aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
72s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2023 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	voiceadequovl.exe

Executes dropped EXE 4 IoCs

pid	Process
1992	voiceadequovl.exe
4972	voiceadequovl.exe
60	voiceadequovl.exe
4288	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4972 set thread context of 4288	4972	voiceadequovl.exe	96

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4068	powershell.exe
4068	powershell.exe
4972	voiceadequovl.exe
4972	voiceadequovl.exe
4492	powershell.exe
4492	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	voiceadequovl.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: 33	1568	wmic.exe
Token: 34	1568	wmic.exe
Token: 35	1568	wmic.exe
Token: 36	1568	wmic.exe
Token: SeIncreaseQuotaPrivilege	1568	wmic.exe
Token: SeSecurityPrivilege	1568	wmic.exe
Token: SeTakeOwnershipPrivilege	1568	wmic.exe
Token: SeLoadDriverPrivilege	1568	wmic.exe
Token: SeSystemProfilePrivilege	1568	wmic.exe
Token: SeSystemtimePrivilege	1568	wmic.exe
Token: SeProfSingleProcessPrivilege	1568	wmic.exe
Token: SeIncBasePriorityPrivilege	1568	wmic.exe
Token: SeCreatePagefilePrivilege	1568	wmic.exe
Token: SeBackupPrivilege	1568	wmic.exe
Token: SeRestorePrivilege	1568	wmic.exe
Token: SeShutdownPrivilege	1568	wmic.exe
Token: SeDebugPrivilege	1568	wmic.exe
Token: SeSystemEnvironmentPrivilege	1568	wmic.exe
Token: SeRemoteShutdownPrivilege	1568	wmic.exe
Token: SeUndockPrivilege	1568	wmic.exe
Token: SeManageVolumePrivilege	1568	wmic.exe
Token: 33	1568	wmic.exe
Token: 34	1568	wmic.exe
Token: 35	1568	wmic.exe
Token: 36	1568	wmic.exe
Token: SeIncreaseQuotaPrivilege	4536	WMIC.exe
Token: SeSecurityPrivilege	4536	WMIC.exe
Token: SeTakeOwnershipPrivilege	4536	WMIC.exe
Token: SeLoadDriverPrivilege	4536	WMIC.exe
Token: SeSystemProfilePrivilege	4536	WMIC.exe
Token: SeSystemtimePrivilege	4536	WMIC.exe
Token: SeProfSingleProcessPrivilege	4536	WMIC.exe
Token: SeIncBasePriorityPrivilege	4536	WMIC.exe
Token: SeCreatePagefilePrivilege	4536	WMIC.exe
Token: SeBackupPrivilege	4536	WMIC.exe
Token: SeRestorePrivilege	4536	WMIC.exe
Token: SeShutdownPrivilege	4536	WMIC.exe
Token: SeDebugPrivilege	4536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4536	WMIC.exe
Token: SeRemoteShutdownPrivilege	4536	WMIC.exe
Token: SeUndockPrivilege	4536	WMIC.exe
Token: SeManageVolumePrivilege	4536	WMIC.exe
Token: 33	4536	WMIC.exe
Token: 34	4536	WMIC.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 1992	2016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	79
PID 2016 wrote to memory of 1992	2016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	79
PID 2016 wrote to memory of 1992	2016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	79
PID 1992 wrote to memory of 4972	1992	voiceadequovl.exe	80
PID 1992 wrote to memory of 4972	1992	voiceadequovl.exe	80
PID 1992 wrote to memory of 4972	1992	voiceadequovl.exe	80
PID 4972 wrote to memory of 4068	4972	voiceadequovl.exe	82
PID 4972 wrote to memory of 4068	4972	voiceadequovl.exe	82
PID 4972 wrote to memory of 4068	4972	voiceadequovl.exe	82
PID 4972 wrote to memory of 1880	4972	voiceadequovl.exe	92
PID 4972 wrote to memory of 1880	4972	voiceadequovl.exe	92
PID 4972 wrote to memory of 1880	4972	voiceadequovl.exe	92
PID 1880 wrote to memory of 4492	1880	cmd.exe	94
PID 1880 wrote to memory of 4492	1880	cmd.exe	94
PID 1880 wrote to memory of 4492	1880	cmd.exe	94
PID 4972 wrote to memory of 60	4972	voiceadequovl.exe	95
PID 4972 wrote to memory of 60	4972	voiceadequovl.exe	95
PID 4972 wrote to memory of 60	4972	voiceadequovl.exe	95
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4972 wrote to memory of 4288	4972	voiceadequovl.exe	96
PID 4288 wrote to memory of 1568	4288	voiceadequovl.exe	97
PID 4288 wrote to memory of 1568	4288	voiceadequovl.exe	97
PID 4288 wrote to memory of 1568	4288	voiceadequovl.exe	97
PID 4288 wrote to memory of 4828	4288	voiceadequovl.exe	100
PID 4288 wrote to memory of 4828	4288	voiceadequovl.exe	100
PID 4288 wrote to memory of 4828	4288	voiceadequovl.exe	100
PID 4828 wrote to memory of 4536	4828	cmd.exe	101
PID 4828 wrote to memory of 4536	4828	cmd.exe	101
PID 4828 wrote to memory of 4536	4828	cmd.exe	101
PID 4288 wrote to memory of 3592	4288	voiceadequovl.exe	102
PID 4288 wrote to memory of 3592	4288	voiceadequovl.exe	102
PID 4288 wrote to memory of 3592	4288	voiceadequovl.exe	102
PID 3592 wrote to memory of 2268	3592	cmd.exe	104
PID 3592 wrote to memory of 2268	3592	cmd.exe	104
PID 3592 wrote to memory of 2268	3592	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4068
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4492
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:60
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3592
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:2268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
40bf0736bce232ab3e168ea9704c3558

