aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1744-66-0x00000000063C0000-0x0000000006760000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 4 IoCs

pid	Process
1136	voiceadequovl.exe
1744	voiceadequovl.exe
1512	voiceadequovl.exe
1852	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1136	voiceadequovl.exe
1136	voiceadequovl.exe
1136	voiceadequovl.exe
1136	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1852	1744	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
908	powershell.exe
1816	powershell.exe
1744	voiceadequovl.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	voiceadequovl.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeIncreaseQuotaPrivilege	1896	wmic.exe
Token: SeSecurityPrivilege	1896	wmic.exe
Token: SeTakeOwnershipPrivilege	1896	wmic.exe
Token: SeLoadDriverPrivilege	1896	wmic.exe
Token: SeSystemProfilePrivilege	1896	wmic.exe
Token: SeSystemtimePrivilege	1896	wmic.exe
Token: SeProfSingleProcessPrivilege	1896	wmic.exe
Token: SeIncBasePriorityPrivilege	1896	wmic.exe
Token: SeCreatePagefilePrivilege	1896	wmic.exe
Token: SeBackupPrivilege	1896	wmic.exe
Token: SeRestorePrivilege	1896	wmic.exe
Token: SeShutdownPrivilege	1896	wmic.exe
Token: SeDebugPrivilege	1896	wmic.exe
Token: SeSystemEnvironmentPrivilege	1896	wmic.exe
Token: SeRemoteShutdownPrivilege	1896	wmic.exe
Token: SeUndockPrivilege	1896	wmic.exe
Token: SeManageVolumePrivilege	1896	wmic.exe
Token: 33	1896	wmic.exe
Token: 34	1896	wmic.exe
Token: 35	1896	wmic.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 1136	1112	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1112 wrote to memory of 1136	1112	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1112 wrote to memory of 1136	1112	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1112 wrote to memory of 1136	1112	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1136 wrote to memory of 1744	1136	voiceadequovl.exe	28
PID 1136 wrote to memory of 1744	1136	voiceadequovl.exe	28
PID 1136 wrote to memory of 1744	1136	voiceadequovl.exe	28
PID 1136 wrote to memory of 1744	1136	voiceadequovl.exe	28
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	29
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	29
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	29
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	29
PID 1744 wrote to memory of 852	1744	voiceadequovl.exe	31
PID 1744 wrote to memory of 852	1744	voiceadequovl.exe	31
PID 1744 wrote to memory of 852	1744	voiceadequovl.exe	31
PID 1744 wrote to memory of 852	1744	voiceadequovl.exe	31
PID 852 wrote to memory of 1816	852	cmd.exe	33
PID 852 wrote to memory of 1816	852	cmd.exe	33
PID 852 wrote to memory of 1816	852	cmd.exe	33
PID 852 wrote to memory of 1816	852	cmd.exe	33
PID 1744 wrote to memory of 1512	1744	voiceadequovl.exe	35
PID 1744 wrote to memory of 1512	1744	voiceadequovl.exe	35
PID 1744 wrote to memory of 1512	1744	voiceadequovl.exe	35
PID 1744 wrote to memory of 1512	1744	voiceadequovl.exe	35
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1744 wrote to memory of 1852	1744	voiceadequovl.exe	34
PID 1852 wrote to memory of 1896	1852	voiceadequovl.exe	36
PID 1852 wrote to memory of 1896	1852	voiceadequovl.exe	36
PID 1852 wrote to memory of 1896	1852	voiceadequovl.exe	36
PID 1852 wrote to memory of 1896	1852	voiceadequovl.exe	36

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1556
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:1608
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1784
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1120
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fcc40303d95b33e29f5cc5dcfd8b071f

SHA1
0d28d8a77cf8339dd84d91ddad647fd26031765b

SHA256
05dbeb008dc177cae2e95baccc3e5d3e4573cac2dffa6e61274bc842713e9d12

SHA512
eaa57b8ce0d688b60dd567176d3a88a1ee0932507059b0565113299ca45a7b566f62d588529f360e44a44a2e46de854dfbc9bb64992ec8f23c9f6384161f297b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
154.4MB

MD5
2e35846dfe535694ca21b36e28cd0ed9

SHA1
16f0c049285b4c81a570b6b73f368fadaefeef31

SHA256
fe00491cec5f5c9408aa67fe89db71b64fc63188d6bde554fafd5b95efd973a5

SHA512
1295a936ea509afdb52678c88a389c0f8c284f6dd64a716fc66ef1a33dbfdac14545ed2a2e52634c6a84e1874036bdddaf0513b0a399e4d66b0f6275a219bff6

