aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
62s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

pid	Process
2784	voiceadequovl.exe
1340	voiceadequovl.exe
2660	voiceadequovl.exe
2376	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 2376	1340	voiceadequovl.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
632	powershell.exe
632	powershell.exe
1340	voiceadequovl.exe
1340	voiceadequovl.exe
4192	powershell.exe
4192	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	voiceadequovl.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeIncreaseQuotaPrivilege	4616	wmic.exe
Token: SeSecurityPrivilege	4616	wmic.exe
Token: SeTakeOwnershipPrivilege	4616	wmic.exe
Token: SeLoadDriverPrivilege	4616	wmic.exe
Token: SeSystemProfilePrivilege	4616	wmic.exe
Token: SeSystemtimePrivilege	4616	wmic.exe
Token: SeProfSingleProcessPrivilege	4616	wmic.exe
Token: SeIncBasePriorityPrivilege	4616	wmic.exe
Token: SeCreatePagefilePrivilege	4616	wmic.exe
Token: SeBackupPrivilege	4616	wmic.exe
Token: SeRestorePrivilege	4616	wmic.exe
Token: SeShutdownPrivilege	4616	wmic.exe
Token: SeDebugPrivilege	4616	wmic.exe
Token: SeSystemEnvironmentPrivilege	4616	wmic.exe
Token: SeRemoteShutdownPrivilege	4616	wmic.exe
Token: SeUndockPrivilege	4616	wmic.exe
Token: SeManageVolumePrivilege	4616	wmic.exe
Token: 33	4616	wmic.exe
Token: 34	4616	wmic.exe
Token: 35	4616	wmic.exe
Token: 36	4616	wmic.exe
Token: SeIncreaseQuotaPrivilege	4616	wmic.exe
Token: SeSecurityPrivilege	4616	wmic.exe
Token: SeTakeOwnershipPrivilege	4616	wmic.exe
Token: SeLoadDriverPrivilege	4616	wmic.exe
Token: SeSystemProfilePrivilege	4616	wmic.exe
Token: SeSystemtimePrivilege	4616	wmic.exe
Token: SeProfSingleProcessPrivilege	4616	wmic.exe
Token: SeIncBasePriorityPrivilege	4616	wmic.exe
Token: SeCreatePagefilePrivilege	4616	wmic.exe
Token: SeBackupPrivilege	4616	wmic.exe
Token: SeRestorePrivilege	4616	wmic.exe
Token: SeShutdownPrivilege	4616	wmic.exe
Token: SeDebugPrivilege	4616	wmic.exe
Token: SeSystemEnvironmentPrivilege	4616	wmic.exe
Token: SeRemoteShutdownPrivilege	4616	wmic.exe
Token: SeUndockPrivilege	4616	wmic.exe
Token: SeManageVolumePrivilege	4616	wmic.exe
Token: 33	4616	wmic.exe
Token: 34	4616	wmic.exe
Token: 35	4616	wmic.exe
Token: 36	4616	wmic.exe
Token: SeIncreaseQuotaPrivilege	2044	WMIC.exe
Token: SeSecurityPrivilege	2044	WMIC.exe
Token: SeTakeOwnershipPrivilege	2044	WMIC.exe
Token: SeLoadDriverPrivilege	2044	WMIC.exe
Token: SeSystemProfilePrivilege	2044	WMIC.exe
Token: SeSystemtimePrivilege	2044	WMIC.exe
Token: SeProfSingleProcessPrivilege	2044	WMIC.exe
Token: SeIncBasePriorityPrivilege	2044	WMIC.exe
Token: SeCreatePagefilePrivilege	2044	WMIC.exe
Token: SeBackupPrivilege	2044	WMIC.exe
Token: SeRestorePrivilege	2044	WMIC.exe
Token: SeShutdownPrivilege	2044	WMIC.exe
Token: SeDebugPrivilege	2044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2044	WMIC.exe
Token: SeRemoteShutdownPrivilege	2044	WMIC.exe
Token: SeUndockPrivilege	2044	WMIC.exe
Token: SeManageVolumePrivilege	2044	WMIC.exe
Token: 33	2044	WMIC.exe
Token: 34	2044	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2784	1200	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	79
PID 1200 wrote to memory of 2784	1200	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	79
PID 1200 wrote to memory of 2784	1200	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	79
PID 2784 wrote to memory of 1340	2784	voiceadequovl.exe	80
PID 2784 wrote to memory of 1340	2784	voiceadequovl.exe	80
PID 2784 wrote to memory of 1340	2784	voiceadequovl.exe	80
PID 1340 wrote to memory of 632	1340	voiceadequovl.exe	82
PID 1340 wrote to memory of 632	1340	voiceadequovl.exe	82
PID 1340 wrote to memory of 632	1340	voiceadequovl.exe	82
PID 1340 wrote to memory of 1664	1340	voiceadequovl.exe	92
PID 1340 wrote to memory of 1664	1340	voiceadequovl.exe	92
PID 1340 wrote to memory of 1664	1340	voiceadequovl.exe	92
PID 1664 wrote to memory of 4192	1664	cmd.exe	94
PID 1664 wrote to memory of 4192	1664	cmd.exe	94
PID 1664 wrote to memory of 4192	1664	cmd.exe	94
PID 1340 wrote to memory of 2660	1340	voiceadequovl.exe	95
PID 1340 wrote to memory of 2660	1340	voiceadequovl.exe	95
PID 1340 wrote to memory of 2660	1340	voiceadequovl.exe	95
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 1340 wrote to memory of 2376	1340	voiceadequovl.exe	96
PID 2376 wrote to memory of 4616	2376	voiceadequovl.exe	97
PID 2376 wrote to memory of 4616	2376	voiceadequovl.exe	97
PID 2376 wrote to memory of 4616	2376	voiceadequovl.exe	97
PID 2376 wrote to memory of 1736	2376	voiceadequovl.exe	101
PID 2376 wrote to memory of 1736	2376	voiceadequovl.exe	101
PID 2376 wrote to memory of 1736	2376	voiceadequovl.exe	101
PID 1736 wrote to memory of 2044	1736	cmd.exe	100
PID 1736 wrote to memory of 2044	1736	cmd.exe	100
PID 1736 wrote to memory of 2044	1736	cmd.exe	100
PID 2376 wrote to memory of 2644	2376	voiceadequovl.exe	103
PID 2376 wrote to memory of 2644	2376	voiceadequovl.exe	103
PID 2376 wrote to memory of 2644	2376	voiceadequovl.exe	103
PID 2644 wrote to memory of 3836	2644	cmd.exe	104
PID 2644 wrote to memory of 3836	2644	cmd.exe	104
PID 2644 wrote to memory of 3836	2644	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1200
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:632
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:2660
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1736
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:3836

