aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/948-66-0x00000000064A0000-0x0000000006840000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
836	voiceadequovl.exe
948	voiceadequovl.exe
672	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
836	voiceadequovl.exe
836	voiceadequovl.exe
836	voiceadequovl.exe
836	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 672	948	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
276	powershell.exe
1480	powershell.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	voiceadequovl.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeIncreaseQuotaPrivilege	1952	wmic.exe
Token: SeSecurityPrivilege	1952	wmic.exe
Token: SeTakeOwnershipPrivilege	1952	wmic.exe
Token: SeLoadDriverPrivilege	1952	wmic.exe
Token: SeSystemProfilePrivilege	1952	wmic.exe
Token: SeSystemtimePrivilege	1952	wmic.exe
Token: SeProfSingleProcessPrivilege	1952	wmic.exe
Token: SeIncBasePriorityPrivilege	1952	wmic.exe
Token: SeCreatePagefilePrivilege	1952	wmic.exe
Token: SeBackupPrivilege	1952	wmic.exe
Token: SeRestorePrivilege	1952	wmic.exe
Token: SeShutdownPrivilege	1952	wmic.exe
Token: SeDebugPrivilege	1952	wmic.exe
Token: SeSystemEnvironmentPrivilege	1952	wmic.exe
Token: SeRemoteShutdownPrivilege	1952	wmic.exe
Token: SeUndockPrivilege	1952	wmic.exe
Token: SeManageVolumePrivilege	1952	wmic.exe
Token: 33	1952	wmic.exe
Token: 34	1952	wmic.exe
Token: 35	1952	wmic.exe
Token: SeIncreaseQuotaPrivilege	1952	wmic.exe
Token: SeSecurityPrivilege	1952	wmic.exe
Token: SeTakeOwnershipPrivilege	1952	wmic.exe
Token: SeLoadDriverPrivilege	1952	wmic.exe
Token: SeSystemProfilePrivilege	1952	wmic.exe
Token: SeSystemtimePrivilege	1952	wmic.exe
Token: SeProfSingleProcessPrivilege	1952	wmic.exe
Token: SeIncBasePriorityPrivilege	1952	wmic.exe
Token: SeCreatePagefilePrivilege	1952	wmic.exe
Token: SeBackupPrivilege	1952	wmic.exe
Token: SeRestorePrivilege	1952	wmic.exe
Token: SeShutdownPrivilege	1952	wmic.exe
Token: SeDebugPrivilege	1952	wmic.exe
Token: SeSystemEnvironmentPrivilege	1952	wmic.exe
Token: SeRemoteShutdownPrivilege	1952	wmic.exe
Token: SeUndockPrivilege	1952	wmic.exe
Token: SeManageVolumePrivilege	1952	wmic.exe
Token: 33	1952	wmic.exe
Token: 34	1952	wmic.exe
Token: 35	1952	wmic.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 836	1684	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1684 wrote to memory of 836	1684	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1684 wrote to memory of 836	1684	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1684 wrote to memory of 836	1684	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 836 wrote to memory of 948	836	voiceadequovl.exe	28
PID 836 wrote to memory of 948	836	voiceadequovl.exe	28
PID 836 wrote to memory of 948	836	voiceadequovl.exe	28
PID 836 wrote to memory of 948	836	voiceadequovl.exe	28
PID 948 wrote to memory of 276	948	voiceadequovl.exe	30
PID 948 wrote to memory of 276	948	voiceadequovl.exe	30
PID 948 wrote to memory of 276	948	voiceadequovl.exe	30
PID 948 wrote to memory of 276	948	voiceadequovl.exe	30
PID 948 wrote to memory of 1568	948	voiceadequovl.exe	31
PID 948 wrote to memory of 1568	948	voiceadequovl.exe	31
PID 948 wrote to memory of 1568	948	voiceadequovl.exe	31
PID 948 wrote to memory of 1568	948	voiceadequovl.exe	31
PID 1568 wrote to memory of 1480	1568	cmd.exe	33
PID 1568 wrote to memory of 1480	1568	cmd.exe	33
PID 1568 wrote to memory of 1480	1568	cmd.exe	33
PID 1568 wrote to memory of 1480	1568	cmd.exe	33
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 948 wrote to memory of 672	948	voiceadequovl.exe	34
PID 672 wrote to memory of 1952	672	voiceadequovl.exe	35
PID 672 wrote to memory of 1952	672	voiceadequovl.exe	35
PID 672 wrote to memory of 1952	672	voiceadequovl.exe	35
PID 672 wrote to memory of 1952	672	voiceadequovl.exe	35
PID 672 wrote to memory of 1608	672	voiceadequovl.exe	38
PID 672 wrote to memory of 1608	672	voiceadequovl.exe	38
PID 672 wrote to memory of 1608	672	voiceadequovl.exe	38
PID 672 wrote to memory of 1608	672	voiceadequovl.exe	38
PID 1608 wrote to memory of 844	1608	cmd.exe	40
PID 1608 wrote to memory of 844	1608	cmd.exe	40
PID 1608 wrote to memory of 844	1608	cmd.exe	40
PID 1608 wrote to memory of 844	1608	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1608
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
277.2MB

MD5
b45a1a93fea17558f8aa319bbdcfcf6d

SHA1
f32ffee67b86ab009d5fc02683e96e1950a828f7

SHA256
18e54e6da6e30641714e6bc4a1e17bad4db98d486a1cc66e0c6dd4ba577faa01

SHA512
02472808e01eb0bc2cca2d0776c21fa22d1412628155e5e9bb1593b282aeb7bc11ad47e3d5abbe9735dc83688c1582dc5471f2af08e17a8fe4343494ce70c8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
273.1MB

