aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

C2

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

voiceadequovl.exevoiceadequovl.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

3392 voiceadequovl.exe
332 voiceadequovl.exe
2356 voiceadequovl.exe

pid	process
3392	voiceadequovl.exe
332	voiceadequovl.exe
2356	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 332 set thread context of 2356 332 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

5068 powershell.exe
5068 powershell.exe
656 powershell.exe
656 powershell.exe

description	pid	process	target process
PID 332 set thread context of 2356	332	voiceadequovl.exe	voiceadequovl.exe

pid	process
5068	powershell.exe
5068	powershell.exe
656	powershell.exe
656	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	332	voiceadequovl.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeIncreaseQuotaPrivilege	1712	wmic.exe
Token: SeSecurityPrivilege	1712	wmic.exe
Token: SeTakeOwnershipPrivilege	1712	wmic.exe
Token: SeLoadDriverPrivilege	1712	wmic.exe
Token: SeSystemProfilePrivilege	1712	wmic.exe
Token: SeSystemtimePrivilege	1712	wmic.exe
Token: SeProfSingleProcessPrivilege	1712	wmic.exe
Token: SeIncBasePriorityPrivilege	1712	wmic.exe
Token: SeCreatePagefilePrivilege	1712	wmic.exe
Token: SeBackupPrivilege	1712	wmic.exe
Token: SeRestorePrivilege	1712	wmic.exe
Token: SeShutdownPrivilege	1712	wmic.exe
Token: SeDebugPrivilege	1712	wmic.exe
Token: SeSystemEnvironmentPrivilege	1712	wmic.exe
Token: SeRemoteShutdownPrivilege	1712	wmic.exe
Token: SeUndockPrivilege	1712	wmic.exe
Token: SeManageVolumePrivilege	1712	wmic.exe
Token: 33	1712	wmic.exe
Token: 34	1712	wmic.exe
Token: 35	1712	wmic.exe
Token: 36	1712	wmic.exe
Token: SeIncreaseQuotaPrivilege	1712	wmic.exe
Token: SeSecurityPrivilege	1712	wmic.exe
Token: SeTakeOwnershipPrivilege	1712	wmic.exe
Token: SeLoadDriverPrivilege	1712	wmic.exe
Token: SeSystemProfilePrivilege	1712	wmic.exe
Token: SeSystemtimePrivilege	1712	wmic.exe
Token: SeProfSingleProcessPrivilege	1712	wmic.exe
Token: SeIncBasePriorityPrivilege	1712	wmic.exe
Token: SeCreatePagefilePrivilege	1712	wmic.exe
Token: SeBackupPrivilege	1712	wmic.exe
Token: SeRestorePrivilege	1712	wmic.exe
Token: SeShutdownPrivilege	1712	wmic.exe
Token: SeDebugPrivilege	1712	wmic.exe
Token: SeSystemEnvironmentPrivilege	1712	wmic.exe
Token: SeRemoteShutdownPrivilege	1712	wmic.exe
Token: SeUndockPrivilege	1712	wmic.exe
Token: SeManageVolumePrivilege	1712	wmic.exe
Token: 33	1712	wmic.exe
Token: 34	1712	wmic.exe
Token: 35	1712	wmic.exe
Token: 36	1712	wmic.exe
Token: SeIncreaseQuotaPrivilege	1160	WMIC.exe
Token: SeSecurityPrivilege	1160	WMIC.exe
Token: SeTakeOwnershipPrivilege	1160	WMIC.exe
Token: SeLoadDriverPrivilege	1160	WMIC.exe
Token: SeSystemProfilePrivilege	1160	WMIC.exe
Token: SeSystemtimePrivilege	1160	WMIC.exe
Token: SeProfSingleProcessPrivilege	1160	WMIC.exe
Token: SeIncBasePriorityPrivilege	1160	WMIC.exe
Token: SeCreatePagefilePrivilege	1160	WMIC.exe
Token: SeBackupPrivilege	1160	WMIC.exe
Token: SeRestorePrivilege	1160	WMIC.exe
Token: SeShutdownPrivilege	1160	WMIC.exe
Token: SeDebugPrivilege	1160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1160	WMIC.exe
Token: SeRemoteShutdownPrivilege	1160	WMIC.exe
Token: SeUndockPrivilege	1160	WMIC.exe
Token: SeManageVolumePrivilege	1160	WMIC.exe
Token: 33	1160	WMIC.exe
Token: 34	1160	WMIC.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.execmd.execmd.exe

