aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
58s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 6 IoCs

pid	Process
4476	voiceadequovl.exe
4648	voiceadequovl.exe
3012	voiceadequovl.exe
4540	voiceadequovl.exe
1592	voiceadequovl.exe
4116	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4648 set thread context of 4116	4648	voiceadequovl.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
752	powershell.exe
752	powershell.exe
4648	voiceadequovl.exe
4648	voiceadequovl.exe
1892	powershell.exe
4648	voiceadequovl.exe
4648	voiceadequovl.exe
4648	voiceadequovl.exe
4648	voiceadequovl.exe
1892	powershell.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	voiceadequovl.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeIncreaseQuotaPrivilege	4028	wmic.exe
Token: SeSecurityPrivilege	4028	wmic.exe
Token: SeTakeOwnershipPrivilege	4028	wmic.exe
Token: SeLoadDriverPrivilege	4028	wmic.exe
Token: SeSystemProfilePrivilege	4028	wmic.exe
Token: SeSystemtimePrivilege	4028	wmic.exe
Token: SeProfSingleProcessPrivilege	4028	wmic.exe
Token: SeIncBasePriorityPrivilege	4028	wmic.exe
Token: SeCreatePagefilePrivilege	4028	wmic.exe
Token: SeBackupPrivilege	4028	wmic.exe
Token: SeRestorePrivilege	4028	wmic.exe
Token: SeShutdownPrivilege	4028	wmic.exe
Token: SeDebugPrivilege	4028	wmic.exe
Token: SeSystemEnvironmentPrivilege	4028	wmic.exe
Token: SeRemoteShutdownPrivilege	4028	wmic.exe
Token: SeUndockPrivilege	4028	wmic.exe
Token: SeManageVolumePrivilege	4028	wmic.exe
Token: 33	4028	wmic.exe
Token: 34	4028	wmic.exe
Token: 35	4028	wmic.exe
Token: 36	4028	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 4476	1548	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	80
PID 1548 wrote to memory of 4476	1548	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	80
PID 1548 wrote to memory of 4476	1548	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	80
PID 4476 wrote to memory of 4648	4476	voiceadequovl.exe	81
PID 4476 wrote to memory of 4648	4476	voiceadequovl.exe	81
PID 4476 wrote to memory of 4648	4476	voiceadequovl.exe	81
PID 4648 wrote to memory of 752	4648	voiceadequovl.exe	84
PID 4648 wrote to memory of 752	4648	voiceadequovl.exe	84
PID 4648 wrote to memory of 752	4648	voiceadequovl.exe	84
PID 4648 wrote to memory of 1536	4648	voiceadequovl.exe	93
PID 4648 wrote to memory of 1536	4648	voiceadequovl.exe	93
PID 4648 wrote to memory of 1536	4648	voiceadequovl.exe	93
PID 1536 wrote to memory of 1892	1536	cmd.exe	94
PID 1536 wrote to memory of 1892	1536	cmd.exe	94
PID 1536 wrote to memory of 1892	1536	cmd.exe	94
PID 4648 wrote to memory of 3012	4648	voiceadequovl.exe	95
PID 4648 wrote to memory of 3012	4648	voiceadequovl.exe	95
PID 4648 wrote to memory of 3012	4648	voiceadequovl.exe	95
PID 4648 wrote to memory of 4540	4648	voiceadequovl.exe	96
PID 4648 wrote to memory of 4540	4648	voiceadequovl.exe	96
PID 4648 wrote to memory of 4540	4648	voiceadequovl.exe	96
PID 4648 wrote to memory of 1592	4648	voiceadequovl.exe	97
PID 4648 wrote to memory of 1592	4648	voiceadequovl.exe	97
PID 4648 wrote to memory of 1592	4648	voiceadequovl.exe	97
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4648 wrote to memory of 4116	4648	voiceadequovl.exe	98
PID 4116 wrote to memory of 4028	4116	voiceadequovl.exe	100
PID 4116 wrote to memory of 4028	4116	voiceadequovl.exe	100
PID 4116 wrote to memory of 4028	4116	voiceadequovl.exe	100

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:3012
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:4540
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1592
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:3348
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:3804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:2284
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:5000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
a68297592b968ee8730e4388142978e6

SHA1
1472a5455509700b10ca827d86eae28dd6e7fcbc

SHA256
5306e74cafadefbe78e1ece71be44241851089c674996b342d5c8a566be5109c

SHA512
07e89cbbdfef5f9b7e44dc910498e63a3a8fa3052760e79b89fdd8b918613bd4f3b67c09119babf6fd2691ebe28daf037c1032795f601fc726e81ff2c69447f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
332.5MB

MD5
09d15084f137ed958d0c7f88d3e7e06d

SHA1
0c2d361c702439f42e8161833f040787919c6313

SHA256
aefa17f3c82c83c82abf466c13dedbb91903feeca6a1b21ca5daaaed7266d3d2

SHA512
ae4e6634557168208d19e2452c958dda393ba493ae2ab78396f73ed503556e5cbd19c73d0d5fb23929adf0df8aa94056fbc6d246eff2241adbc683e076e3d100

