aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
127s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1768-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

564 voiceadequovl.exe
1768 voiceadequovl.exe
704 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

564 voiceadequovl.exe
564 voiceadequovl.exe
564 voiceadequovl.exe
564 voiceadequovl.exe

pid	process
564	voiceadequovl.exe
1768	voiceadequovl.exe
704	voiceadequovl.exe

pid	process
564	voiceadequovl.exe
564	voiceadequovl.exe
564	voiceadequovl.exe
564	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1768 set thread context of 704 1768 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1004 powershell.exe
980 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1768 voiceadequovl.exe
Token: SeDebugPrivilege 1004 powershell.exe
Token: SeDebugPrivilege 980 powershell.exe

description	pid	process	target process
PID 1768 set thread context of 704	1768	voiceadequovl.exe	voiceadequovl.exe

pid	process
1004	powershell.exe
980	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1768	voiceadequovl.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1960 wrote to memory of 564	1960	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1960 wrote to memory of 564	1960	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1960 wrote to memory of 564	1960	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1960 wrote to memory of 564	1960	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 564 wrote to memory of 1768	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1768	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1768	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1768	564	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 1004	1768	voiceadequovl.exe	powershell.exe
PID 1768 wrote to memory of 1004	1768	voiceadequovl.exe	powershell.exe
PID 1768 wrote to memory of 1004	1768	voiceadequovl.exe	powershell.exe
PID 1768 wrote to memory of 1004	1768	voiceadequovl.exe	powershell.exe
PID 1768 wrote to memory of 932	1768	voiceadequovl.exe	cmd.exe
PID 1768 wrote to memory of 932	1768	voiceadequovl.exe	cmd.exe
PID 1768 wrote to memory of 932	1768	voiceadequovl.exe	cmd.exe
PID 1768 wrote to memory of 932	1768	voiceadequovl.exe	cmd.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 932 wrote to memory of 980	932	cmd.exe	powershell.exe
PID 932 wrote to memory of 980	932	cmd.exe	powershell.exe
PID 932 wrote to memory of 980	932	cmd.exe	powershell.exe
PID 932 wrote to memory of 980	932	cmd.exe	powershell.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe
PID 1768 wrote to memory of 704	1768	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:704

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3c44752bb13e02fe2fc1e490e6a9f819

SHA1
699630f29fe2fe0ab5c29f7f8e4edd2b75184fe4

SHA256
d28b55b5638fef065645ed3ff55297fcf1d8edbbadf027207de4b6d68529443d

SHA512
591383f1a15344795512751bb243445a7b43aad31958f41435a7a71e5d5a2d3736bf3c7b8fb8d0bfa06ca31ea9f79f0a540218891133b4ad7deeb8f5ddbffdde

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
285.7MB

MD5
53ba940026da1186aa689232a1f04c46

SHA1
57699f6b287edd62dc411a01a33a234b82a2c40b

SHA256
00872e7103eece8409382983ae0b5b3f4be362c079c0aa8c0a910cb026269485

SHA512
3f9220daa8285c57f9e9ea5854b0078e89c08ff76865add28b90c253489fc8a0f52876034cfc7d39ffbe52c13a9ada8bb72e9c73cab60be88cdcc89d1e8fad81

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
287.4MB

MD5
759d5669697e87492afbae5f06756257

SHA1
bb94aba31bf5065a18912b4a058b870c27019059

SHA256
b7607011ad2f05b1a838d44619bd8f319d01f8dd7c6d4c8aaddce59d62ef8712

SHA512
3c57563efa961cbe42c9470a1386aae646417141105e515176aef3181422064a411db25f08efac0454effb73a0606a5718e73383fc5bc51e6e7efaa6722e82f8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
84.0MB

MD5
5a9feddca62d3e66902044bda5606568

SHA1
f197d6a5588a42aa2388d1323429c5fa669dd0b4

SHA256
8aa81d07eb7ebfbbd4a470ac07009e6093e47cd83840a238214c9fdf4461cf6f

SHA512
6ad24bac6224eaae235d581657329a3d6cb6ef9c03699c83a7afe7f5b4f8d0316a39ec84e90a6900854133c2726eeab5fed707cd6528889b1aa2e3bf9c8575cb

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
289.6MB

MD5
c27c4d3e29f15a838146aa9fa638e94c

SHA1
5641c71d4b78b6c8fc8b34331b6513df17c3f33e

SHA256
c741d2f02bad3b571605d2aedf84d483818a357e15ebf4a0d19f7dc7af6899eb

SHA512
7071ae48924dd707eef83b360d9ada61a030d91c6ccdcfb33b597188f25114165287a3cc8b87dfef1468786818664041f09e34ac62310abdd6e0162436f36b85

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
222.4MB

MD5
43dba4fad8db9a658963eba80801ffa5

SHA1
267e86cf951ef8492dd8398115425b8458db2950

SHA256
78793f773dc037607d4df22289681bd238060bdc9f57fded90402662a1bd129a

SHA512
02fa14cef9ef36771a311bbe1f9bbc38487ce5e441e7e8ec866c7bf0f5d23496479be8b50a92837d7f98f3e1d2effbe0d65c87e6884a1412d695d42f96c07957

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
288.2MB

MD5
53995ae4099f794ee16f50d717156d0f

SHA1
3337a822536ade34334e426aef488d0dae31398c

SHA256
dbbccba00038c0668df77e24161fb7db760685c98d00bac245c89cacf5aac0ab

SHA512
40aaff9afb0ba02247c6b43fda1143a99cd29af4e18d8aba375dfd1c42f57be10e405a6d04469e009faf77dcc5f9659185a09a78befc60eaf3be11d1e5adeb4d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
284.5MB

MD5
34f2da0cd26fe7d0ab3a837f7f9829fc

SHA1
2a533d9eae05040e3193b5610eeffac594e0234f

SHA256
b525c75b440b8886c683391da542190ef7f26d00348bfb1ec0a9516a7056e936

SHA512
8f98bd932c76c06a574e75e32fc968ee1ab604d37e3cac69547a6cd44ad020acfc8cbfe7f5d86832c50f4fbdc9672b729700597dc3baceb8cdaf1bc831695499

Download Submit
memory/564-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/564-54-0x0000000000000000-mapping.dmp

Download
memory/704-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-90-0x0000000000464C20-mapping.dmp

Download
memory/704-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/932-72-0x0000000000000000-mapping.dmp

Download
memory/980-87-0x000000006F340000-0x000000006F8EB000-memory.dmp

Filesize
5.7MB

Download
memory/980-75-0x0000000000000000-mapping.dmp

Download
memory/1004-70-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-67-0x0000000000000000-mapping.dmp

Download
memory/1004-71-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/1004-69-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-97-0x0000000000000000-mapping.dmp

Download
memory/1608-95-0x0000000000000000-mapping.dmp

Download
memory/1768-73-0x0000000005370000-0x00000000054E2000-memory.dmp

Filesize
1.4MB

Download
memory/1768-65-0x0000000000AD0000-0x0000000001244000-memory.dmp

Filesize
7.5MB

Download
memory/1768-62-0x0000000000000000-mapping.dmp

Download
memory/1768-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download