KB

Download
memory/4212-162-0x0000000006680000-0x000000000669E000-memory.dmp

Filesize
120KB

Download
memory/4212-163-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/4212-171-0x0000000007610000-0x0000000007618000-memory.dmp

Filesize
32KB

Download
memory/4212-165-0x00000000076B0000-0x0000000007746000-memory.dmp

Filesize
600KB

Download
memory/4212-170-0x0000000007630000-0x000000000764A000-memory.dmp

Filesize
104KB

Download
memory/4212-160-0x00000000066A0000-0x00000000066D2000-memory.dmp

Filesize
200KB

Download
memory/4320-138-0x0000000000B10000-0x0000000001284000-memory.dmp

Filesize
7.5MB

Download
memory/4320-139-0x00000000071F0000-0x0000000007212000-memory.dmp

Filesize
136KB

Download