aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
138s
max time network
146s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1092-66-0x0000000006550000-0x00000000068F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1224	voiceadequovl.exe
1092	voiceadequovl.exe
1660	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1224	voiceadequovl.exe
1224	voiceadequovl.exe
1224	voiceadequovl.exe
1224	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
320	powershell.exe
1092	voiceadequovl.exe
1092	voiceadequovl.exe
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1092	voiceadequovl.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1224	832	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 832 wrote to memory of 1224	832	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 832 wrote to memory of 1224	832	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 832 wrote to memory of 1224	832	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1224 wrote to memory of 1092	1224	voiceadequovl.exe	29
PID 1224 wrote to memory of 1092	1224	voiceadequovl.exe	29
PID 1224 wrote to memory of 1092	1224	voiceadequovl.exe	29
PID 1224 wrote to memory of 1092	1224	voiceadequovl.exe	29
PID 1092 wrote to memory of 320	1092	voiceadequovl.exe	30
PID 1092 wrote to memory of 320	1092	voiceadequovl.exe	30
PID 1092 wrote to memory of 320	1092	voiceadequovl.exe	30
PID 1092 wrote to memory of 320	1092	voiceadequovl.exe	30
PID 1092 wrote to memory of 948	1092	voiceadequovl.exe	32
PID 1092 wrote to memory of 948	1092	voiceadequovl.exe	32
PID 1092 wrote to memory of 948	1092	voiceadequovl.exe	32
PID 1092 wrote to memory of 948	1092	voiceadequovl.exe	32
PID 948 wrote to memory of 1540	948	cmd.exe	34
PID 948 wrote to memory of 1540	948	cmd.exe	34
PID 948 wrote to memory of 1540	948	cmd.exe	34
PID 948 wrote to memory of 1540	948	cmd.exe	34
PID 1092 wrote to memory of 1660	1092	voiceadequovl.exe	35
PID 1092 wrote to memory of 1660	1092	voiceadequovl.exe	35
PID 1092 wrote to memory of 1660	1092	voiceadequovl.exe	35
PID 1092 wrote to memory of 1660	1092	voiceadequovl.exe	35
PID 1092 wrote to memory of 692	1092	voiceadequovl.exe	36
PID 1092 wrote to memory of 692	1092	voiceadequovl.exe	36
PID 1092 wrote to memory of 692	1092	voiceadequovl.exe	36
PID 1092 wrote to memory of 692	1092	voiceadequovl.exe	36
PID 1092 wrote to memory of 692	1092	voiceadequovl.exe	36
PID 1092 wrote to memory of 692	1092	voiceadequovl.exe	36

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1660
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:692
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1604
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
46cf4d25714199ce0d0171805dcee3f1

SHA1
17bfd9b06f26b04fe8d022540d9370c95b022a48

SHA256
a8c6357632d2f246a390e4e398aef636b95adc6f7c2fc7415dd4127e935a6895

SHA512
06a83d1c868a0f7532fd3c7cae0993e18c8e1f9e125ee4d662fea7f41465193578482cb9b3667f8a6124e5de15ed67f3604d1793712307a078bafdad47f4a9b7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
244.8MB

MD5
a0073ddbfdf1d2f6bfca991340d2d21b

SHA1
63adde7006d1da79fa64e30eb953fd2e20dbd6b7

SHA256
b29e60b76387685c4ba0d13a8b49278783b3f75961b8743ba55e2ba227d9f5bf

SHA512
e5843bc811dfa5ab608830ea2a067aa506dec455e75f03ba001e04ad28b015ac2a7f347c588dd2b712c0f2505392038fcdcf5a5126b9aaec170f4cd32db12adb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.2MB