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
299.4MB

MD5
798c42483d10932134e6574d09d9c1e8

SHA1
cdc512eb513ec1467cbdda2aacb361df6d4fefe0

SHA256
6b7f6d14af09fe374f8cbd44fbcda14af166cedfbd199d073e5f933ec2852f8a

SHA512
54abca8ec4178fefcec41e2430d96b88d10f6010186ba826402d9e0673605a4027edf73b5e3ca8debd0db3b4d0e2742fae0e2943d027cb74d03c4a33a1f9401e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
300.5MB

MD5
14e41e7616983190b8cf1d4f64467c12

SHA1
0b56a254192d63bfedf4d93a5331f7dff76bf7cf

SHA256
acee41c3246d076dbce0c33421d50c46f1db3055afbc2d01fcb4773c1472cacb

SHA512
9527578cad2034eeb8da170d3b87cb926292fb972abe4e8942a0a076e4db362526bf428acbe38a36325c94772aede8a15b9de1e6203c412146aa7f2aee3446a5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
297.4MB

MD5
d28e573cdbadef28fe294f6c28720afc

SHA1
27d1fa516d8e334880f60c3dc3832d12fa4e1ff1

SHA256
14b74543a3153465f5fba5f01c946bd8157b0170d454e28839fd0bceee04d780

SHA512
0dac7ea79959f80a520a457f0fb51d471c69afb0fb758b1678d484768570cec84053de125b9eeebf39cee3fd895622584decbd53a7b2b9c8005e6d9e6edbe8bf

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
201.9MB

MD5
c458b88ea5124b84aa016ae32cccb557

SHA1
44e48465beb9406febc3858abfedc14526efaa30

SHA256
8fbd98a52647c7704780793641e3626bbf5b654850ba65436e61874b73ccf5f5

SHA512
b260d369d54cfc99ae132f4357c7054fe1ba97655bb4eb74e94853513a01b7a66092d003a9e2dc2eade0e7fc916e20bacef91387a736fe48bf0fe8b3ec0a27e8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
205.6MB

MD5
83ac6b2f96197bd520f3c46d06450151

SHA1
77bdc3717e8c3c4374e47c8fb9547a89f781746c

SHA256
f5277f625014eb05823c05a3f240a92651e8ab66fd494e257dc876ad76ca81b6

SHA512
3cbab60adb99a1246ec0c4a9397fe41c6393c90f8fde7edc91df67a1c8bc39c6c587012ab2ffc7efc07c40458240f98543165440a3341cdecd62da8d0a25eea0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
156.2MB

MD5
c9bbfbc8c86c6b05e67f51b74ffb7428

SHA1
bca95472bef9840e5b2d93898aae395dc058e6e9

SHA256
7d8191ce63d735a67227019ecc4f9ba62023b7d6ae80ee68feff9f9bf6abc8e1

SHA512
fb8fe730d4890b47538a749ff931e96850e1be9274f07b1964e938f41b65f1926b2dcff7e091c1a47bc53e1646defb7c3ffbc8594e1de2810b026419b29703c2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
204.9MB

MD5
8a987112aa152f641af056c40fced2fe

SHA1
19235120f839b3682173a96c65b08a6f16336573

SHA256
c340e7b0e6ef314fbf82dee0599adb243065ec4314f046970eff6ea0e0f4291c

SHA512
ca16217ae0e8688912ab7235f7bb0e05377dbf0cbef525dd2f0d153ae4ae478feeb62bf6d819852a3a30e9af05fa9e989d935777c41cd80c7314512e8a1bcae9

Download Submit
memory/752-145-0x0000000005210000-0x0000000005838000-memory.dmp

Filesize
6.2MB

Download
memory/752-147-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/752-148-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/752-150-0x0000000006620000-0x000000000663A000-memory.dmp

Filesize
104KB

Download
memory/752-149-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/752-146-0x0000000005A30000-0x0000000005A96000-memory.dmp

Filesize
408KB

Download
memory/752-144-0x0000000004BA0000-0x0000000004BD6000-memory.dmp

Filesize
216KB

Download
memory/1892-170-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/1892-173-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/1892-180-0x0000000006FF0000-0x0000000006FF8000-memory.dmp

Filesize
32KB

Download
memory/1892-179-0x0000000007010000-0x000000000702A000-memory.dmp

Filesize
104KB

Download
memory/1892-178-0x0000000005950000-0x000000000595E000-memory.dmp

Filesize
56KB

Download
memory/1892-171-0x0000000006E70000-0x0000000006E7A000-memory.dmp

Filesize
40KB

Download
memory/1892-169-0x0000000073680000-0x00000000736CC000-memory.dmp

Filesize
304KB

Download
memory/1892-168-0x00000000060A0000-0x00000000060D2000-memory.dmp

Filesize
200KB

Download
memory/4116-166-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4116-161-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4116-164-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4648-142-0x0000000006EB0000-0x0000000006ED2000-memory.dmp

Filesize
136KB

Download
memory/4648-141-0x00000000007E0000-0x0000000000F54000-memory.dmp

Filesize
7.5MB

Download