aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
148s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/980-66-0x0000000006330000-0x00000000066D0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 4 IoCs

pid	Process
1652	voiceadequovl.exe
980	voiceadequovl.exe
1932	voiceadequovl.exe
1724	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1652	voiceadequovl.exe
1652	voiceadequovl.exe
1652	voiceadequovl.exe
1652	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 980 set thread context of 1724	980	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1924	powershell.exe
1232	powershell.exe
980	voiceadequovl.exe
980	voiceadequovl.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	voiceadequovl.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeIncreaseQuotaPrivilege	1888	wmic.exe
Token: SeSecurityPrivilege	1888	wmic.exe
Token: SeTakeOwnershipPrivilege	1888	wmic.exe
Token: SeLoadDriverPrivilege	1888	wmic.exe
Token: SeSystemProfilePrivilege	1888	wmic.exe
Token: SeSystemtimePrivilege	1888	wmic.exe
Token: SeProfSingleProcessPrivilege	1888	wmic.exe
Token: SeIncBasePriorityPrivilege	1888	wmic.exe
Token: SeCreatePagefilePrivilege	1888	wmic.exe
Token: SeBackupPrivilege	1888	wmic.exe
Token: SeRestorePrivilege	1888	wmic.exe
Token: SeShutdownPrivilege	1888	wmic.exe
Token: SeDebugPrivilege	1888	wmic.exe
Token: SeSystemEnvironmentPrivilege	1888	wmic.exe
Token: SeRemoteShutdownPrivilege	1888	wmic.exe
Token: SeUndockPrivilege	1888	wmic.exe
Token: SeManageVolumePrivilege	1888	wmic.exe
Token: 33	1888	wmic.exe
Token: 34	1888	wmic.exe
Token: 35	1888	wmic.exe
Token: SeIncreaseQuotaPrivilege	1888	wmic.exe
Token: SeSecurityPrivilege	1888	wmic.exe
Token: SeTakeOwnershipPrivilege	1888	wmic.exe
Token: SeLoadDriverPrivilege	1888	wmic.exe
Token: SeSystemProfilePrivilege	1888	wmic.exe
Token: SeSystemtimePrivilege	1888	wmic.exe
Token: SeProfSingleProcessPrivilege	1888	wmic.exe
Token: SeIncBasePriorityPrivilege	1888	wmic.exe
Token: SeCreatePagefilePrivilege	1888	wmic.exe
Token: SeBackupPrivilege	1888	wmic.exe
Token: SeRestorePrivilege	1888	wmic.exe
Token: SeShutdownPrivilege	1888	wmic.exe
Token: SeDebugPrivilege	1888	wmic.exe
Token: SeSystemEnvironmentPrivilege	1888	wmic.exe
Token: SeRemoteShutdownPrivilege	1888	wmic.exe
Token: SeUndockPrivilege	1888	wmic.exe
Token: SeManageVolumePrivilege	1888	wmic.exe
Token: 33	1888	wmic.exe
Token: 34	1888	wmic.exe
Token: 35	1888	wmic.exe
Token: SeIncreaseQuotaPrivilege	896	WMIC.exe
Token: SeSecurityPrivilege	896	WMIC.exe
Token: SeTakeOwnershipPrivilege	896	WMIC.exe
Token: SeLoadDriverPrivilege	896	WMIC.exe
Token: SeSystemProfilePrivilege	896	WMIC.exe
Token: SeSystemtimePrivilege	896	WMIC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1652 wrote to memory of 980	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 980	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 980	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 980	1652	voiceadequovl.exe	28
PID 980 wrote to memory of 1924	980	voiceadequovl.exe	30
PID 980 wrote to memory of 1924	980	voiceadequovl.exe	30
PID 980 wrote to memory of 1924	980	voiceadequovl.exe	30
PID 980 wrote to memory of 1924	980	voiceadequovl.exe	30
PID 980 wrote to memory of 696	980	voiceadequovl.exe	31
PID 980 wrote to memory of 696	980	voiceadequovl.exe	31
PID 980 wrote to memory of 696	980	voiceadequovl.exe	31
PID 980 wrote to memory of 696	980	voiceadequovl.exe	31
PID 696 wrote to memory of 1232	696	cmd.exe	33
PID 696 wrote to memory of 1232	696	cmd.exe	33
PID 696 wrote to memory of 1232	696	cmd.exe	33
PID 696 wrote to memory of 1232	696	cmd.exe	33
PID 980 wrote to memory of 1932	980	voiceadequovl.exe	34
PID 980 wrote to memory of 1932	980	voiceadequovl.exe	34
PID 980 wrote to memory of 1932	980	voiceadequovl.exe	34
PID 980 wrote to memory of 1932	980	voiceadequovl.exe	34
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 980 wrote to memory of 1724	980	voiceadequovl.exe	35
PID 1724 wrote to memory of 1888	1724	voiceadequovl.exe	36
PID 1724 wrote to memory of 1888	1724	voiceadequovl.exe	36
PID 1724 wrote to memory of 1888	1724	voiceadequovl.exe	36
PID 1724 wrote to memory of 1888	1724	voiceadequovl.exe	36
PID 1724 wrote to memory of 1720	1724	voiceadequovl.exe	39
PID 1724 wrote to memory of 1720	1724	voiceadequovl.exe	39
PID 1724 wrote to memory of 1720	1724	voiceadequovl.exe	39
PID 1724 wrote to memory of 1720	1724	voiceadequovl.exe	39
PID 1720 wrote to memory of 896	1720	cmd.exe	41
PID 1720 wrote to memory of 896	1720	cmd.exe	41
PID 1720 wrote to memory of 896	1720	cmd.exe	41
PID 1720 wrote to memory of 896	1720	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1932
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
347.2MB