MD5
585edf44154d6f55d2a673d9ac45e3af

SHA1
8fafac4f74ab57d5c0657ab4872654efca968f3d

SHA256
42c68251b21cc16ae5a90bb34a0fdaa0c6922a416bd4f0e1e10291a6af022a38

SHA512
2cc0146313aeb2477d2bfaf21812c02095545bb2efffa7206308de1cbb59c726c3c0d80a8d2ff4a3970a5497c459ab74e724750ad958b6821a6cb0db1cd7c194

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
22.6MB

MD5
054a994c94cb49e293c2f3401c416bd5

SHA1
12d4c96b093a646dab880037fd5252e0fe2a0e33

SHA256
f030d120bbda490b4a71988bad00538cb5f021fa6ee80867a9b64cbf502ac027

SHA512
ac25b72110af847b51a6b0190b69d75f3f51b4913d762530ad91e1fb51eb70ce5e48c581c1631977db175be53944c213b95c63421450c131a0ea51d351362427

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
21.0MB

MD5
86d74a3b5ab44071daa21a7ccf08290a

SHA1
daf91c6b9525feb9ee40af859db8fd6b8a4b616c

SHA256
53538685465b7765ec7f61114df20488169ec6d510635131cafcc5bcefb915d5

SHA512
9a599f30e16fc3b914d6a1ce90d85f9ce39b79f5f8c42f342dc9a3aa141b9311308788fa3796f15b0fe4c500d3a2bbe41b12863a5e7373bf52360c26ee344adf

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
272.9MB

MD5
86f9ddc3be53eb4ba042ee9d59c0afa0

SHA1
3a439a0c998c88a09427abb46f2835c9f01753c2

SHA256
ff5c5003787841483100ddd3ff95101359251dee68cc646d2ce320944f317c71

SHA512
08689af6e10d8561fbe7380ec7ef3e7708240202734be97802c7c4f0f9bf5281a9dd775e485c39b13e1a0f23243d2985a141a57abc163d77375618b7e69cf060

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.3MB

MD5
c804e72fc145377c63ee5bec10a7565f

SHA1
481db8053ad072d2d0eb1dc312142b6c026e1515

SHA256
97e32ebe2e7cbe0e4dac233471dba0c169bad5ec96cf84ccbd21b63081f3af91

SHA512
146719881a3eef1f7297a12f1818d578b96ef7694a914c3fac5cba2bd91acc17d235cf002ee4b8d46d5482255c7b8d7ef748821e7be06b0f79880bc7ffc060ea

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.9MB

MD5
99e65f9917ae9775805f610ba9dc496e

SHA1
4491ef651e65e35c0355dec961ae60da7591f60d

SHA256
766187024c040bfda80bd3ee1f4c0c3e1f810b04630dc810a9a46434ef23fb31

SHA512
29045fe65868b49409227295f02be217631059f0cc05aa72ba04bdaa8f3733960b34772d70766d9b48627407b74e65a7b3750596e3a133f8d299b8aa10786016

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
246.2MB

MD5
b21e77a5ac8143714802fba76a7230ee

SHA1
89dfdbca76dd7386320a7ee770f80a79d650e5db

SHA256
ac66b1bf4b4a32a0c14bb8413c13d10707690d194aeffcf7053b9b2ac6aef69e

SHA512
6da5ba85684b2c3dd143b30202e051013aaf2f7cd61c7fc7379e2b12dbfa64d1b915ff623b93e18f9c0cebb81b25d797c1d1bb327ff15a011bd1598bad33affd

Download Submit
memory/320-70-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/320-71-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/320-69-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/692-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/692-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1092-65-0x0000000000E70000-0x00000000015E4000-memory.dmp

Filesize
7.5MB

Download
memory/1092-66-0x0000000006550000-0x00000000068F0000-memory.dmp

Filesize
3.6MB

Download
memory/1092-74-0x0000000005400000-0x0000000005572000-memory.dmp

Filesize
1.4MB

Download
memory/1224-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1540-83-0x000000006F2B0000-0x000000006F85B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-95-0x000000006F2B0000-0x000000006F85B000-memory.dmp

Filesize
5.7MB

Download