aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1032-66-0x0000000006520000-0x00000000068C0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
308	voiceadequovl.exe
1032	voiceadequovl.exe
1928	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
308	voiceadequovl.exe
308	voiceadequovl.exe
308	voiceadequovl.exe
308	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1032 set thread context of 1928	1032	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	powershell.exe
1004	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	voiceadequovl.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeIncreaseQuotaPrivilege	1956	wmic.exe
Token: SeSecurityPrivilege	1956	wmic.exe
Token: SeTakeOwnershipPrivilege	1956	wmic.exe
Token: SeLoadDriverPrivilege	1956	wmic.exe
Token: SeSystemProfilePrivilege	1956	wmic.exe
Token: SeSystemtimePrivilege	1956	wmic.exe
Token: SeProfSingleProcessPrivilege	1956	wmic.exe
Token: SeIncBasePriorityPrivilege	1956	wmic.exe
Token: SeCreatePagefilePrivilege	1956	wmic.exe
Token: SeBackupPrivilege	1956	wmic.exe
Token: SeRestorePrivilege	1956	wmic.exe
Token: SeShutdownPrivilege	1956	wmic.exe
Token: SeDebugPrivilege	1956	wmic.exe
Token: SeSystemEnvironmentPrivilege	1956	wmic.exe
Token: SeRemoteShutdownPrivilege	1956	wmic.exe
Token: SeUndockPrivilege	1956	wmic.exe
Token: SeManageVolumePrivilege	1956	wmic.exe
Token: 33	1956	wmic.exe
Token: 34	1956	wmic.exe
Token: 35	1956	wmic.exe
Token: SeIncreaseQuotaPrivilege	1956	wmic.exe
Token: SeSecurityPrivilege	1956	wmic.exe
Token: SeTakeOwnershipPrivilege	1956	wmic.exe
Token: SeLoadDriverPrivilege	1956	wmic.exe
Token: SeSystemProfilePrivilege	1956	wmic.exe
Token: SeSystemtimePrivilege	1956	wmic.exe
Token: SeProfSingleProcessPrivilege	1956	wmic.exe
Token: SeIncBasePriorityPrivilege	1956	wmic.exe
Token: SeCreatePagefilePrivilege	1956	wmic.exe
Token: SeBackupPrivilege	1956	wmic.exe
Token: SeRestorePrivilege	1956	wmic.exe
Token: SeShutdownPrivilege	1956	wmic.exe
Token: SeDebugPrivilege	1956	wmic.exe
Token: SeSystemEnvironmentPrivilege	1956	wmic.exe
Token: SeRemoteShutdownPrivilege	1956	wmic.exe
Token: SeUndockPrivilege	1956	wmic.exe
Token: SeManageVolumePrivilege	1956	wmic.exe
Token: 33	1956	wmic.exe
Token: 34	1956	wmic.exe
Token: 35	1956	wmic.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 308	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1472 wrote to memory of 308	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1472 wrote to memory of 308	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1472 wrote to memory of 308	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 308 wrote to memory of 1032	308	voiceadequovl.exe	29
PID 308 wrote to memory of 1032	308	voiceadequovl.exe	29
PID 308 wrote to memory of 1032	308	voiceadequovl.exe	29
PID 308 wrote to memory of 1032	308	voiceadequovl.exe	29
PID 1032 wrote to memory of 1984	1032	voiceadequovl.exe	30
PID 1032 wrote to memory of 1984	1032	voiceadequovl.exe	30
PID 1032 wrote to memory of 1984	1032	voiceadequovl.exe	30
PID 1032 wrote to memory of 1984	1032	voiceadequovl.exe	30
PID 1032 wrote to memory of 1536	1032	voiceadequovl.exe	32
PID 1032 wrote to memory of 1536	1032	voiceadequovl.exe	32
PID 1032 wrote to memory of 1536	1032	voiceadequovl.exe	32
PID 1032 wrote to memory of 1536	1032	voiceadequovl.exe	32
PID 1536 wrote to memory of 1004	1536	cmd.exe	34
PID 1536 wrote to memory of 1004	1536	cmd.exe	34
PID 1536 wrote to memory of 1004	1536	cmd.exe	34
PID 1536 wrote to memory of 1004	1536	cmd.exe	34
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1032 wrote to memory of 1928	1032	voiceadequovl.exe	35
PID 1928 wrote to memory of 1956	1928	voiceadequovl.exe	36
PID 1928 wrote to memory of 1956	1928	voiceadequovl.exe	36
PID 1928 wrote to memory of 1956	1928	voiceadequovl.exe	36
PID 1928 wrote to memory of 1956	1928	voiceadequovl.exe	36
PID 1928 wrote to memory of 1688	1928	voiceadequovl.exe	39
PID 1928 wrote to memory of 1688	1928	voiceadequovl.exe	39
PID 1928 wrote to memory of 1688	1928	voiceadequovl.exe	39
PID 1928 wrote to memory of 1688	1928	voiceadequovl.exe	39
PID 1688 wrote to memory of 1568	1688	cmd.exe	41
PID 1688 wrote to memory of 1568	1688	cmd.exe	41
PID 1688 wrote to memory of 1568	1688	cmd.exe	41
PID 1688 wrote to memory of 1568	1688	cmd.exe	41
PID 1928 wrote to memory of 688	1928	voiceadequovl.exe	42
PID 1928 wrote to memory of 688	1928	voiceadequovl.exe	42
PID 1928 wrote to memory of 688	1928	voiceadequovl.exe	42
PID 1928 wrote to memory of 688	1928	voiceadequovl.exe	42
PID 688 wrote to memory of 1728	688	cmd.exe	44
PID 688 wrote to memory of 1728	688	cmd.exe	44
PID 688 wrote to memory of 1728	688	cmd.exe	44
PID 688 wrote to memory of 1728	688	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1984
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2fb44155de555d2425f585bd84dec906

