Aurora — Technical Analysis (Windows)
ID: 4424f6ce-3cca-4951-be2a-d022fba6fdf9
STIX ID: report--4424f6ce-3cca-4951-be2a-d022fba6fdf9
Threat Score: 75/100
This report is a full technical teardown of the Aurora ransomware Windows x64 sample. It covers sample hashes, static and import analysis, thread architecture, per-file ChaCha20 encryption with RSA-4096 key wrapping, intermittent and resume-safe chunking, SMB share enumeration, privilege escalation (SeBackup/SeRestore with a SeTakeOwnership fallback), shadow-copy deletion via cmd shell-outs, and IOCs (hashes, Tor payment onion address, ransom note filename, and a unique footer magic value). The binary contains no network exfiltration code, but the ransom note claims data theft; the combination of aggressive file scope, ACL rewriting, and resume-safe operation makes recovery difficult and poses a high operational risk to infected environments.
