aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
133s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-02-2023 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/672-66-0x00000000064C0000-0x0000000006860000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 4 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

852 voiceadequovl.exe
672 voiceadequovl.exe
828 voiceadequovl.exe
820 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

852 voiceadequovl.exe
852 voiceadequovl.exe
852 voiceadequovl.exe
852 voiceadequovl.exe

pid	process
852	voiceadequovl.exe
672	voiceadequovl.exe
828	voiceadequovl.exe
820	voiceadequovl.exe

pid	process
852	voiceadequovl.exe
852	voiceadequovl.exe
852	voiceadequovl.exe
852	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 672 set thread context of 820 672 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exevoiceadequovl.exe

pid process

1328 powershell.exe
672 voiceadequovl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 672 voiceadequovl.exe
Token: SeDebugPrivilege 1328 powershell.exe

description	pid	process	target process
PID 672 set thread context of 820	672	voiceadequovl.exe	voiceadequovl.exe

pid	process
1328	powershell.exe
672	voiceadequovl.exe

description	pid	process
Token: SeDebugPrivilege	672	voiceadequovl.exe
Token: SeDebugPrivilege	1328	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1292 wrote to memory of 852	1292	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1292 wrote to memory of 852	1292	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1292 wrote to memory of 852	1292	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1292 wrote to memory of 852	1292	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 852 wrote to memory of 672	852	voiceadequovl.exe	voiceadequovl.exe
PID 852 wrote to memory of 672	852	voiceadequovl.exe	voiceadequovl.exe
PID 852 wrote to memory of 672	852	voiceadequovl.exe	voiceadequovl.exe
PID 852 wrote to memory of 672	852	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 1328	672	voiceadequovl.exe	powershell.exe
PID 672 wrote to memory of 1328	672	voiceadequovl.exe	powershell.exe
PID 672 wrote to memory of 1328	672	voiceadequovl.exe	powershell.exe
PID 672 wrote to memory of 1328	672	voiceadequovl.exe	powershell.exe
PID 672 wrote to memory of 1624	672	voiceadequovl.exe	cmd.exe
PID 672 wrote to memory of 1624	672	voiceadequovl.exe	cmd.exe
PID 672 wrote to memory of 1624	672	voiceadequovl.exe	cmd.exe
PID 672 wrote to memory of 1624	672	voiceadequovl.exe	cmd.exe
PID 672 wrote to memory of 828	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 828	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 828	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 828	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 1624 wrote to memory of 2028	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 2028	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 2028	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 2028	1624	cmd.exe	powershell.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe
PID 672 wrote to memory of 820	672	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:2028

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:828

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:820

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
6d9e576d2cf0e9b8288cf04410f6fb49

SHA1
f2388856ee1e739f974d6574dda14c07e8ce6a56

SHA256
ab70c99d57bec3411cec63602d4361acac28e330234e3f48c1923c0af2be65e4

SHA512
42868885fb7ee009f417f466ffd40d5cd0091303425f37640156a424ef67769c7e53d22909ff67c94164eef57f5216a335090a1ffc0a10a0d5c70b06703f52e5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
258.2MB

MD5
765bd0a6d8fcb757f2f2a2fbae7d5994

SHA1
ee6547a2a654f28882f54da0f13aab0aa2a1bdb7

SHA256
5fa782585ac4207fea1bc652349cc109c32e90d704a05b6e2ce1bad3ff3ec2c2

SHA512
86d767bed1b5a2a65ef854c72ce5c0abd902c8873c9e049b79170f12f2ccacd4da71965055a557235eba56b43c101d96c9485a83dafc2330c1959765109fb3f0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
248.5MB

MD5
eb6de7263277328b64588a4d7e694a22

SHA1
d9fa9773243fa77262c997d831c306b388cbf34f

SHA256
e246ec93ca1b9edb6246203aa61fe6351e7571904fefd26f91a17545d6535a28

SHA512
6826bb9f96f2896e8fe42452a19a5ccb0d214d0dc866e9102e8470bc25f7d2a992d1fa43bd9a02055b3beaa2bcf7c9922fc9b66588a4c7fc8a68b708946638bf