SHA1
a83d5d1d8514abceb2ce3418b494074e9fcda23c

SHA256
7064903d60b825182e89001415ba4316cf5281c97172fcc6d3940c3cd21bf27e

SHA512
96d2e3a764db2175857738c2a4cf5bb7fd37d751b1caf870a83a64825cb53ab16c22311ab1bcf6729454effa893a49aeb3948092762f87c06b471ddabf02ce49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
303.0MB

MD5
48ee5edb2974c06fc5af235bdeb3e489

SHA1
8b82d81923d52c76c1220362bed120869c83c656

SHA256
6eecacad82f8a407b4fb022dfe47cbae13c9a630983e4eaf4d5cd51b229e1c00

SHA512
b154a1f63431eb6f21139c19949a3add75ec8a65cc055f24459dad41800326befc5d695cb8d196931abde39d881d2b3e4ba4a6add33e32f2c4f90d6e35256420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
279.8MB

MD5
4e7429276e461a79828d1eca7a8e04a8

SHA1
7cbfd956bc215ef14115401411e6be1e5620354a

SHA256
77dac723396b234cf38d6327b41552cdbd1a51d81ca93c21e49ad56db09b925b

SHA512
74aec0826d5625d94e14ac124b78059b0174ebf3f976eeb6e14fb377b234e4ef7369a945a04e726f143943aaebd44b9584a6d6493e7fa48bc4ded077117b2214

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
284.9MB

MD5
b46be1bb891854dd4bef806200aac21f

SHA1
79253ff265da78c7e770e530762c46d841a75968

SHA256
cb79d6d81178f9a696d63d52ee99d2a9d46c6a6374f22be240d8b196f081d990

SHA512
ea7afb4accf9d80128f0b3af06cb6c0f1cc065729b90af33422c2cc37623c31d291a2e68dbd35c218382fc329ed4d39e7bf0ccc1e8461d6ecf80c5948e1332cb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
280.9MB

MD5
305c639ae8068a7d8aac08a90fe4f461

SHA1
aebab3115e65be9134675a895cd76b42c6fe3e8c

SHA256
5d56239178be45cf5592323699eae8e6c3088f77a38d50de81e22bbe6166e8cc

SHA512
aac888f7bfa424a8fff1fdc0286555df2bdd45d92dfcb5a35b9fe17b4988bd2a874fe1ce357e343c20be090f5dd89e10ecbacdfdc71e531357b7d17d54cea54d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
185.9MB

MD5
80784bd74def26e6b0d44fd47ce8bbf1

SHA1
0ef46b873e04476daed1230a5792e3332f40dedc

SHA256
83764093bfacca6d868fe73f2df968d61ffa3800ada9d9c004c6624bedd65895

SHA512
4ecf4eabd735d0af25d7783a4c1ce71f228cde0f40b910d82369c547d7ffea35882348d45489c28feecc0389a662bf47cf932990ce6e9507cfa1ccbfe0da159b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
188.1MB

MD5
422543257d3fad82e38d8a6e5aeb9045

SHA1
1da98e6eb03cbd88ce86939ae3f24c1b0b9d8376

SHA256
1c53643537a39d8ac5143c9e8bc2e1cee3489faf8c82bb60c4baf3413a35b00e

SHA512
16deedbf02cc3665de6c4d5712ea2efc85c2b3b16b6b4ed3f77a1a7fb11d9342b31ccd12b1e22a6ecb1d464dfb33146e8b007af218e28cc16693f1c584793bfe

Download Submit
memory/4068-142-0x0000000004D10000-0x0000000005338000-memory.dmp

Filesize
6.2MB

Download
memory/4068-143-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/4068-147-0x0000000005FE0000-0x0000000005FFA000-memory.dmp

Filesize
104KB

Download
memory/4068-146-0x0000000007140000-0x00000000077BA000-memory.dmp

Filesize
6.5MB

Download
memory/4068-145-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/4068-144-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/4068-141-0x0000000004540000-0x0000000004576000-memory.dmp

Filesize
216KB

Download
memory/4288-159-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4288-174-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4288-154-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4288-157-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4288-175-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/4492-162-0x0000000007300000-0x0000000007332000-memory.dmp

Filesize
200KB

Download
memory/4492-163-0x00000000737E0000-0x000000007382C000-memory.dmp

Filesize
304KB

Download
memory/4492-164-0x00000000072C0000-0x00000000072DE000-memory.dmp

Filesize
120KB

Download
memory/4492-165-0x0000000007720000-0x000000000772A000-memory.dmp

Filesize
40KB

Download
memory/4492-171-0x00000000076F0000-0x00000000076FE000-memory.dmp

Filesize
56KB

Download
memory/4492-168-0x0000000007910000-0x00000000079A6000-memory.dmp

Filesize
600KB

Download
memory/4492-173-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/4492-172-0x00000000078C0000-0x00000000078DA000-memory.dmp

Filesize
104KB

Download
memory/4972-138-0x0000000000360000-0x0000000000AD4000-memory.dmp

Filesize
7.5MB

Download
memory/4972-139-0x0000000006A20000-0x0000000006A42000-memory.dmp

Filesize
136KB

Download