aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
130s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

4616 voiceadequovl.exe
1872 voiceadequovl.exe

pid	process
4616	voiceadequovl.exe
1872	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exevoiceadequovl.exe

pid process

4512 powershell.exe
4512 powershell.exe
1872 voiceadequovl.exe
1872 voiceadequovl.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1872 voiceadequovl.exe
Token: SeDebugPrivilege 4512 powershell.exe
Token: SeDebugPrivilege 1908 powershell.exe

pid	process
4512	powershell.exe
4512	powershell.exe
1872	voiceadequovl.exe
1872	voiceadequovl.exe

description	pid	process
Token: SeDebugPrivilege	1872	voiceadequovl.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 3608 wrote to memory of 4616	3608	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 3608 wrote to memory of 4616	3608	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 3608 wrote to memory of 4616	3608	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4616 wrote to memory of 1872	4616	voiceadequovl.exe	voiceadequovl.exe
PID 4616 wrote to memory of 1872	4616	voiceadequovl.exe	voiceadequovl.exe
PID 4616 wrote to memory of 1872	4616	voiceadequovl.exe	voiceadequovl.exe
PID 1872 wrote to memory of 4512	1872	voiceadequovl.exe	powershell.exe
PID 1872 wrote to memory of 4512	1872	voiceadequovl.exe	powershell.exe
PID 1872 wrote to memory of 4512	1872	voiceadequovl.exe	powershell.exe
PID 1872 wrote to memory of 3524	1872	voiceadequovl.exe	cmd.exe
PID 1872 wrote to memory of 3524	1872	voiceadequovl.exe	cmd.exe
PID 1872 wrote to memory of 3524	1872	voiceadequovl.exe	cmd.exe
PID 3524 wrote to memory of 1908	3524	cmd.exe	powershell.exe
PID 3524 wrote to memory of 1908	3524	cmd.exe	powershell.exe
PID 3524 wrote to memory of 1908	3524	cmd.exe	powershell.exe
PID 1872 wrote to memory of 2544	1872	voiceadequovl.exe	voiceadequovl.exe
PID 1872 wrote to memory of 2544	1872	voiceadequovl.exe	voiceadequovl.exe
PID 1872 wrote to memory of 2544	1872	voiceadequovl.exe	voiceadequovl.exe
PID 1872 wrote to memory of 2616	1872	voiceadequovl.exe	voiceadequovl.exe
PID 1872 wrote to memory of 2616	1872	voiceadequovl.exe	voiceadequovl.exe
PID 1872 wrote to memory of 2616	1872	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4616
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4512
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3524
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:2544
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:2616
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1116
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1208
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:3132
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1188
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:4336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
0727a17bc9349de27270d725a7751890

SHA1
7fa69253c0ef0e712facc8150b4f5da4acc32ff3

SHA256
01b7108776614a9df22f1b2a881771ef624c0ba132bea48e44129920568f66ac

SHA512
b90cd733eccd76c54e94ee45ff5f841f237e0fa3ac6496876a4a7ad4e3663cb3d48431229083359985b862d2ffe943744b088bcf5c69fb17d97bd04b6e34e12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
369.8MB

MD5
14a9737eb666769fee7c28a00eb14e82

SHA1
ab8f2279f13a546fc32233a4da0855660fb07ec0

SHA256
a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a

SHA512
973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
369.8MB

MD5
14a9737eb666769fee7c28a00eb14e82

SHA1
ab8f2279f13a546fc32233a4da0855660fb07ec0

SHA256
a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a

SHA512
973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
80.8MB

MD5
48f2875c3ad8c02c8e9061d67d922f36

SHA1
b55546db0626583e6fe7bb2feeb343f10b8fcfad

SHA256
24f3300e9a5cc6ce36dabe07bd748c731ddd84221a96f82e6e50c739e26a6777

SHA512
2f5ff5bd0eae15bf94f80da7689c4a3d66225d80f81fb025b0cdad95359a8814cde11774929525f9f921a30cf615045bead268b3ff4f80da49dbe25d9cdc9590