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
31.1MB

MD5
5f9263146730b4d013eb7c96b816a7ed

SHA1
ec1ff7926bcfcaffc4db3278b3d91b9f64951986

SHA256
af69a7cbe443957dfd5b587d4898ea232f160bab161e3222e752edfc42e5bb91

SHA512
69c52efe513056fc51b9687ebc642cc128ad4b16588f804e470b862c6bc2eb6924b4f7749bf4f0994006882cbd3ffce514e70b200bb364b6a787846569ed5e72

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
31.3MB

MD5
8ff0f690029d09eddc1dcefbad707078

SHA1
8faa4d47667e090b97d457def647c5d52fe1b872

SHA256
1c4c5079909379f1e3afdf108b091151e069260688814838414e482ca278a9f0

SHA512
c94f81e1048ea626191481b15e92b33ae89dc4057d377e56ddbbee4231d01f2f1a362f87a81e373bf5082d325531880feb2a756257f1b7ab6efd2de4cd6dc9f1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
203.2MB

MD5
5aec1c762313da973326340c70bf7d56

SHA1
bb3655adde0de4a6cf90595c734e5fc5d8022003

SHA256
23e43de223ad43d98d8d7d011dde6a09abd3120590978460e554aded095a08d8

SHA512
6a653ae4f4901227963b653f02e8382421d76bb4d188135e61f48f2b7f1ab65fe207c180be1830e3fb5d4586044b421398d790626f612c1aa2659c15bcaae691

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
260.3MB

MD5
cd4c45dbed8a85576b8179227d0b982a

SHA1
6bfe74ea911367c4f8f699d6ea58b46bd0381e6e

SHA256
fbf59c30c53444ed92b87b4a0d355a985b5d9dc9a48eb4f42552edea6d3992e4

SHA512
9cd78291969f25375c304fee89ded0849107c3346189cb20a45f36343f6806701580a83af7b34c216a76cc963603f8da57db2f0401a4ae2ada93f61384e7d061

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
245.5MB

MD5
9ad74f3a4f301def6afe1a9606eb43c5

SHA1
dd9c3cce6e9872be804405447a39347376dfe699

SHA256
ea8196fa6793d3ec58edaa6e4d1bfdef772a81ed8937fc8a2b046285e95f9fce

SHA512
bb1a66c2e903df678a9ba531af2aac55a734e581be6bd2db5ab03cea06b216c47c2e2a98a89ae2ecc25a4a385759f6c708ebbb72007f8c3a6c55dc185cc8b0dc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
207.2MB

MD5
b6cbc3eb5109fa720a8d49613dd5d376

SHA1
188e3eabc808a5d2f4d51e8954ff99896675151d

SHA256
c327b69285b52f03989eb8935ff2f62de1dbfd63b65ad92228d2c16fb548a84b

SHA512
f7295e236da4758c9fa6c452b40622aadd95c237d61cdc5835b4d666c14a2001b5612588d6f4b81232bb93976c98c78e88a71327fbf194cde1a0ff87a5b9d34d

Download Submit
memory/672-73-0x00000000053C0000-0x0000000005532000-memory.dmp

Filesize
1.4MB

Download
memory/672-65-0x0000000000900000-0x0000000001074000-memory.dmp

Filesize
7.5MB

Download
memory/672-66-0x00000000064C0000-0x0000000006860000-memory.dmp

Filesize
3.6MB

Download
memory/672-62-0x0000000000000000-mapping.dmp

Download
memory/820-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-89-0x0000000000464C20-mapping.dmp

Download
memory/820-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/820-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/852-56-0x00000000759C1000-0x00000000759C3000-memory.dmp

Filesize
8KB

Download
memory/852-54-0x0000000000000000-mapping.dmp

Download
memory/1328-67-0x0000000000000000-mapping.dmp

Download
memory/1328-69-0x000000006F9F0000-0x000000006FF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-70-0x000000006F9F0000-0x000000006FF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-71-0x000000006F9F0000-0x000000006FF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-99-0x0000000000000000-mapping.dmp

Download
memory/1624-72-0x0000000000000000-mapping.dmp

Download
memory/1904-97-0x0000000000000000-mapping.dmp

Download
memory/2028-76-0x0000000000000000-mapping.dmp

Download
memory/2028-95-0x000000006F510000-0x000000006FABB000-memory.dmp

Filesize
5.7MB

Download
memory/2028-96-0x000000006F510000-0x000000006FABB000-memory.dmp

Filesize
5.7MB

Download