aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
131s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1780-66-0x00000000063B0000-0x0000000006750000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
876	voiceadequovl.exe
1780	voiceadequovl.exe
1520	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
876	voiceadequovl.exe
876	voiceadequovl.exe
876	voiceadequovl.exe
876	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1780 set thread context of 1520	1780	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1292	powershell.exe
1324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	voiceadequovl.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe
Token: SeIncreaseQuotaPrivilege	1216	wmic.exe
Token: SeSecurityPrivilege	1216	wmic.exe
Token: SeTakeOwnershipPrivilege	1216	wmic.exe
Token: SeLoadDriverPrivilege	1216	wmic.exe
Token: SeSystemProfilePrivilege	1216	wmic.exe
Token: SeSystemtimePrivilege	1216	wmic.exe
Token: SeProfSingleProcessPrivilege	1216	wmic.exe
Token: SeIncBasePriorityPrivilege	1216	wmic.exe
Token: SeCreatePagefilePrivilege	1216	wmic.exe
Token: SeBackupPrivilege	1216	wmic.exe
Token: SeRestorePrivilege	1216	wmic.exe
Token: SeShutdownPrivilege	1216	wmic.exe
Token: SeDebugPrivilege	1216	wmic.exe
Token: SeSystemEnvironmentPrivilege	1216	wmic.exe
Token: SeRemoteShutdownPrivilege	1216	wmic.exe
Token: SeUndockPrivilege	1216	wmic.exe
Token: SeManageVolumePrivilege	1216	wmic.exe
Token: 33	1216	wmic.exe
Token: 34	1216	wmic.exe
Token: 35	1216	wmic.exe
Token: SeIncreaseQuotaPrivilege	880	WMIC.exe
Token: SeSecurityPrivilege	880	WMIC.exe
Token: SeTakeOwnershipPrivilege	880	WMIC.exe
Token: SeLoadDriverPrivilege	880	WMIC.exe
Token: SeSystemProfilePrivilege	880	WMIC.exe
Token: SeSystemtimePrivilege	880	WMIC.exe
Token: SeProfSingleProcessPrivilege	880	WMIC.exe
Token: SeIncBasePriorityPrivilege	880	WMIC.exe
Token: SeCreatePagefilePrivilege	880	WMIC.exe
Token: SeBackupPrivilege	880	WMIC.exe
Token: SeRestorePrivilege	880	WMIC.exe
Token: SeShutdownPrivilege	880	WMIC.exe
Token: SeDebugPrivilege	880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	880	WMIC.exe
Token: SeRemoteShutdownPrivilege	880	WMIC.exe
Token: SeUndockPrivilege	880	WMIC.exe
Token: SeManageVolumePrivilege	880	WMIC.exe
Token: 33	880	WMIC.exe
Token: 34	880	WMIC.exe
Token: 35	880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	880	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 876	584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 584 wrote to memory of 876	584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 584 wrote to memory of 876	584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 584 wrote to memory of 876	584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 876 wrote to memory of 1780	876	voiceadequovl.exe	29
PID 876 wrote to memory of 1780	876	voiceadequovl.exe	29
PID 876 wrote to memory of 1780	876	voiceadequovl.exe	29
PID 876 wrote to memory of 1780	876	voiceadequovl.exe	29
PID 1780 wrote to memory of 1292	1780	voiceadequovl.exe	30
PID 1780 wrote to memory of 1292	1780	voiceadequovl.exe	30
PID 1780 wrote to memory of 1292	1780	voiceadequovl.exe	30
PID 1780 wrote to memory of 1292	1780	voiceadequovl.exe	30
PID 1780 wrote to memory of 300	1780	voiceadequovl.exe	32
PID 1780 wrote to memory of 300	1780	voiceadequovl.exe	32
PID 1780 wrote to memory of 300	1780	voiceadequovl.exe	32
PID 1780 wrote to memory of 300	1780	voiceadequovl.exe	32
PID 300 wrote to memory of 1324	300	cmd.exe	34
PID 300 wrote to memory of 1324	300	cmd.exe	34
PID 300 wrote to memory of 1324	300	cmd.exe	34
PID 300 wrote to memory of 1324	300	cmd.exe	34
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1780 wrote to memory of 1520	1780	voiceadequovl.exe	35
PID 1520 wrote to memory of 1216	1520	voiceadequovl.exe	36
PID 1520 wrote to memory of 1216	1520	voiceadequovl.exe	36
PID 1520 wrote to memory of 1216	1520	voiceadequovl.exe	36
PID 1520 wrote to memory of 1216	1520	voiceadequovl.exe	36
PID 1520 wrote to memory of 1904	1520	voiceadequovl.exe	39
PID 1520 wrote to memory of 1904	1520	voiceadequovl.exe	39
PID 1520 wrote to memory of 1904	1520	voiceadequovl.exe	39
PID 1520 wrote to memory of 1904	1520	voiceadequovl.exe	39
PID 1904 wrote to memory of 880	1904	cmd.exe	41
PID 1904 wrote to memory of 880	1904	cmd.exe	41
PID 1904 wrote to memory of 880	1904	cmd.exe	41
PID 1904 wrote to memory of 880	1904	cmd.exe	41
PID 1520 wrote to memory of 1668	1520	voiceadequovl.exe	42
PID 1520 wrote to memory of 1668	1520	voiceadequovl.exe	42
PID 1520 wrote to memory of 1668	1520	voiceadequovl.exe	42
PID 1520 wrote to memory of 1668	1520	voiceadequovl.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1292
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:300
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1668
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
317.4MB