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
86.2MB

MD5
7047ea58e69afaafeda66aa0f076d025

SHA1
dd79f07f939eb02c50d48f97b1159cbd6f81898b

SHA256
418eec33ec200cbdd31117a15465d64ca11a08b65379c52698281b45241e51bd

SHA512
7bf0958f80254814fc2188f343211ad2a44a2c720731e5bd84f29308d269194f4d81c6b999ecbd814bd002948d3064a8224d4aa63e3aa0dba43708c2c0e9902b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
78.9MB

MD5
c374faf0940155de6fe73e2fc1def833

SHA1
a0b87d170873c3849a7c59ba29b7726892f486b1

SHA256
ed4a27dd32811c2d4064133071d029db6debbbec2241ed7e6236c2f149bb1c8f

SHA512
0aa8127211d9a9cd6ec628de9ea4d39fe88abe91d410175b600a08ea7bff527f7e9ff66ba33ad1668006215aab35b120276ac0955d53fa7aa0dbcfbafbe4c50e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
86.2MB

MD5
0c6651defc328e07e0a08cb1e0e72897

SHA1
a771df1be2f4de32f2065e999055effa75acd4fd

SHA256
6a6a21c25e899abf844af1f400f48c61dc82f613c722d1871abfb2c569be72f5

SHA512
324ba799c0f11d8ecb5fbe308fb0f85e8ccf87f689e8898d0b24daebb20102caaaf48378250dbda5feb2bcff24e9e13b97f8ce04771a015a37e377ec31ddccbb

Download Submit
memory/1116-155-0x0000000000000000-mapping.dmp

Download
memory/1188-173-0x0000000000000000-mapping.dmp

Download
memory/1208-164-0x0000000000000000-mapping.dmp

Download
memory/1872-139-0x0000000002EB0000-0x0000000002ED2000-memory.dmp

Filesize
136KB

Download
memory/1872-138-0x0000000000100000-0x0000000000874000-memory.dmp

Filesize
7.5MB

Download
memory/1872-135-0x0000000000000000-mapping.dmp

Download
memory/1908-166-0x0000000006890000-0x00000000068C2000-memory.dmp

Filesize
200KB

Download
memory/1908-168-0x0000000006820000-0x000000000683E000-memory.dmp

Filesize
120KB

Download
memory/1908-170-0x0000000007660000-0x000000000766A000-memory.dmp

Filesize
40KB

Download
memory/1908-167-0x0000000075100000-0x000000007514C000-memory.dmp

Filesize
304KB

Download
memory/1908-172-0x00000000078A0000-0x0000000007936000-memory.dmp

Filesize
600KB

Download
memory/1908-149-0x0000000000000000-mapping.dmp

Download
memory/2544-151-0x0000000000000000-mapping.dmp

Download
memory/2616-153-0x0000000000000000-mapping.dmp

Download
memory/3020-171-0x0000000000000000-mapping.dmp

Download
memory/3132-169-0x0000000000000000-mapping.dmp

Download
memory/3524-148-0x0000000000000000-mapping.dmp

Download
memory/4336-174-0x0000000000000000-mapping.dmp

Download
memory/4512-142-0x00000000059D0000-0x0000000005FF8000-memory.dmp

Filesize
6.2MB

Download
memory/4512-147-0x0000000006CB0000-0x0000000006CCA000-memory.dmp

Filesize
104KB

Download
memory/4512-146-0x0000000007F40000-0x00000000085BA000-memory.dmp

Filesize
6.5MB

Download
memory/4512-145-0x0000000005640000-0x000000000565E000-memory.dmp

Filesize
120KB

Download
memory/4512-144-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/4512-143-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/4512-141-0x0000000005310000-0x0000000005346000-memory.dmp

Filesize
216KB

Download
memory/4512-140-0x0000000000000000-mapping.dmp

Download
memory/4616-132-0x0000000000000000-mapping.dmp

Download
memory/4848-163-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4848-161-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4848-157-0x0000000000000000-mapping.dmp

Download
memory/4848-158-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download