MD5
0036335f0428d7aa8b84056100818c88

SHA1
6304a63ab9d1af6e06f364e34a02d3517032f2ee

SHA256
d944986ab021b4cc937be249a31762a351ae7e91cda15805fe0a9b79c491ab9f

SHA512
17819519a73a40928c20e1574e13242effa00ccd3f718e4e3af746fb2281a1be45086fa8d504b1574aaf9b2c229213ae6fe69c832f869206b8fc625c8adb6651

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
340.2MB

MD5
b4c8c8e87a692e395611677701e08ebc

SHA1
42d02a563e94c604a40d0898da666832820b437f

SHA256
72743a2349f8704725e93c8c73d29bf59d816547e3d6773e8ef5566e272a06d0

SHA512
e4bfacbafdb845d2f3f064f05d0fd4afaa522ed218e12072339dc9059e0cc5d0dbfd87f01d9aa7026945b51c10fc392eaf7fb27e675bcd8e7ab63333c4bebfd7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a434967aeb0be1b1ed6d25ad1b4db8fb

SHA1
78b0fb1d25f8e4a2cfaf3fd104f34a917e2b0f85

SHA256
8b3872710f4692512e8927f0bebb1c65c62ed6e4e8da03a1235f876dbcf0adaa

SHA512
1a99a1874123b98e092e0970c4b03e33d74964f06dc04967fd99edec2d9054e72ab34f4f6e21e496e7250a642ac3dd80a3fe25f78f0bdb200b23ae8fa5da1cda

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
238.0MB

MD5
a35140bffe954ee96fa8ab2ab4263976

SHA1
e7df0f12054115d7feec5ac29ed6b78c90821cf2

SHA256
dd742b6ad40205d24de98fb331caf51d5aaf47c6cc6b79717e4cae242996dd2d

SHA512
26d7ebbdfcbe5c70bfe555d0e0c4b11d913e34df5150225a90acf1c3ff236a3eae9d7c38cf9e85f477496f6c355faa156737a83e43db9d7d8aa0c354e8571c4f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.1MB

