aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

C2

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

4328 voiceadequovl.exe
4816 voiceadequovl.exe
4444 voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4328	voiceadequovl.exe
4816	voiceadequovl.exe
4444	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 4816 set thread context of 4444 4816 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1444 powershell.exe
1444 powershell.exe
1332 powershell.exe
1332 powershell.exe

description	pid	process	target process
PID 4816 set thread context of 4444	4816	voiceadequovl.exe	voiceadequovl.exe

pid	process
1444	powershell.exe
1444	powershell.exe
1332	powershell.exe
1332	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4816	voiceadequovl.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeIncreaseQuotaPrivilege	3544	wmic.exe
Token: SeSecurityPrivilege	3544	wmic.exe
Token: SeTakeOwnershipPrivilege	3544	wmic.exe
Token: SeLoadDriverPrivilege	3544	wmic.exe
Token: SeSystemProfilePrivilege	3544	wmic.exe
Token: SeSystemtimePrivilege	3544	wmic.exe
Token: SeProfSingleProcessPrivilege	3544	wmic.exe
Token: SeIncBasePriorityPrivilege	3544	wmic.exe
Token: SeCreatePagefilePrivilege	3544	wmic.exe
Token: SeBackupPrivilege	3544	wmic.exe
Token: SeRestorePrivilege	3544	wmic.exe
Token: SeShutdownPrivilege	3544	wmic.exe
Token: SeDebugPrivilege	3544	wmic.exe
Token: SeSystemEnvironmentPrivilege	3544	wmic.exe
Token: SeRemoteShutdownPrivilege	3544	wmic.exe
Token: SeUndockPrivilege	3544	wmic.exe
Token: SeManageVolumePrivilege	3544	wmic.exe
Token: 33	3544	wmic.exe
Token: 34	3544	wmic.exe
Token: 35	3544	wmic.exe
Token: 36	3544	wmic.exe
Token: SeIncreaseQuotaPrivilege	3544	wmic.exe
Token: SeSecurityPrivilege	3544	wmic.exe
Token: SeTakeOwnershipPrivilege	3544	wmic.exe
Token: SeLoadDriverPrivilege	3544	wmic.exe
Token: SeSystemProfilePrivilege	3544	wmic.exe
Token: SeSystemtimePrivilege	3544	wmic.exe
Token: SeProfSingleProcessPrivilege	3544	wmic.exe
Token: SeIncBasePriorityPrivilege	3544	wmic.exe
Token: SeCreatePagefilePrivilege	3544	wmic.exe
Token: SeBackupPrivilege	3544	wmic.exe
Token: SeRestorePrivilege	3544	wmic.exe
Token: SeShutdownPrivilege	3544	wmic.exe
Token: SeDebugPrivilege	3544	wmic.exe
Token: SeSystemEnvironmentPrivilege	3544	wmic.exe
Token: SeRemoteShutdownPrivilege	3544	wmic.exe
Token: SeUndockPrivilege	3544	wmic.exe
Token: SeManageVolumePrivilege	3544	wmic.exe
Token: 33	3544	wmic.exe
Token: 34	3544	wmic.exe
Token: 35	3544	wmic.exe
Token: 36	3544	wmic.exe
Token: SeIncreaseQuotaPrivilege	3136	WMIC.exe
Token: SeSecurityPrivilege	3136	WMIC.exe
Token: SeTakeOwnershipPrivilege	3136	WMIC.exe
Token: SeLoadDriverPrivilege	3136	WMIC.exe
Token: SeSystemProfilePrivilege	3136	WMIC.exe
Token: SeSystemtimePrivilege	3136	WMIC.exe
Token: SeProfSingleProcessPrivilege	3136	WMIC.exe
Token: SeIncBasePriorityPrivilege	3136	WMIC.exe
Token: SeCreatePagefilePrivilege	3136	WMIC.exe
Token: SeBackupPrivilege	3136	WMIC.exe
Token: SeRestorePrivilege	3136	WMIC.exe
Token: SeShutdownPrivilege	3136	WMIC.exe
Token: SeDebugPrivilege	3136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3136	WMIC.exe
Token: SeRemoteShutdownPrivilege	3136	WMIC.exe
Token: SeUndockPrivilege	3136	WMIC.exe
Token: SeManageVolumePrivilege	3136	WMIC.exe
Token: 33	3136	WMIC.exe
Token: 34	3136	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 3044 wrote to memory of 4328	3044	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 3044 wrote to memory of 4328	3044	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 3044 wrote to memory of 4328	3044	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4328 wrote to memory of 4816	4328	voiceadequovl.exe	voiceadequovl.exe
PID 4328 wrote to memory of 4816	4328	voiceadequovl.exe	voiceadequovl.exe
PID 4328 wrote to memory of 4816	4328	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 1444	4816	voiceadequovl.exe	powershell.exe
PID 4816 wrote to memory of 1444	4816	voiceadequovl.exe	powershell.exe
PID 4816 wrote to memory of 1444	4816	voiceadequovl.exe	powershell.exe
PID 4816 wrote to memory of 4280	4816	voiceadequovl.exe	cmd.exe
PID 4816 wrote to memory of 4280	4816	voiceadequovl.exe	cmd.exe
PID 4816 wrote to memory of 4280	4816	voiceadequovl.exe	cmd.exe
PID 4280 wrote to memory of 1332	4280	cmd.exe	powershell.exe
PID 4280 wrote to memory of 1332	4280	cmd.exe	powershell.exe
PID 4280 wrote to memory of 1332	4280	cmd.exe	powershell.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4816 wrote to memory of 4444	4816	voiceadequovl.exe	voiceadequovl.exe
PID 4444 wrote to memory of 3544	4444	voiceadequovl.exe	wmic.exe
PID 4444 wrote to memory of 3544	4444	voiceadequovl.exe	wmic.exe
PID 4444 wrote to memory of 3544	4444	voiceadequovl.exe	wmic.exe
PID 4444 wrote to memory of 3500	4444	voiceadequovl.exe	cmd.exe
PID 4444 wrote to memory of 3500	4444	voiceadequovl.exe	cmd.exe
PID 4444 wrote to memory of 3500	4444	voiceadequovl.exe	cmd.exe
PID 3500 wrote to memory of 3136	3500	cmd.exe	WMIC.exe
PID 3500 wrote to memory of 3136	3500	cmd.exe	WMIC.exe
PID 3500 wrote to memory of 3136	3500	cmd.exe	WMIC.exe
PID 4444 wrote to memory of 3200	4444	voiceadequovl.exe	cmd.exe
PID 4444 wrote to memory of 3200	4444	voiceadequovl.exe	cmd.exe
PID 4444 wrote to memory of 3200	4444	voiceadequovl.exe	cmd.exe
PID 3200 wrote to memory of 2720	3200	cmd.exe	WMIC.exe
PID 3200 wrote to memory of 2720	3200	cmd.exe	WMIC.exe
PID 3200 wrote to memory of 2720	3200	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4280
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3500
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3200
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:2720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
46454aa0aa68b4cb68f86a20d32fbc94

