aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
132s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

4492 voiceadequovl.exe
4780 voiceadequovl.exe
2752 voiceadequovl.exe
2420 voiceadequovl.exe

pid	process
4492	voiceadequovl.exe
4780	voiceadequovl.exe
2752	voiceadequovl.exe
2420	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 4780 set thread context of 2420 4780 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exevoiceadequovl.exepowershell.exe

pid process

236 powershell.exe
236 powershell.exe
4780 voiceadequovl.exe
4780 voiceadequovl.exe
2204 powershell.exe
2204 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4780 voiceadequovl.exe
Token: SeDebugPrivilege 236 powershell.exe
Token: SeDebugPrivilege 2204 powershell.exe

description	pid	process	target process
PID 4780 set thread context of 2420	4780	voiceadequovl.exe	voiceadequovl.exe

pid	process
236	powershell.exe
236	powershell.exe
4780	voiceadequovl.exe
4780	voiceadequovl.exe
2204	powershell.exe
2204	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4780	voiceadequovl.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 4424 wrote to memory of 4492	4424	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4424 wrote to memory of 4492	4424	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4424 wrote to memory of 4492	4424	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 4492 wrote to memory of 4780	4492	voiceadequovl.exe	voiceadequovl.exe
PID 4492 wrote to memory of 4780	4492	voiceadequovl.exe	voiceadequovl.exe
PID 4492 wrote to memory of 4780	4492	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 236	4780	voiceadequovl.exe	powershell.exe
PID 4780 wrote to memory of 236	4780	voiceadequovl.exe	powershell.exe
PID 4780 wrote to memory of 236	4780	voiceadequovl.exe	powershell.exe
PID 4780 wrote to memory of 3752	4780	voiceadequovl.exe	cmd.exe
PID 4780 wrote to memory of 3752	4780	voiceadequovl.exe	cmd.exe
PID 4780 wrote to memory of 3752	4780	voiceadequovl.exe	cmd.exe
PID 3752 wrote to memory of 2204	3752	cmd.exe	powershell.exe
PID 3752 wrote to memory of 2204	3752	cmd.exe	powershell.exe
PID 3752 wrote to memory of 2204	3752	cmd.exe	powershell.exe
PID 4780 wrote to memory of 2752	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2752	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2752	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe
PID 4780 wrote to memory of 2420	4780	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:2420

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:3932

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:4020

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
0f53674af0c42551f18bc45e0b21bf4c

SHA1
2a9020c08a5ffddc575f47aa0a6cb3b2afc16105

SHA256
3a3d70d7800b5170d3112cfdc66b3b8a021c167f8e33eb1e10235d6aec961c4e

SHA512
a3209e5ce88836811c39a15713d74c4cf868da3c2da9fc8b0f52a3e1ab3ffde1cf9e3cbf6b8c2c2f9507c25d8a4a1d58c9b8c846dcc2bf8626bcae0ef71cf457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
208d2469370832897fbe3952e371c80f

SHA1
e7e4e48d860126134e79cd9a2ba3fc74488df3c9

SHA256
37234ff5ea2f915d219e3c0b0e9fec7bfcac02e5d9518400d6267edca922427d

SHA512
8231aa6f479c3f2cabd9ec1ddcdde5289f9a6120134c7b2443db0f3f52130ab7836ba6cc314acc2227887c0431c4232ea5619c7f4e435bc8e4ad5db0e2f0381f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
369.8MB

MD5
14a9737eb666769fee7c28a00eb14e82

SHA1
ab8f2279f13a546fc32233a4da0855660fb07ec0

SHA256
a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a

SHA512
973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
369.8MB

MD5
14a9737eb666769fee7c28a00eb14e82

SHA1
ab8f2279f13a546fc32233a4da0855660fb07ec0

SHA256
a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a

SHA512
973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
157.7MB

MD5
ba93392c90e163d76c64a9a077b2eb8b

SHA1
96984be6f4f5bdd24553bbd49c10e260173f427e

SHA256
2d05af1cd4a944f9cbdc925d3f28d26f6c69560b9e4d4c35702cfd7153498d4a

SHA512
34e39e7d7882943bf3fc72d2f5019404a5b5670cc44e1f08ddfb3b7915c7735762a45895b65b10fb4422e3fb51ebde81b52f58230f3e3c0cdb6241cdb8f15fee

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
155.9MB

MD5
b43330c2ebf5c08a767a26ffbafd2e6f

SHA1
8d1f0588cf331bd83cec78b46cdc25d8ce8e475b

SHA256
ce61366a060cb40503740c5cdd350e8b03a6e8084071372f9259c4868f6ae133

SHA512
8fb7c218bdc13db5f9d8018e4bd77544fde665ed9767bcb1c3b865784411e5939e07de11258e0aa707f39e89a5aaa2f6271c2f2002f0877c4dac357e3c3c473d

Download Submit
memory/236-141-0x0000000002410000-0x0000000002446000-memory.dmp

Filesize
216KB

Download
memory/236-140-0x0000000000000000-mapping.dmp

Download
memory/236-143-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/236-144-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/236-145-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

Filesize
120KB

Download
memory/236-146-0x00000000073C0000-0x0000000007A3A000-memory.dmp

Filesize
6.5MB

Download
memory/236-147-0x0000000006100000-0x000000000611A000-memory.dmp

Filesize
104KB

Download
memory/236-142-0x0000000004EA0000-0x00000000054C8000-memory.dmp

Filesize
6.2MB

Download
memory/1468-169-0x0000000000000000-mapping.dmp

Download
memory/2160-166-0x0000000000000000-mapping.dmp

Download
memory/2204-164-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/2204-170-0x0000000007620000-0x00000000076B6000-memory.dmp

Filesize
600KB

Download
memory/2204-167-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/2204-149-0x0000000000000000-mapping.dmp

Download
memory/2204-163-0x0000000073430000-0x000000007347C000-memory.dmp

Filesize
304KB

Download
memory/2204-162-0x0000000006610000-0x0000000006642000-memory.dmp

Filesize
200KB

Download
memory/2420-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2420-158-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2420-153-0x0000000000000000-mapping.dmp

Download
memory/2420-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2752-151-0x0000000000000000-mapping.dmp

Download
memory/3752-148-0x0000000000000000-mapping.dmp

Download
memory/3932-165-0x0000000000000000-mapping.dmp

Download
memory/4020-168-0x0000000000000000-mapping.dmp

Download
memory/4032-160-0x0000000000000000-mapping.dmp

Download
memory/4492-132-0x0000000000000000-mapping.dmp

Download
memory/4780-138-0x0000000000CC0000-0x0000000001434000-memory.dmp

Filesize
7.5MB

Download
memory/4780-135-0x0000000000000000-mapping.dmp

Download
memory/4780-139-0x0000000007380000-0x00000000073A2000-memory.dmp

Filesize
136KB

Download