aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
114s
max time network
156s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/844-66-0x0000000006460000-0x0000000006800000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1432 voiceadequovl.exe
844 voiceadequovl.exe
1704 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1432 voiceadequovl.exe
1432 voiceadequovl.exe
1432 voiceadequovl.exe
1432 voiceadequovl.exe

pid	process
1432	voiceadequovl.exe
844	voiceadequovl.exe
1704	voiceadequovl.exe

pid	process
1432	voiceadequovl.exe
1432	voiceadequovl.exe
1432	voiceadequovl.exe
1432	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 844 set thread context of 1704 844 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1476 powershell.exe
1012 powershell.exe

description	pid	process	target process
PID 844 set thread context of 1704	844	voiceadequovl.exe	voiceadequovl.exe

pid	process
1476	powershell.exe
1012	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	844	voiceadequovl.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeIncreaseQuotaPrivilege	812	wmic.exe
Token: SeSecurityPrivilege	812	wmic.exe
Token: SeTakeOwnershipPrivilege	812	wmic.exe
Token: SeLoadDriverPrivilege	812	wmic.exe
Token: SeSystemProfilePrivilege	812	wmic.exe
Token: SeSystemtimePrivilege	812	wmic.exe
Token: SeProfSingleProcessPrivilege	812	wmic.exe
Token: SeIncBasePriorityPrivilege	812	wmic.exe
Token: SeCreatePagefilePrivilege	812	wmic.exe
Token: SeBackupPrivilege	812	wmic.exe
Token: SeRestorePrivilege	812	wmic.exe
Token: SeShutdownPrivilege	812	wmic.exe
Token: SeDebugPrivilege	812	wmic.exe
Token: SeSystemEnvironmentPrivilege	812	wmic.exe
Token: SeRemoteShutdownPrivilege	812	wmic.exe
Token: SeUndockPrivilege	812	wmic.exe
Token: SeManageVolumePrivilege	812	wmic.exe
Token: 33	812	wmic.exe
Token: 34	812	wmic.exe
Token: 35	812	wmic.exe
Token: SeIncreaseQuotaPrivilege	812	wmic.exe
Token: SeSecurityPrivilege	812	wmic.exe
Token: SeTakeOwnershipPrivilege	812	wmic.exe
Token: SeLoadDriverPrivilege	812	wmic.exe
Token: SeSystemProfilePrivilege	812	wmic.exe
Token: SeSystemtimePrivilege	812	wmic.exe
Token: SeProfSingleProcessPrivilege	812	wmic.exe
Token: SeIncBasePriorityPrivilege	812	wmic.exe
Token: SeCreatePagefilePrivilege	812	wmic.exe
Token: SeBackupPrivilege	812	wmic.exe
Token: SeRestorePrivilege	812	wmic.exe
Token: SeShutdownPrivilege	812	wmic.exe
Token: SeDebugPrivilege	812	wmic.exe
Token: SeSystemEnvironmentPrivilege	812	wmic.exe
Token: SeRemoteShutdownPrivilege	812	wmic.exe
Token: SeUndockPrivilege	812	wmic.exe
Token: SeManageVolumePrivilege	812	wmic.exe
Token: 33	812	wmic.exe
Token: 34	812	wmic.exe
Token: 35	812	wmic.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exevoiceadequovl.exe

description	pid	process	target process
PID 1792 wrote to memory of 1432	1792	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1792 wrote to memory of 1432	1792	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1792 wrote to memory of 1432	1792	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1792 wrote to memory of 1432	1792	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1432 wrote to memory of 844	1432	voiceadequovl.exe	voiceadequovl.exe
PID 1432 wrote to memory of 844	1432	voiceadequovl.exe	voiceadequovl.exe
PID 1432 wrote to memory of 844	1432	voiceadequovl.exe	voiceadequovl.exe
PID 1432 wrote to memory of 844	1432	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1476	844	voiceadequovl.exe	powershell.exe
PID 844 wrote to memory of 1476	844	voiceadequovl.exe	powershell.exe
PID 844 wrote to memory of 1476	844	voiceadequovl.exe	powershell.exe
PID 844 wrote to memory of 1476	844	voiceadequovl.exe	powershell.exe
PID 844 wrote to memory of 872	844	voiceadequovl.exe	cmd.exe
PID 844 wrote to memory of 872	844	voiceadequovl.exe	cmd.exe
PID 844 wrote to memory of 872	844	voiceadequovl.exe	cmd.exe
PID 844 wrote to memory of 872	844	voiceadequovl.exe	cmd.exe
PID 872 wrote to memory of 1012	872	cmd.exe	powershell.exe
PID 872 wrote to memory of 1012	872	cmd.exe	powershell.exe
PID 872 wrote to memory of 1012	872	cmd.exe	powershell.exe
PID 872 wrote to memory of 1012	872	cmd.exe	powershell.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1704	844	voiceadequovl.exe	voiceadequovl.exe
PID 1704 wrote to memory of 812	1704	voiceadequovl.exe	wmic.exe
PID 1704 wrote to memory of 812	1704	voiceadequovl.exe	wmic.exe
PID 1704 wrote to memory of 812	1704	voiceadequovl.exe	wmic.exe
PID 1704 wrote to memory of 812	1704	voiceadequovl.exe	wmic.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:608