SHA1
3ecd4856dd77ac105fa6e28f4fa1973ac8b47d4a

SHA256
1a19fae62f562693ce0fc495dbb001ee380b1eaba7ba011c62f9ed353fd79739

SHA512
7f24820f97a8002d2b475d54f15e7b1e74643ac7e0486430af1466e12b76384f330d2f0a6215ad2cf7b734095f8919ae6f624d3c80ea6b18d875939821d0b9cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
294.8MB

MD5
8ed83ebe7a96f3eceed99c5cbe7cfbf9

SHA1
8b99dbed1b73e875669a305de6a71b751b1472a7

SHA256
458095f8317548e7d918db535a22de3dac839b10e85772fefd4b01f01ecfe9de

SHA512
ffc125ded61a929ee8bd11a5d08227b47942d65e1335bddbe5f4e5414d66afaaf0bb42a4fd9c29b0861b78ca91ed180fdda868f1883dc7fd483c33fed47438f6

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
291.3MB

MD5
46ca46f99c5dcad43f56c385356834ab

SHA1
42c2acf297f67d4595798e7746d311026d2f2af8

SHA256
088611e32abc17a37c098c9cf4ca5a7951175ce2fb7fb57ee676d0bc01aae114

SHA512
0195a6901cc3fac2349282e3775127027592c62d595d4a2abef81339452365cb70c5fe205df63e26e028d149b56b947ef7588e8277bc1ae07634a0585b62bc71

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
212.1MB

MD5
d405ef9bed4d8bd6f36ead525a94de2e

SHA1
26ae4e72ac0f6152953d461fee4ffb5568285c26

SHA256
b45edd10838730c2e5b13d399ff5601be9df8d7dd00395806dbdb03741b0367a

SHA512
2dff42741d99595a9c46ef27d8565a0a96dbaa71cadbb489a503ebf9ff72e0fd7d55563854331cb76f8c2e9403ca51bf5e34661310510b839c4a439320528e35

Download Submit
memory/1332-164-0x0000000007260000-0x00000000072F6000-memory.dmp

Filesize
600KB

Download
memory/1332-162-0x0000000007000000-0x000000000700A000-memory.dmp

Filesize
40KB

Download
memory/1332-161-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/1332-160-0x0000000073EE0000-0x0000000073F2C000-memory.dmp

Filesize
304KB

Download
memory/1332-159-0x0000000006250000-0x0000000006282000-memory.dmp

Filesize
200KB

Download
memory/1332-149-0x0000000000000000-mapping.dmp

Download
memory/1332-169-0x0000000005AF0000-0x0000000005AFE000-memory.dmp

Filesize
56KB

Download
memory/1332-170-0x00000000071C0000-0x00000000071DA000-memory.dmp

Filesize
104KB

Download
memory/1332-171-0x00000000071A0000-0x00000000071A8000-memory.dmp

Filesize
32KB

Download
memory/1444-142-0x0000000005080000-0x00000000056A8000-memory.dmp

Filesize
6.2MB

Download
memory/1444-144-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/1444-147-0x0000000006320000-0x000000000633A000-memory.dmp

Filesize
104KB

Download
memory/1444-140-0x0000000000000000-mapping.dmp

Download
memory/1444-141-0x0000000004890000-0x00000000048C6000-memory.dmp

Filesize
216KB

Download
memory/1444-146-0x0000000007670000-0x0000000007CEA000-memory.dmp

Filesize
6.5MB

Download
memory/1444-143-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/1444-145-0x0000000005E20000-0x0000000005E3E000-memory.dmp

Filesize
120KB

Download
memory/2720-168-0x0000000000000000-mapping.dmp

Download
memory/3136-166-0x0000000000000000-mapping.dmp

Download
memory/3200-167-0x0000000000000000-mapping.dmp

Download
memory/3500-165-0x0000000000000000-mapping.dmp

Download
memory/3544-163-0x0000000000000000-mapping.dmp

Download
memory/4280-148-0x0000000000000000-mapping.dmp

Download
memory/4328-132-0x0000000000000000-mapping.dmp

Download
memory/4444-155-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4444-152-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4444-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4444-151-0x0000000000000000-mapping.dmp

Download
memory/4444-172-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4816-139-0x0000000006770000-0x0000000006792000-memory.dmp

Filesize
136KB

Download
memory/4816-138-0x00000000000B0000-0x0000000000824000-memory.dmp

Filesize
7.5MB

Download
memory/4816-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads