aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
109s
max time network
146s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1752-66-0x00000000063D0000-0x0000000006770000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
2028	voiceadequovl.exe
1752	voiceadequovl.exe
1672	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1672	1752	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1056	powershell.exe
1668	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	voiceadequovl.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2028 wrote to memory of 1752	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1752	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1752	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1752	2028	voiceadequovl.exe	29
PID 1752 wrote to memory of 1056	1752	voiceadequovl.exe	30
PID 1752 wrote to memory of 1056	1752	voiceadequovl.exe	30
PID 1752 wrote to memory of 1056	1752	voiceadequovl.exe	30
PID 1752 wrote to memory of 1056	1752	voiceadequovl.exe	30
PID 1752 wrote to memory of 1456	1752	voiceadequovl.exe	32
PID 1752 wrote to memory of 1456	1752	voiceadequovl.exe	32
PID 1752 wrote to memory of 1456	1752	voiceadequovl.exe	32
PID 1752 wrote to memory of 1456	1752	voiceadequovl.exe	32
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1456 wrote to memory of 1668	1456	cmd.exe	35
PID 1456 wrote to memory of 1668	1456	cmd.exe	35
PID 1456 wrote to memory of 1668	1456	cmd.exe	35
PID 1456 wrote to memory of 1668	1456	cmd.exe	35
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34
PID 1752 wrote to memory of 1672	1752	voiceadequovl.exe	34

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1672
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:568
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1652
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:980
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1500
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
323.5MB

MD5
a54e7e9b1be9326082ca71ce93885886

SHA1
37c8d984a1c41308097f5b9a73dfcef18f2b62cf

SHA256
f72dd06ccb885be2a7e341802acd6d535f9c64c8cf63d91ae0b854ad8a849551

SHA512
77d208f060dabc60dd087d93d1c6ead00ad7b79fb4d09f811a6b7c26ff3400bad3d209ab9f631635306a98f0a54e3f0706d6b09d4b7a665dac3083e3c4c01509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
315.9MB

MD5
f12b8383f7c9a80cd87c36a146f79caa

SHA1
bc32881d5f5fda13f2cd2649fce300694d40351b

SHA256
1bfc9f88deaf30e8183c2eb383f12bf1631a0da8188396e300679b57fbf665d2

SHA512
d91f773c4ae222faeceb701db220cfce4cde2656c546b0a9bb63ce4e1fd978cb55ba50caa03dd46f2d6ddc3d31b029439fa6f0ce20b790c49c72179d86b008b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d7e1dc32aae639d36440e4a7907996ab

SHA1
771fd457a1cf60820481a2038deace6100a0f29d

SHA256
8892b08c4e1e1320eb26bc2b6decbb35abd31f5df205d7dcbf8c718e5ba5fdd4

SHA512
57fe06468db54f17669cf87cc8162bb18d21cb8a35a9e9690dcc59b8ef6f03de9f28b240cfe02c4774e82cd81496425f9812c0daa9545f547957b58e918cf963

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
246.1MB

MD5
e70b92d89f297d4b905d9042100024e0

SHA1
d66ae7b953a62c016dbafc061023474b475f3547

SHA256
baae88d4ee0fa5c22a732c4fb5c2708503bbe4b48d7b5f57959b27a1213cc261

SHA512
6cafc35a759465ae532c1a542f3f2057ac663cd3c6f18dabed602f7f0e89a53c9f7fddc74e956b0f52dd8c8dd61147ab81e6fc043ebfede5b517169741ee36a3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
226.2MB

MD5
1d1fd47d220e9688963d1fd1072afde7

SHA1
bf0322bbf7dfb0ecdc82739133b82f3483154f5c

SHA256
10d39601c696400f7f29490ada1a6d36fe98024feeb4d36f4e17c1c5faba89d6

SHA512
f36603e35cbbb947423c1ab0fb82676b5b7671df949b59207464388249d92649cb7ea811cac555d1f800dae8536e4a5010ba7bf22fcf8617caa63370c98fb0da

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
74.4MB

MD5
397310937c9c68b4ba2fa876bd9c05c6

SHA1
2d66ef228253982b5d5ab1db2d001bef5745b94f

SHA256
3d1796d65a5a96b40b689db6afd67875668853213c230b83c25fc569dc9149c6

SHA512
5b280e43856a336a3d3643b9bd831003f1af251d805f66dca28e188a37a43f5977d585b7c7f14556958181b32419df539d9fac6eb6b3707c187418e3972773b5

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
246.0MB

MD5
02183a1ca946ab05aeefdbbd27cb23b3

SHA1
e55b0d2f8bd835803e6dd015eb579d89163867dd

SHA256
5e1f378ff3e0b3df382cf7f3962062dcc19edca025d84365f89f8026fbf00fef

SHA512
de4b501c2125124e9f761ee7fdc3c9a21069804402871da02a70db4c691a44735ff0b87176f7be1e9d5d8a8b88062bbf4c2282ed92a87518bb29ba7600dce726

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
245.8MB

MD5
c169715a77c5526546200ecb7f8e4f63

SHA1
b89a10c43fa0f828740930b9c559a99a5ca84ab9

SHA256
be5cfa3d0fcbb591d814e2a6a7172633c0292267f95f8766265f19bd059abc18

SHA512
1d46e0ec4bcc69946610dfe9b2581bf525c2572bc8ec2f17fd1e7acdfd35f9420ee6569dfba40dfe050fc389a8251addf4e9738e2308586855e93d9668bf47f5

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.6MB

MD5
80559c94480bdc73dac94aaefaf7f729

SHA1
9cbeedf2233543a587df1ccfa3e00427d6e1c8ff

SHA256
d4838e790dadfb7d79b181992e11a7f5388c91375398d36b9a2a7de323538167

SHA512
b48fe5491579854b0fcb05a23db2463dccc61168e8d6c5d879f8bd543e28d9606c7c918f6e45bdef968667b6069fdb69fb375c5fefc7dfa2e5f64b37d1c44ee7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
248.4MB

MD5
e14baefef4f832d70bdd6b6c4ba0ef7b

SHA1
9e764a16f63f5401eb071cad46efd3c9196b8243

SHA256
50f5158f0e8f1fe9cb94df033b760a7bb3881a4e7dcfec8d124bc7c5b844b6ad

SHA512
a69f997ec7ba28a545e3513ba1dc7b8a5170b5de36767d0e2bf4527f07a66e37f3d7572f34bfe0696a13cc7b6461f581ccfcbf59af0128a5154169c4a3a99270

Download Submit
memory/1056-69-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-70-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-71-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-96-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/1668-93-0x0000000073CC0000-0x000000007426B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-99-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1752-73-0x00000000053F0000-0x0000000005562000-memory.dmp

Filesize
1.4MB

Download
memory/1752-66-0x00000000063D0000-0x0000000006770000-memory.dmp

Filesize
3.6MB

Download
memory/1752-65-0x0000000001180000-0x00000000018F4000-memory.dmp

Filesize
7.5MB

Download
memory/2028-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download