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
168.1MB

MD5
b592c5dbb7bae9677245af553181dd18

SHA1
f5c816fac6d8d57bd74fea0530e75ab019b3feb8

SHA256
293858254224902e7e996d6ab571041163b1f8a68832aae0954dd7fa3f475705

SHA512
f1f0fdbd73e05fb91134c11aa2a2408ac8737a8a1df90aab130dbff8a38286fe3cf793466842ba4e2869f54995a8ef43cda70b9bc3442f4a54ca0556ae95ae6f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
42.7MB

MD5
3ce49b9e57e19c5850363acb2812bfc6

SHA1
c4a8efee2206dba1e8cc2bdcb01cbcc648cbf85d

SHA256
382d88e1744ee248d24d167ec1e3918abb423f4a3c0f5e93c4b9682f5e69861a

SHA512
9f60890f1614a61cd9ee8eeb7303254bcacda6602e48bc596abb1fb31322b05bb9fa7e63ab7343bed43563a1c86a89a0fd71c445dff052b0ad6b27153626f131

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
41.8MB

MD5
875f9777ef6f21ce0432db270cae75cb

SHA1
179660d4158ef5f6bd9e21fc4f733de8758b397b

SHA256
9868f0e25daa0565aa910cf5a7735d3dc884a9624b45d089a6c57f502201836e

SHA512
58386019f54e282f0dcb4bd20669042e9b7d23b1b79963c01506d4c53b55867ee488ce026e83f8f4cff074342b3c89508bf12ee2d52b27fca240cc4edff787f9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
172.6MB

MD5
c22e91c873681df0bde1d13fc092c0e5

SHA1
61e57023eab8595fb8b5c7013ed583101cd65e74

SHA256
8faf0d09941410ec30239f82c30ce6017dd802e14d6301d4034bb81907c41f00

SHA512
0482fe0bb8b5b204e1e390d84dd9fc809669a20f7ac1910c1770038a882ad60d7895202db2396627a56269e96eb45fff862143692722d2b4f587d2a604e925e2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
176.5MB

MD5
17f1438d281f993ac63b919d494eb6e1

SHA1
b80c82129c45d3074c5db2a3a430f806a0cce094

SHA256
b35f6ca9d9d4a2728a6649fe23a94340587baaf57302d758ab299a3e5615a9ee

SHA512
e89ffe83d1c383c3585afa54306cbf034bca939d082645d387e273d2b46ff8e4bb66efc9fe62fea88adedfb667023407944c21f0ca3381ca6cfcbb94997b5bbb

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
169.3MB

MD5
b00fb80485b3cfe9b5d0c0ff60e71aac

SHA1
db4794cd0ee67f1a38c1692456ed9b9207fc5d3d

SHA256
f63510b55e94746bcf7f6a8e252e82f804c09cd89c675f5e4ecaf79b9a273c6e

SHA512
91d731a9befc67a6eca2367134fda11654ad42b49c2ae96a2cf9cd7686adb104a9babf47aa570b0f59b25245b40319288200ca580c48fe5c35bea969e410f607

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
174.6MB

MD5
96cfbc50fbfb1c7892877c21116763ec

SHA1
318bac30feb18dc96a98416a4ffb476b47be1210

SHA256
7a1f47908719a51d70279dffa2938e7a50d5a3b4ae9a1e881712e3cafe320498

SHA512
50e21ba46084a1bb6c0e4900c729bf591a769c42b1b321d1670ce660739d6567aef6cd2bec505ae1f3d3932ab99745ce5b92f4534b2c00089cb3581519de6cf6

Download Submit
memory/908-69-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/908-70-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/908-71-0x000000006F690000-0x000000006FC3B000-memory.dmp

Filesize
5.7MB

Download
memory/1136-56-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1744-74-0x0000000005370000-0x00000000054E2000-memory.dmp

Filesize
1.4MB

Download
memory/1744-66-0x00000000063C0000-0x0000000006760000-memory.dmp

Filesize
3.6MB

Download
memory/1744-65-0x0000000000DA0000-0x0000000001514000-memory.dmp

Filesize
7.5MB

Download
memory/1816-91-0x000000006F240000-0x000000006F7EB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-90-0x000000006F240000-0x000000006F7EB000-memory.dmp

Filesize
5.7MB

Download
memory/1852-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-102-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download