MD5
500174a4b2a3fffbc90a75e48d2afbe1

SHA1
8d67ecedcb45a00e3da21fd59adedd6b5c7826dc

SHA256
86a1d1df2cf80129046cdb7c6530b5ef85d6fd8afe6e69f4b7f1216c07fc5403

SHA512
df192b607fbc55b9fb65f3054b799d2d9df0e09c52a12b4f0eb35c5b95a0299f1a5ad081860a8f388d1e31953cec4f8b5142c034cc7bf32bd2fcedc13993301b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
313.4MB

MD5
d96ad924539904ca7a4ba66a20ed78c4

SHA1
b124fe46ecbd0d5cb37b157de20d8b098af028a1

SHA256
83d53e2c2458f4f7c833aab23620182507b300a9be3ec4aee2f6dd5264f2d48e

SHA512
b81886148d1a90cd1cd939ad3c02a7e49fa9df0ad1d6ca79c2bb74c75e0e114099a4f648d8fb58694279855c4f2809f5d4b862492491b4237691ced917a80949

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7c488cca3dc3f3af64c5208a13df1629

SHA1
66d39a474268bee204d484c7b82f053238290d71

SHA256
94e6002ee5b3c3dc1bdd1eacc2ffa5d510bcf490ccbacdb34b85ae5c86758b56

SHA512
bcb5a0cffa7c1429de1a51ad74d10eac28a97f9e66e64aec2485ac544fe18e772f96f3762ebbc205592e4782b5a4ab802af863194347df4058f901f4c1194f65

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.4MB

MD5
4e696b7da43717178bbebadabf499782

SHA1
e56e1c727ab11accd101e7e0ffbd12ee80c30d63

SHA256
53727c08c81915532a8cf7fe0c4a320fbe100048a05b579fc697090cab9ca66c

SHA512
51418cfd2425d49398a9c54d5c5a24bbda12571d96ccd870ed5e471fc68389d51db55f06e018aed2e3c2b131e84bee46150f3fae85f41e657c0b5a8ab4d6fdea

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
257.1MB

MD5
49500a871077c456cbe8e1ae2d9aace9

SHA1
b63e66b732697ca5829409c9f654e65e95024b33

SHA256
7923672c8c4cc74dd2b1b21caa524f5e1201dc69188f3cc8947cb8096aeaa8ba

SHA512
5da9404e6972012b0ecd1cd911a996d75b3cde4a4c70309c6c76e4463d51485f5a56a1ac984ec8cc17fd6e0ad4389e405db907bb47ba1ab73e77561f7eae0b35

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
102.1MB

MD5
81525b7565bd23323a746d0c4355017b

SHA1
890c1d2ba46696a60b2ab42026db73eee56eddb0

SHA256
8f002051aaaf06a531c6c23eb37aadf7af9bbac32c1ea186d5d00cce5ba484cf

SHA512
4e5db0ac4a64849e640f4603fba0f63c7a546b1512d432ed52a45974ad7964e266f4cffcfe0e84549e82d4be2b5297a84e2190a9b11aab7515b3d6ef45df0989

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
286.1MB

MD5
eb232e544a0426f7ee8293c3e1851a69

SHA1
fa8fa8f8b068b535d1e0b4cab34f79bb104c4c68

SHA256
e3b6027742327ed8415d14a5207bcb22253d1dfc4a1fb4db3e63eee1abb8c508

SHA512
1c72a6f90aef6248bf4e768822444bbcce35f8aaa0e4e962efd864bf9f91fdf65dbf870776b47dbf989ed63e0d24a27ab21c50edd14136b8a8b6e42d8550e6ed

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
277.0MB

MD5
7b2fb4025ccab83a23f16ebcaedd229a

SHA1
df50942b8847f2a1905a3be441d738952e5aafd2

SHA256
5dfe6a2277dd75a31a4cb5c3ab7428cc60e171bfb9eac30720b73e7597f899f3

SHA512
ab4feb78d7693e27d7d5f46057d783d24b2e29ae823e137b60f806df1e07e132eac870dcf95b4da7d95a44a7e8f65320242ef7a3cb178a29d22fa15317a58f48

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
282.3MB

MD5
35424a7d0b5f80991216d17968788b62

SHA1
1c0472a879f34e2f52486336ade427433b750f55

SHA256
9912e92fa25a0524ee8ae454554c4e8aaddd0de3e2f824a4a7ced89675041a4b

SHA512
a597a162b0e8798a2c5d128ceba3c1593a0f0b57df7a8774e8cfb2d39347e9ae2ac3d32ed81aba9edb770ea48d983a7ab7f935bbe69355e63a9ce1034bff43b8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.7MB

MD5
4b6a9c8cebdb8049e8cdb13b0486a092

SHA1
69b2489b75cf63d5c39ece13162169e9450b1c3e

SHA256
737316c69474ab96ac81641d6270232eeb22265bb54435a6571942f151bedc17

SHA512
78bf2aa37c21cec0c2f9e4a0b7a2d29858115c2240924677cde54673d4b0c30c34f40acdc15c6255f3ffe39b2fd44aef204369af7498f2c13a1d3b35bd76a0e4

Download Submit
memory/876-56-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1292-70-0x000000006F820000-0x000000006FDCB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-69-0x000000006F820000-0x000000006FDCB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-71-0x000000006F820000-0x000000006FDCB000-memory.dmp

Filesize
5.7MB

Download
memory/1324-88-0x000000006F7E0000-0x000000006FD8B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-78-0x000000006F7E0000-0x000000006FD8B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-102-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1780-66-0x00000000063B0000-0x0000000006750000-memory.dmp

Filesize
3.6MB

Download
memory/1780-65-0x0000000000CF0000-0x0000000001464000-memory.dmp

Filesize
7.5MB

Download
memory/1780-74-0x0000000005240000-0x00000000053B2000-memory.dmp

Filesize
1.4MB

Download