MD5
d00766fc3f35da3c3d497988ebe4e2e6

SHA1
d104d3a23a73d89c70e545fa17039f5cadd6503d

SHA256
a725f710834cebde7f459c1110446d6f00de9d8226db32e1560d6d4f063c7e87

SHA512
ec75425ee4993fb87f8f8756f52b729f0e0bcab3c822ff653caca60aff7443f2a9e1420e251877d39e4ecdcdd70fecb1271b3b2324bcb3cf975059f50ea47aba

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
117.9MB

MD5
7ba08eb7124b5d42255bad0cf89537cb

SHA1
292490192e67abaaee2284ca90fad9d99b2e7542

SHA256
7e91b4ca6723f43e5e4aab3213d5bf64b2e975344120867e5dd288558e2ecf5d

SHA512
2a5dd27cd6e9d1dc53b962d233752843c33c92023c173f9cac44762ef377cffa2d43e127020a7b64978eb0a2e921c2070845d1a832bc98ff0b4b6b94bfa14396

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
118.2MB

MD5
7e5d5d48dee2e19086df8c5b383eba23

SHA1
b990c6ace0ea2b4ef931cc37a6881f276308ca78

SHA256
8c3ad84bb0373e498171f0fd55578eb46fcdb384796ba0880c3fe4df99556f6e

SHA512
585a0d55b2bba7690c1c4ac13152e58cb1a2cb23bfa8118a98e554c385ad5271fb4721a310209557f6ba80cb9523232567d36f638774c7b7f2ccbaa6beeee29b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
235.2MB

MD5
8bb5c0c7527b16653309a1b60d272a9a

SHA1
22d6ee0f1102d38a710697e352f96944cf03ca26

SHA256
e43f257221386801968bda645fa0a4e67a0f80c00f38089779b8c5c15928e7ce

SHA512
a29665b9e4fe31d16f31cebe8d13456cdd27a5861f5653ac7d78a3c236ec820764eb8d1ca84ffb0aa6acb160197e9e9793c9f3fc4800a00c43c0272f37e1ebb4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
236.9MB

MD5
764c20e3d7daff64c799d75394138a37

SHA1
b3e91530f18a13cc2d6c99f2b463de316d70fe85

SHA256
6331af2ce455a288fe41c580d46a75b9d067909eeaec9c7d62223ac4a9704423

SHA512
11d01ef4d7971f41034dd55ce8ba4e87fe78bcd7e97ca67230f7cc75be23590763745c0ad1bd3af4f81d23f7f26a78f725f88b6d2066556dbf7cf9009e1fd029

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
242.5MB

MD5
9a2d95feeb5a5084c47194e5e67068c8

SHA1
a39b331c48c36a14d78b256a6a95cf551ade3212

SHA256
ec22e6568325f3bfebc31e8a29cf4d3d6e8702e2b8114e2a65db12101441903a

SHA512
8937640dac7bbdc2e2e1f70990dc8650faef5fda705926582c89d42acb668744bae574e08a81309ed57eb4015b2bc6c410864c6aebbe09600363890a82e6983d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
197.1MB

MD5
8146591ee2ba47aebb674d61584838b7

SHA1
36b5266f2422f188c8832252773ed80cbdd8c30b

SHA256
16f25ca4b56b921e1e1f1d71e8825496e431d3a70e11641c6cbd62e8cfef0110

SHA512
d18278116265511c54eb40a4b7c4c303df5c8fcd397bd6787752de40d2a3d715163515023eb69270e844cd0d51e412ac8bc6638c75e59c5a13d696bab0707630

Download Submit
memory/980-66-0x0000000006330000-0x00000000066D0000-memory.dmp

Filesize
3.6MB

Download
memory/980-65-0x0000000000830000-0x0000000000FA4000-memory.dmp

Filesize
7.5MB

Download
memory/980-74-0x0000000005300000-0x0000000005472000-memory.dmp

Filesize
1.4MB

Download
memory/1232-95-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1232-85-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1724-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-69-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-70-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-71-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download