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
f67f311203f9bfa7636628e791ca927b

SHA1
35b50d70ad1c7fa605d6763c340187d97206e832

SHA256
0639c7bfb9946ca00cac965b54df75800cc50c38f9e12f68407cc2e78f560c51

SHA512
ec2f87ac92ca636718004e395b249e68f0872008a39028fa943d27cfa2651c49b01e11476b3e33a29970f0a1032db31c45a57c8cfad90bb9ac5e6cdb409c75ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
187.4MB

MD5
0db6a539c9352baac6a2949642da4f11

SHA1
067dd602757cab492bd87eca84fb207056e8e41e

SHA256
7930a4ccc656ea82df158cffe510a59780be01a37308dbedb5b2613135defd47

SHA512
47ac8945c8783c6945c0f715de019c72c881046c6e76af5c7bc2ec2f27586875f3bf9970b9d18e42865e074cf448f1e2d8a70d44db8414613cc6e1541153de7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
184.9MB

MD5
c622b49b510cbb7cad015dd58e562240

SHA1
c1eb6305603141705fd84c9d1d9d3b4c7796a495

SHA256
98a91f5de5b18dac103fc72d9cc184cbf67a1a1a70f84ccd6d4351e5f6636749

SHA512
2cc9c999a13027197cc069dc3f3a69b536504909ae59cdb055a669e7ac25b55f3f942bebad7a1f2887de392a6a03a131574b1db4eabf495a90aa9970c65758f0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
175.9MB