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:336

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
df5b8bb1bbb97a60b1e68d2122f61f33

SHA1
1853e1bd23611e341b9295d578f2d2ab7dcadc2d

SHA256
f7872c5495856b9fcfdd577e06d04d9fb3cf4ecbd538f8a4e5ee045ed91c6062

SHA512
673ad195cc86fc5cd9f726925bad48b770a14a0ace55ab36f3d2de6f38ce778e220ac815fafa14cdb44538ee96cef94d543da98e7bc27431bb1ee44df818aca6

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
263.4MB

MD5
c26c1b256f0c886deb8bf4dc16c037bc

SHA1
8035226c9e66de18b136945d5e0e7df8f24febbb

SHA256
ee4e4285238f761eacb5905ef1a4d621bcef5baf33c92234a763db4ab78a22cd

SHA512
bd49034b601eed72882a8b5342db8af1be85c2714acb9a3af40167c27914f13e2181f5ed4eeaaa5b44950d436cd8d37947242615a6803f340b2650be5fc25ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
266.6MB

MD5
67facaca45c9360c98d1dffdb30dcce3

SHA1
79067980293e9c5d345a857c8b30b7487a3c5030

SHA256
dd2053cee41a295ed3f32d66c84307291e092fb7c736413be4f50f8b9520cc1f

SHA512
b474089a76587bbe64e76a6f429fbfc96b94dcdf0c505b53fc91dfe70dba0cdf1e9070b33cc5fd8cec7dcac7a7370e2641063bb38ef244c54670fe0aede4fd76

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
118.4MB

MD5
0a23b4ee6441468c80ce052882ec4252

SHA1
e4236b36e5053f3b3f19f3a2465a287dbd73129d

SHA256
4e8e8b5310babe2f64ed537edb9da38020af3432154a954922525bea2fce43d8

SHA512
7f86951ffe70cee083c042bc41c0c69d65f9e0d4617960b9fd68b368b79cea98a6b7bbefc7b79ab7cd4aa3b3233b624742f3e3c2d0a3e947f0daf7b068f14947

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
265.8MB

MD5
3eb7eb351b6a9cdd68ba6d2afaf31295

SHA1
2f2fb4da1f06bace90b435019da9811cbc8cc71c

SHA256
c58f2acdae34b4827f91e8ea31bded8bb13cc93ed59a26a3f1ac8999a6b2be2d

SHA512
3b4e7a091baa7d25399ed5b2c3e72ba79c9c11fd9d9e831c703cc2f2e58d647019b7e0ba31d3255ea97d360d970c3db403e30617f199a1010297ec026d0d411b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
265.2MB

MD5
76bff958d8297a99ec1a78217477da42

SHA1
4e1e0b394b08bdd905b7ab594f5f63651128657b

SHA256
8a3a1fe0dc57521b9696126708a99132837f0eeda47f23f9ea7c4f485d1a4483

SHA512
b6432c6671ef86375a981f16a3a398bf1aabb04a7e1c725fddd77acb644a0637f67bf4c91dc70a1e0a6388d4660bfeb827118fc3ab6aa23423e4155d64b28415

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
258.9MB

MD5
64d7c1c3b58492311446c15b9d5e979e

SHA1
cfd1b1ddb49159d073ef204c4b3ab402f6f23472

SHA256
15f1949df5aed468ae63c5e53fde356f75a2927801f7760f820e8e4898ecdba4

SHA512
2d35a50b38102f3de62cc5e79a2adad867c97e2956d7c47f63e13fb7461c84dafc72dbddc7465d4a50cd8f30fa21ff4963911a5939da468a0853febb3454ac41

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
261.1MB

MD5
830aed7062a4fc8cc82db090aeb8e58c

SHA1
2fcc23a6b89739989cacfd064dce6c08bc3e7fda

SHA256
c6dc34be88d041bb56bdc3229bb3d3286f62fc8fca6cf351599a31c3fcad57f2

SHA512
3dad4e972e55563e50311c756a0eee6e8c0fc1478dc0d3c89ec62315da9e3100013d857b1cb3bdaca272d7e1b4f0073ddd6c83c4576d4854900c531c27275de2

Download Submit
memory/336-99-0x0000000000000000-mapping.dmp

Download
memory/608-97-0x0000000000000000-mapping.dmp

Download
memory/812-95-0x0000000000000000-mapping.dmp

Download
memory/844-62-0x0000000000000000-mapping.dmp

Download
memory/844-66-0x0000000006460000-0x0000000006800000-memory.dmp

Filesize
3.6MB

Download
memory/844-65-0x0000000000F10000-0x0000000001684000-memory.dmp

Filesize
7.5MB

Download
memory/844-73-0x00000000053F0000-0x0000000005562000-memory.dmp

Filesize
1.4MB

Download
memory/872-72-0x0000000000000000-mapping.dmp

Download
memory/1012-96-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1012-74-0x0000000000000000-mapping.dmp

Download
memory/1012-85-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1220-100-0x0000000000000000-mapping.dmp

Download
memory/1432-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1432-54-0x0000000000000000-mapping.dmp

Download
memory/1476-69-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-71-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-67-0x0000000000000000-mapping.dmp

Download
memory/1476-70-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/1704-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-90-0x0000000000464C20-mapping.dmp

Download
memory/1704-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1704-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-98-0x0000000000000000-mapping.dmp

Download