aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
100s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1896-66-0x0000000006310000-0x00000000066B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1072	voiceadequovl.exe
1896	voiceadequovl.exe
1188	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1072	voiceadequovl.exe
1072	voiceadequovl.exe
1072	voiceadequovl.exe
1072	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 1188	1896	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	powershell.exe
1564	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	voiceadequovl.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeIncreaseQuotaPrivilege	2012	wmic.exe
Token: SeSecurityPrivilege	2012	wmic.exe
Token: SeTakeOwnershipPrivilege	2012	wmic.exe
Token: SeLoadDriverPrivilege	2012	wmic.exe
Token: SeSystemProfilePrivilege	2012	wmic.exe
Token: SeSystemtimePrivilege	2012	wmic.exe
Token: SeProfSingleProcessPrivilege	2012	wmic.exe
Token: SeIncBasePriorityPrivilege	2012	wmic.exe
Token: SeCreatePagefilePrivilege	2012	wmic.exe
Token: SeBackupPrivilege	2012	wmic.exe
Token: SeRestorePrivilege	2012	wmic.exe
Token: SeShutdownPrivilege	2012	wmic.exe
Token: SeDebugPrivilege	2012	wmic.exe
Token: SeSystemEnvironmentPrivilege	2012	wmic.exe
Token: SeRemoteShutdownPrivilege	2012	wmic.exe
Token: SeUndockPrivilege	2012	wmic.exe
Token: SeManageVolumePrivilege	2012	wmic.exe
Token: 33	2012	wmic.exe
Token: 34	2012	wmic.exe
Token: 35	2012	wmic.exe
Token: SeIncreaseQuotaPrivilege	2012	wmic.exe
Token: SeSecurityPrivilege	2012	wmic.exe
Token: SeTakeOwnershipPrivilege	2012	wmic.exe
Token: SeLoadDriverPrivilege	2012	wmic.exe
Token: SeSystemProfilePrivilege	2012	wmic.exe
Token: SeSystemtimePrivilege	2012	wmic.exe
Token: SeProfSingleProcessPrivilege	2012	wmic.exe
Token: SeIncBasePriorityPrivilege	2012	wmic.exe
Token: SeCreatePagefilePrivilege	2012	wmic.exe
Token: SeBackupPrivilege	2012	wmic.exe
Token: SeRestorePrivilege	2012	wmic.exe
Token: SeShutdownPrivilege	2012	wmic.exe
Token: SeDebugPrivilege	2012	wmic.exe
Token: SeSystemEnvironmentPrivilege	2012	wmic.exe
Token: SeRemoteShutdownPrivilege	2012	wmic.exe
Token: SeUndockPrivilege	2012	wmic.exe
Token: SeManageVolumePrivilege	2012	wmic.exe
Token: 33	2012	wmic.exe
Token: 34	2012	wmic.exe
Token: 35	2012	wmic.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemProfilePrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeProfSingleProcessPrivilege	956	WMIC.exe
Token: SeIncBasePriorityPrivilege	956	WMIC.exe
Token: SeCreatePagefilePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeDebugPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeRemoteShutdownPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: 33	956	WMIC.exe
Token: 34	956	WMIC.exe
Token: 35	956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1072	1084	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1084 wrote to memory of 1072	1084	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1084 wrote to memory of 1072	1084	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1084 wrote to memory of 1072	1084	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1072 wrote to memory of 1896	1072	voiceadequovl.exe	28
PID 1072 wrote to memory of 1896	1072	voiceadequovl.exe	28
PID 1072 wrote to memory of 1896	1072	voiceadequovl.exe	28
PID 1072 wrote to memory of 1896	1072	voiceadequovl.exe	28
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	29
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	29
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	29
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	29
PID 1896 wrote to memory of 1236	1896	voiceadequovl.exe	32
PID 1896 wrote to memory of 1236	1896	voiceadequovl.exe	32
PID 1896 wrote to memory of 1236	1896	voiceadequovl.exe	32
PID 1896 wrote to memory of 1236	1896	voiceadequovl.exe	32
PID 1236 wrote to memory of 1564	1236	cmd.exe	33
PID 1236 wrote to memory of 1564	1236	cmd.exe	33
PID 1236 wrote to memory of 1564	1236	cmd.exe	33
PID 1236 wrote to memory of 1564	1236	cmd.exe	33
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1896 wrote to memory of 1188	1896	voiceadequovl.exe	34
PID 1188 wrote to memory of 2012	1188	voiceadequovl.exe	35
PID 1188 wrote to memory of 2012	1188	voiceadequovl.exe	35
PID 1188 wrote to memory of 2012	1188	voiceadequovl.exe	35
PID 1188 wrote to memory of 2012	1188	voiceadequovl.exe	35
PID 1188 wrote to memory of 908	1188	voiceadequovl.exe	38
PID 1188 wrote to memory of 908	1188	voiceadequovl.exe	38
PID 1188 wrote to memory of 908	1188	voiceadequovl.exe	38
PID 1188 wrote to memory of 908	1188	voiceadequovl.exe	38
PID 908 wrote to memory of 956	908	cmd.exe	40
PID 908 wrote to memory of 956	908	cmd.exe	40
PID 908 wrote to memory of 956	908	cmd.exe	40
PID 908 wrote to memory of 956	908	cmd.exe	40
PID 1188 wrote to memory of 1720	1188	voiceadequovl.exe	41
PID 1188 wrote to memory of 1720	1188	voiceadequovl.exe	41
PID 1188 wrote to memory of 1720	1188	voiceadequovl.exe	41
PID 1188 wrote to memory of 1720	1188	voiceadequovl.exe	41
PID 1720 wrote to memory of 848	1720	cmd.exe	43
PID 1720 wrote to memory of 848	1720	cmd.exe	43
PID 1720 wrote to memory of 848	1720	cmd.exe	43
PID 1720 wrote to memory of 848	1720	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1976a80493dcc2cfd4c210df34f1705c