MD5
7ddbecf7990491367409396d9adef62c

SHA1
b966270f8833c41f3c2c278127ac273ff5c3a481

SHA256
22475c16d5b1ed24ab0226ee60889175fa5681985256e32aed76847ad6e8a1b4

SHA512
4b79fbaeeba881bc57cec6857ad692a213421d4ee2bd02d1f140a269d56fb0708507142ada2c01bbe24c177a9480316496345ec5f1178da9d40866e25b7ab36c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
189.2MB

MD5
2c152e01b12641d9cb6ba6ef298d6a7e

SHA1
51b2636e9d941066d638ce35758d9ec6a89e6474

SHA256
b96cb082355e87153e19e9225158c0c1a9fe5e10282f523371c6203ca7303ece

SHA512
cbdd01721a60c26aed90e354016e2dfc62dae189b0dfdbc96f5e81c102d431ad94913a6601016442353ad91d042a2b2986da026179f686e59aae7d8912072483

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
140.9MB

MD5
f720f9bcfab8a31717b012986861adb6

SHA1
cc110c3508550f4c82157bed85b81d642b1811ce

SHA256
dcddcb1bb8b3325bbbd3f37ac6907ac5b8efa108d4604cc2897e3d240a33247b

SHA512
004a342ecfa039771cee30e85b1b706d7b1fbbf4ccba183d6ee1f6103ab84a58ed6f8d1fec8173846b6b4f58820dc3689a17c4e061b83eda68b78fb49d875ba7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
146.5MB

MD5
381a4d075f13acb47bb5aa171432dbdf

SHA1
4041ac69eb642dd26c8c953b29c4e2f37132e3b3

SHA256
f84b2329dbfc61a8e29ea4a5be33cdf63787a7c62d20edb0b112ce70ca978e0a

SHA512
8912d3827f2ae036ff6f787d659c7b150997ecc069377e3e68e1cf5ae7a404d104e0e0332c518b71b9a4d57359776dcd212af63f11356ed883a9e9d16b6399fe

Download Submit
memory/632-142-0x0000000005410000-0x0000000005A38000-memory.dmp

Filesize
6.2MB

Download
memory/632-143-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/632-144-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/632-145-0x0000000006250000-0x000000000626E000-memory.dmp

Filesize
120KB

Download
memory/632-147-0x0000000006730000-0x000000000674A000-memory.dmp

Filesize
104KB

Download
memory/632-146-0x0000000007AA0000-0x000000000811A000-memory.dmp

Filesize
6.5MB

Download
memory/632-141-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

Filesize
216KB

Download
memory/1340-139-0x00000000073D0000-0x00000000073F2000-memory.dmp

Filesize
136KB

Download
memory/1340-138-0x0000000000D10000-0x0000000001484000-memory.dmp

Filesize
7.5MB

Download
memory/2376-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2376-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2376-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2376-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4192-166-0x0000000007A50000-0x0000000007AE6000-memory.dmp

Filesize
600KB

Download
memory/4192-164-0x0000000007830000-0x000000000783A000-memory.dmp

Filesize
40KB

Download
memory/4192-163-0x00000000073F0000-0x000000000740E000-memory.dmp

Filesize
120KB

Download
memory/4192-162-0x0000000075550000-0x000000007559C000-memory.dmp

Filesize
304KB

Download
memory/4192-171-0x00000000062E0000-0x00000000062EE000-memory.dmp

Filesize
56KB

Download
memory/4192-172-0x00000000079D0000-0x00000000079EA000-memory.dmp

Filesize
104KB

Download
memory/4192-173-0x00000000079B0000-0x00000000079B8000-memory.dmp

Filesize
32KB

Download
memory/4192-161-0x0000000007430000-0x0000000007462000-memory.dmp

Filesize
200KB

Download