MD5
e8922b6bd90126ba048cbcdc33457e8e

SHA1
0f67397104a07e7ba7f7ab84cb2b36906fe925cc

SHA256
6947f5ed7a0a033a5cf217e9e01474d18c9cb315abd448c9d7275607d4398193

SHA512
250500a9bce00326c7ebc01750c0e2c94b880e6bf2052f4f5dfe6c13984eaff209b4a7889b0246c6f6bcb4e90762bf2e2679083e0939d336d329ff453fd6ca46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ba99e87054f07039b50a0bc2aa85a663

SHA1
2c4e82da98372d7e7ad599fa20be03ca5577eda5

SHA256
164fc2ca91787981070b4d65466dbc1b34bed813ea7968fc2d1cc9193cfceb89

SHA512
41448c716eb19a0f907a553d319896c0b335c735f531c39b0df1df81857992c40af320eda9f2d655430365d0f531344e2c0fcb56030b52bb91572c2ae60d1652

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.9MB

MD5
a0fa09fcd8e22ff552f215a02c732987

SHA1
3fe204b58b4f58e9393f1e90f6d563bc445087d2

SHA256
d1b6816cd7453479ac61e0ec773eb87aa9ee16fe1d646777cf03e1c8ef420713

SHA512
fa04ba39d9b834ca31ae2369f0c39f361a1003b837e7f96d5c20f7564b128bcb2c63bd4528cecee0e94a45b6b98901485ccf199de952a77bd39ed6116b9f5d6b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
259.4MB

MD5
23882ead8144c0e8b503742ac1d5c776

SHA1
0b9e4f3cfda20d2c00e358afe6ab0e8ff8c2aa4d

SHA256
f771f54a9497964e06d745d744058b941a13e4657322c452dc1f5f8dd9f48604

SHA512
4d0e304e41a52f98d9830e8fbea8ceb57e01d03c9763850e16e6796a169500beeea729c9b51f91c61b2285d0e5914e3bfff8f521d0c14a1bccff7fa599973406

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
154.7MB

MD5
f1cd4d290ebb5557ff601ba9d6c9b803

SHA1
cf293a2f69d0a6878eb66bff18b3a01bd0669461

SHA256
fdd493f39c02e85fc7bdeb3710b8b6a00ee65825a4ce7e106c98537c64db78cf

SHA512
51d9fd41900a02dce97a6bd0adeef365fe8c79be14269019f59fb36708471e49b3f7ab60dd55d75fb6db1fd140c9ee0765c7d9c985f24b572bc8e7174f055a3b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
253.6MB

MD5
50bcfb1b30438549f89e946e1dd4da36

SHA1
5c485f1cdc0ef493bf1e1ee512af34a8d2237f89

SHA256
b3394acfadece2ebb18ddbd0662c8da1330aa859e2180fcdc20e6e4e06f9b1bf

SHA512
869d2e3f95230e2eb97ba16fb2c30f6200dd78f033b95ea0d341ba0917c747eb056dbcfe3ba6a0004eb32e2ebbf6b6f254e5545c57539e7ed851f4c187f72650

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
250.2MB

MD5
8cf13e61e7ec600c55de082883608969

SHA1
909e41979350f09b790e71edbee18a64d6c4173f

SHA256
528f8f274bafcc0b75b60c866eecb8b5e5f0da68ff9a1c0cbbed5e850e4a69be

SHA512
95f8050e83af6dd1055bc1af6ccdb8e7a6c0e075d92b8ba1b32108a41896ffbf5efe2ba3fe38b864eea7a7123c3c19679ed830b7193d1142a9ec4b3bc4b6b354

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.8MB

MD5
d1e7987c7b5cb552552a7593a678a73d

SHA1
82068b5ba031fc3997283459d8f7f82a4c9b6577

SHA256
2d5206ca7f7ca996c27f60f5ee8f92dcdd94f63e4dd80de5df680f1f6e43d6d3

SHA512
04b266f0ba32f9fc215f8bd13581f61bf780ff105cff310e26b4052a8721aadecf227f38015d85857d407bff39147a5cdfdc87de6aee893869fa496b3d23180b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
215.6MB

MD5
fe17c3a8634b751cc32e7c7add4a6a50

SHA1
4feb276f49e964638680f0da2eff60c1707c051c

SHA256
fee3bc37d0a5a8c05d4b8212850e86a67f9b210506722ddfff75ddae62ab495e

SHA512
38c0b176790a5771800d0c11b7c22dd7cf13455dc7ba5e76e01ae90d58a55fb97f5fcd57133e7e38f93784000ac05b82842af414d2450fceff140c1062e06f4e

Download Submit
memory/276-69-0x000000006FF30000-0x00000000704DB000-memory.dmp

Filesize
5.7MB

Download
memory/276-71-0x000000006FF30000-0x00000000704DB000-memory.dmp

Filesize
5.7MB

Download
memory/276-70-0x000000006FF30000-0x00000000704DB000-memory.dmp

Filesize
5.7MB

Download
memory/672-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/672-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/836-56-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/948-66-0x00000000064A0000-0x0000000006840000-memory.dmp

Filesize
3.6MB

Download
memory/948-74-0x00000000052F0000-0x0000000005462000-memory.dmp

Filesize
1.4MB

Download
memory/948-65-0x0000000000D70000-0x00000000014E4000-memory.dmp

Filesize
7.5MB

Download
memory/1480-81-0x000000006FEE0000-0x000000007048B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-91-0x000000006FEE0000-0x000000007048B000-memory.dmp

Filesize
5.7MB

Download