SHA1
671b29f8b340e68bfb0777271de8fd6903c6c910

SHA256
ea5d47eb9771a22264c37b50f19711fe937d53b771407b539b02f9c85fdc2497

SHA512
0024f6f21f1dadff9daa3018330a4fe50fc0add39f5b3ee6528897e7487c3ea867b931ab66655bc1e7f08b23a9ac39eca67d9b2994040f32b76aac2698b7daf2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
139.2MB

MD5
8b5170d176f23735d9845b1af55074ad

SHA1
37948308bc8008a684b964124c3cb4911cc17bd6

SHA256
3d5e58e4bfe9f55e76e443c97d64739e221d0394dac6136dcb99289a43d9999e

SHA512
75d7d0982faa1e168843f8de88355e8ca25067c687c9a0145a6922eb039a7a2774ace3ff5a1e9e252d229f3e868c10accfdb636ff6608f1032e9fcad9baf7612

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
153.4MB

MD5
ce0e1316eb93a1d2fef8b65f77b169dc

SHA1
d1b13a5af7dbcb5d4c5423edf55a0a75bc732503

SHA256
444b4fcabeceb0724fcfc9b65b2aa884de5324ab4fe62e51de07e2b34760269c

SHA512
6393c83801f67f00c4d4f7c9cab0686b18a5e290fd5ac59628cd513972d16bf1cae9bcfe16c6ec4abd2206afebc42934148e3eacee949befecefb66505954fce

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
47.6MB

MD5
0ca3a8783fc65c5cfce38e72c6ba99e5

SHA1
44970f43b7b0c4d66bc601b31bfcc4c2d0adb737

SHA256
2264d03bb6f3d5db2f6ad651574188563c3b810b56129b2ed66e840de677c6c4

SHA512
f1d5f6bd08415735ec78688b9421f72187e91383c01791710ab1c65242cd0c259ec7e2521819ca270be028dd88585bdd48036ac9521f3ee8cd87547879c40ee1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
160.3MB

MD5
7c1743514483a4740b030173361b53e7

SHA1
9b83caa2edff6fc76a9d7b09ee586b8735151a95

SHA256
94b958d5e488680e0e37dd85cf13ab7229e95a1bb6e34d02a7c6bf0e6463e9bc

SHA512
fc4badb86dd6efaa43ac70cd01290329e005f4c654fd6dc5233f9f8a01fd4d6d679975692a246b3ce22d674a35fd691c87dc1d69fcafd19cce0ffb698adf535f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
158.9MB

MD5
cbea6f9ec982168a7d2673efb7ac952d

SHA1
a053aad02016cfdc713b6cce2c06e6d7dd94c038

SHA256
00220611b8dd6c15134ef9d0bdefb3f16ad0b044861c4acce3e838dc13e1966a

SHA512
40d2117584282ff713dc0b22d409549026ef60ac4770f45057a1010b43f2dd5968d8ab8a448a163d5a1da6e002d5a5fad99b0a2ce5ec42035046b05ae0e6d3c4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
154.3MB

MD5
8200d75fc2c6ccfa1fba511c8ee00f6e

SHA1
5978f37a06f80e7aebe7232969f1e86b9aeb8771

SHA256
8319c52002a1e2da1d36fddd79cb888a92777d4b469142dad00e7d42c080f143

SHA512
46afed073354d7fef97229bc369baf49127bf2a9dde4feeabe0d55f445750e8d59c30b4741b2fe4eb3220ce4971b406afc780b6fd44df5101c1a4c6be1414979

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
159.8MB

MD5
ae20590be54a07d7c55a26b61db50853

SHA1
705f3026a0c0c3c348c9a3290582cd734c7cd3fd

SHA256
a94a9bf0ff19ff89d43817c982aeced85abb87ae9cf61e44d4283f8267b7f212

SHA512
65c4061ce3e9a33ac893e0c65f3c68c56e5a5779eb87067538628a29d9a27baabbfc5aaeb21ecf2a8b491d139227a61764396207a7e41ff9219d124314ea1616

Download Submit
memory/1072-56-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1188-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1188-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1408-71-0x000000006F3F0000-0x000000006F99B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-69-0x000000006F3F0000-0x000000006F99B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-70-0x000000006F3F0000-0x000000006F99B000-memory.dmp

Filesize
5.7MB

Download
memory/1564-77-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/1896-66-0x0000000006310000-0x00000000066B0000-memory.dmp

Filesize
3.6MB

Download
memory/1896-74-0x0000000005360000-0x00000000054D2000-memory.dmp

Filesize
1.4MB

Download
memory/1896-65-0x0000000001280000-0x00000000019F4000-memory.dmp

Filesize
7.5MB

Download