SHA1
77f0f3c0142050401855ea6b5736165656095e31

SHA256
b8eb051e5ec6b432cfc790178843a860cfbf400cd4d3253b667a78d659c82adf

SHA512
3338d474fdfc3f84a1fb31c4d53ea919eda8f3a6403f330d6c0fce4685f4bb95a700eb09de9660fdfaa07ecb7fc7168f3323fcf16c74ef4478b40900bf78e1f3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
211.9MB

MD5
d9f0baf69a059c55473ec49c935e3188

SHA1
ef339d043378da9aa1c00dab0d60134cc5da7281

SHA256
ba03cb4a867ecbb5b52ef87a63b9b34c8d7c07dc01b63fa25a2e1d733d4b7e11

SHA512
027561801fddc100c780e8818476339bd3986abebcace393778b5831e27e3874b59369b7144d8f819eea1357b9aac41767f05821a953041ac4c4f7f65370f88d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
211.8MB

MD5
9ed9651d012f3848dbdb36caf1be23e7

SHA1
940bd78348e453bdf0a56c8fbdb17e3d5365a526

SHA256
d09f066049fd3414c578612d7a41c7cba3be38d41ec250eb17644b36043b1d02

SHA512
d9e1fb6ca800203c7a53d9a28c146dabcd14d02fad97427d22ac002cc413bd84b487ad6793275567c5427fb5a85fae1211d6e2e7951decb5099d163db3ac1eb5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
23.3MB

MD5
fde444daa8a7b471b07da36a1fe4ced9

SHA1
2531a06d53346e44723afc908525bd4c817eefe1

SHA256
cdf8d9e967cdc01773978b1383cc08afa7ed02ae795dce75dcb5b60aaaeaca73

SHA512
bb543cb8472a536994388cb9ce2af60c6eeddcc2b8129cb58c710b4c6f003d0a957672ce4f6541b7587f35fca8a82ea12e3d57d1512e7c0cdbe3516f94519bb0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.1MB

MD5
12aeba734541577cceeccfcc8e1921e0

SHA1
2f5dedb2cbf3db24ec7fbc67646b340fa0afa842

SHA256
7d9e0e4e78b04ed500388d680a641944437050961a3e32e8c58db9498f1f599a

SHA512
81dacb118813876dec8d0acd338482aaef190f90aabb0703452d5dd66c549df9e6efd1ea5ee4d57804a5728427528fbbeb2b4e18ec7e31e030afde37dd01de21

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
194.3MB

MD5
6612cc06214d358b5516f441e380e973

SHA1
4df288e28d82f3d029ea1d77b31c973cb1035a92

SHA256
5af8f672ba2933cbaa743871da3b9eea509da21743370081e410103f5e030581

SHA512
01ee73f16e3ee011a8da1a416333d80c2eefb37b418be2ba1e061c319bac35af98e1954baeaddc0902a69a2e94a4f8f60aa5da3bba885725a150a1d940d16fcc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
211.2MB

MD5
96ae957aeb7ac989c70d5fea8bf82032

SHA1
fa65421f9b860c22251c02f9d34a3879abbfa894

SHA256
97cb038aa7267bc2c6740db0710245965d0ce95bfc9485216e6143fbf2d15ee7

SHA512
8159c2099194d299adf03c175453721b6df4ca46b1677ca8ba301716517665c524ea3b5de7903fe169e313564918ed63515d7f8b263172b0dcfd6aa5675219ae

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
216.1MB

MD5
357c8b0e87c548c2e4ec111430f5e3a7

SHA1
8fc82ba1a8d2466f710a505b37337b65d063a9da

SHA256
0aae23dc7981b6b6c916d7cdd0e1718a892771214c568257c443678cf320a4dc

SHA512
0d3793bdfa71b47cf6d5b5b70d35a8f642f9bc72005e46938d6fcf392e53c0b4a59510c615c7713afcd06017ecb08173d9c85bee85e850b367808ff9b186352e

Download Submit
memory/308-56-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/1004-93-0x000000006F380000-0x000000006F92B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-78-0x000000006F380000-0x000000006F92B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-75-0x00000000053E0000-0x0000000005552000-memory.dmp

Filesize
1.4MB

Download
memory/1032-65-0x0000000000A90000-0x0000000001204000-memory.dmp

Filesize
7.5MB

Download
memory/1032-66-0x0000000006520000-0x00000000068C0000-memory.dmp

Filesize
3.6MB

Download
memory/1928-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1928-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1984-69-0x000000006F630000-0x000000006FBDB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-70-0x000000006F630000-0x000000006FBDB000-memory.dmp

Filesize
5.7MB

Download
memory/1984-71-0x000000006F630000-0x000000006FBDB000-memory.dmp

Filesize
5.7MB

Download