description	pid	process	target process
PID 2952 wrote to memory of 3392	2952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2952 wrote to memory of 3392	2952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2952 wrote to memory of 3392	2952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 3392 wrote to memory of 332	3392	voiceadequovl.exe	voiceadequovl.exe
PID 3392 wrote to memory of 332	3392	voiceadequovl.exe	voiceadequovl.exe
PID 3392 wrote to memory of 332	3392	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 5068	332	voiceadequovl.exe	powershell.exe
PID 332 wrote to memory of 5068	332	voiceadequovl.exe	powershell.exe
PID 332 wrote to memory of 5068	332	voiceadequovl.exe	powershell.exe
PID 332 wrote to memory of 3988	332	voiceadequovl.exe	cmd.exe
PID 332 wrote to memory of 3988	332	voiceadequovl.exe	cmd.exe
PID 332 wrote to memory of 3988	332	voiceadequovl.exe	cmd.exe
PID 3988 wrote to memory of 656	3988	cmd.exe	powershell.exe
PID 3988 wrote to memory of 656	3988	cmd.exe	powershell.exe
PID 3988 wrote to memory of 656	3988	cmd.exe	powershell.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 332 wrote to memory of 2356	332	voiceadequovl.exe	voiceadequovl.exe
PID 2356 wrote to memory of 1712	2356	voiceadequovl.exe	wmic.exe
PID 2356 wrote to memory of 1712	2356	voiceadequovl.exe	wmic.exe
PID 2356 wrote to memory of 1712	2356	voiceadequovl.exe	wmic.exe
PID 2356 wrote to memory of 4672	2356	voiceadequovl.exe	cmd.exe
PID 2356 wrote to memory of 4672	2356	voiceadequovl.exe	cmd.exe
PID 2356 wrote to memory of 4672	2356	voiceadequovl.exe	cmd.exe
PID 4672 wrote to memory of 1160	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 1160	4672	cmd.exe	WMIC.exe
PID 4672 wrote to memory of 1160	4672	cmd.exe	WMIC.exe
PID 2356 wrote to memory of 1556	2356	voiceadequovl.exe	cmd.exe
PID 2356 wrote to memory of 1556	2356	voiceadequovl.exe	cmd.exe
PID 2356 wrote to memory of 1556	2356	voiceadequovl.exe	cmd.exe
PID 1556 wrote to memory of 3532	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 3532	1556	cmd.exe	WMIC.exe
PID 1556 wrote to memory of 3532	1556	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3392

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:3532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
02cba24eccfb70e066c56c36256bd745

SHA1
463a35f200c5542c164f8d3ccfffa559e2b635ba

SHA256
d3d4993949d0dfe4d6a4b77a9529cb2de52f0781787f7ed11fd4ee81e86567f0

SHA512
ee97eca912feed2f065b8c0f038297a58e6fda7b55869b4e7b9a6b8e476e2df7adf1f47e440fb966c5c74763fd98eea70f4d256b94394f4ad656b836f45a8aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
310.6MB

MD5
29fcdcd25910e727ae875cdc3c08c3de

SHA1
5bd0efaec8d9550b45cbae84f7e429412de6c3a1

SHA256
db1fbc37eaea21864e4a9bbb25e6024c40b6fd71cdd644238ab6b4342d82c17b

SHA512
65eb0658ec76a8d2d14042e6a81b1dddad5da57b7f2cea7b58fe24afc51d65a962a789b7f777ab6fb7af3618aef5b227509f20b36d24a8d9895d9b05fcb61360

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
321.1MB

MD5
57f0ac0e1398fedad90aa92235eadec3

SHA1
75f963bec845d986f7a35249a67e9181604e0369

SHA256
2af94064d166d5136e7261c77d87c5c5a0302a5e5635ac75bf9ea72c31080f52

SHA512
0de78dbb555c2567c1ffa4cc6463b3f25f9dc7a1da8724311c3d52cb3f5d732fa1f97224d2b0f31c5b5a18798012dcc7b96c87a82e4f8f989feb9329ac8ccb99

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
288.3MB

MD5
6eb3fa6117ffcab2a87558a173181d52

SHA1
026e112a66c32c48ebbb97879235c24e6c277961

SHA256
23d19f88c43ee8d7372a592c5ddadff894d985963e3cc027ba36d36c01218b9a

SHA512
5cb02bd2ef9abc1acecebb2f44b26657722c31198f7da322e235fd697cdb5ffd1e80ff3d6ae5ad51c8ebf71c181729614775f66d6b70ea48181ace50ab58666e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
301.7MB

MD5
b200607d742414e70594299b5a012e96

SHA1
3891472758333132c3ba940043bd623162d6649d

SHA256
38204848a4492eb986c6b4641228fd9a4bb6d602b070b03a7d4ce57d6b8c8cdf

SHA512
70a71aef5c22c89d5765e4c244ccf7b1344a06cd6e9c6d53dc2dd9e397eea8afcdcb2ae521e86b2345dc865aa82845b41b285acf20a5eb342f50f02970882bc7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
135.6MB

MD5
62188fc7d2ed4b3dbbf10bb5e0bf605b

SHA1
f2bebe340d6f17b62b51f32dfbde72286d90dc9d

SHA256
7d6a5fbe4eea7d68cf6dcbe5bc79e1520c7274e0ed225dba9799508f4b8ebed9

SHA512
3ebc4b8b76f51482974b5a885291bb52fd314faaa865d0289b233b65ca7718948dc84d8315c17692351bda265c8686c8970e144f8184e87a08a083d0c2cc656b

Download Submit
memory/332-135-0x0000000000000000-mapping.dmp

Download
memory/332-138-0x00000000008D0000-0x0000000001044000-memory.dmp

Filesize
7.5MB

Download
memory/332-139-0x0000000006E60000-0x0000000006E82000-memory.dmp

Filesize
136KB

Download
memory/656-169-0x0000000005B50000-0x0000000005B5E000-memory.dmp

Filesize
56KB

Download
memory/656-165-0x00000000072B0000-0x0000000007346000-memory.dmp

Filesize
600KB

Download
memory/656-163-0x0000000007070000-0x000000000707A000-memory.dmp

Filesize
40KB

Download
memory/656-160-0x0000000075B10000-0x0000000075B5C000-memory.dmp

Filesize
304KB

Download
memory/656-149-0x0000000000000000-mapping.dmp

Download
memory/656-161-0x0000000006290000-0x00000000062AE000-memory.dmp

Filesize
120KB

Download
memory/656-159-0x0000000006CB0000-0x0000000006CE2000-memory.dmp

Filesize
200KB

Download
memory/656-170-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/656-171-0x00000000071F0000-0x00000000071F8000-memory.dmp

Filesize
32KB

Download
memory/1160-166-0x0000000000000000-mapping.dmp

Download
memory/1556-167-0x0000000000000000-mapping.dmp

Download
memory/1712-162-0x0000000000000000-mapping.dmp

Download
memory/2356-152-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2356-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2356-155-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2356-151-0x0000000000000000-mapping.dmp

Download
memory/2356-172-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/3392-132-0x0000000000000000-mapping.dmp

Download
memory/3532-168-0x0000000000000000-mapping.dmp

Download
memory/3988-148-0x0000000000000000-mapping.dmp

Download
memory/4672-164-0x0000000000000000-mapping.dmp

Download
memory/5068-145-0x0000000005080000-0x000000000509E000-memory.dmp

Filesize
120KB

Download
memory/5068-144-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/5068-143-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/5068-146-0x0000000007990000-0x000000000800A000-memory.dmp

Filesize
6.5MB

Download
memory/5068-142-0x0000000005580000-0x0000000005BA8000-memory.dmp

Filesize
6.2MB

Download
memory/5068-141-0x0000000002D50000-0x0000000002D86000-memory.dmp

Filesize
216KB

Download
memory/5068-140-0x0000000000000000-mapping.dmp

Download
memory/5068-147-0x0000000006830000-0x000000000684A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads