aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
134s
max time network
142s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1176-66-0x00000000064A0000-0x0000000006840000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
2036	voiceadequovl.exe
1176	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2036	voiceadequovl.exe
2036	voiceadequovl.exe
2036	voiceadequovl.exe
2036	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
708	powershell.exe
2012	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	voiceadequovl.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2036	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1748 wrote to memory of 2036	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1748 wrote to memory of 2036	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1748 wrote to memory of 2036	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2036 wrote to memory of 1176	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 1176	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 1176	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 1176	2036	voiceadequovl.exe	29
PID 1176 wrote to memory of 708	1176	voiceadequovl.exe	30
PID 1176 wrote to memory of 708	1176	voiceadequovl.exe	30
PID 1176 wrote to memory of 708	1176	voiceadequovl.exe	30
PID 1176 wrote to memory of 708	1176	voiceadequovl.exe	30
PID 1176 wrote to memory of 364	1176	voiceadequovl.exe	32
PID 1176 wrote to memory of 364	1176	voiceadequovl.exe	32
PID 1176 wrote to memory of 364	1176	voiceadequovl.exe	32
PID 1176 wrote to memory of 364	1176	voiceadequovl.exe	32
PID 1176 wrote to memory of 1048	1176	voiceadequovl.exe	34
PID 1176 wrote to memory of 1048	1176	voiceadequovl.exe	34
PID 1176 wrote to memory of 1048	1176	voiceadequovl.exe	34
PID 1176 wrote to memory of 1048	1176	voiceadequovl.exe	34
PID 364 wrote to memory of 2012	364	cmd.exe	35
PID 364 wrote to memory of 2012	364	cmd.exe	35
PID 364 wrote to memory of 2012	364	cmd.exe	35
PID 364 wrote to memory of 2012	364	cmd.exe	35
PID 1176 wrote to memory of 1048	1176	voiceadequovl.exe	34
PID 1176 wrote to memory of 1048	1176	voiceadequovl.exe	34
PID 1176 wrote to memory of 1048	1176	voiceadequovl.exe	34

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1048
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1d66e6927e0a41791f41d6188ca9dd11

SHA1
06f0c5feadc0ef7cbad2346f3087327e2fd24696

SHA256
ed083681f5819e182b5bff3dfa07c45dea8a2f981d6bf251c70300a0927efe1d

SHA512
8909714c09b45ff68ef7dfaea446644507bc76074950a1e6693d5f6a3d1ca31c3468aa8a019752fb1a3420ba681a6ca898258f72bebaaf11c3014d35dd98e019

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
242.6MB

MD5
def278d4548ab60c362f11b0a8b75417

SHA1
dde068037843b24051aa1ce4288167d948db2b1b

SHA256
71720aaffcc72716170a99051d2f7a1fa075fbc84d5cf9c4859df285eb898929

SHA512
8bc428afc868d7f8c5e357ada273ffad188e4c47d7a48d44211477e1dab295968fbe18018a6f4dfaba6ebbcf5485d2583a3a62297a6fa45d48069f3a93fb5fa3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
242.1MB

MD5
553ebc6282f39fbcd51f84be47b6746f

SHA1
c70e142896757183085dd4cc214c6d29b60adb1b

SHA256
552686b15caca921787a21f2dddb545a3e184128613ddecdb1fb790ccc7f3e6a

SHA512
a6cf88f3faf6af2c6da2b66478cc950d7c0af985f368d46780465dc980a714620962f0cab1da496a03abf2c532ff8c77b4a69270ea95360cc4341aedf1f5ed04

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
29.8MB

MD5
3f2aaabf8240847885d9b9eaa40b54c4

SHA1
4e2202ea7aec2f497ebb3caeb861dd065c5723d3

SHA256
903955f4ce504416f47ad11ae4f4791402f726cbb4b957b5c75e4513c8d768c0

SHA512
e407c6f1d003eb7d0ca820ddbfb5866797586b919f0e2f41a0e6163823c138c4084c56bb76d17e753f0542d3dc2b9effd67aba9a2b821aa35b0779ff60a3026d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
261.6MB

MD5
94beabf86021d74d979509384d7ae3d3

SHA1
f1fe173f3fff84308cc20ab8e9a495d30ab72875

SHA256
ee87fd6465137ec216e320131cdc5793d6edfc512925456d3af490caf007af7b

SHA512
d28498bd3364863a5316cb36ad78903d57b0a6e377f4272d3d28890a613bcfe8a368e3066d3ed7ccf5329f71ffc416100aaa4ead58c913622b7326945e24e85a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
221.8MB

MD5
90e7c8111992d356c60975cf0907f333

SHA1
bacef1cad47e4cc3623813848dbe7a12ed5ab260

SHA256
7cd61473450b9b764bbabb1fc1f5ba2c03ac05a52b211cc168fca87c4875b684

SHA512
e2e0a251a72718bf38c4ca1f2194405908b52e75466adf09860c1ba444d6290bda928802c308c0cbdf0a24c5c39cfc6a84f923e270b11dc5194483d3ac10fcae

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.9MB

MD5
302bfe7274fcefc83971e0e13c6a1a69

SHA1
cff1faa03c68ebd081a7e6361b9b566eb768c984

SHA256
c7329c16a892ccc839bc1d70a4591e16dee026225d0af7e2878cdb6be505a511

SHA512
b30f2b615c1fe0045ecd5bb3d93f00b28597e60a6016d7d211e780b797d8f4ad9357c3c4c170862960273565cb7a235baeacb72947ef2c3753d72b1a8f2246e9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.8MB

MD5
ad54695bbaf35354b16f2fd96bcc59ee

SHA1
08e40d28816cb36c5d4406d87632e119580897e7

SHA256
1428d79050870d0a7463da6c86dfc695837014d57d308b821d9582d16f9492b3

SHA512
5047fbdd0b82c527da1649b2fc997eb79db60326e6ca49507e5815bcd6232de8ac95c820c729b014aa1750082e2ec1a0ee3dd55a736111a04c274485a7022bfd

Download Submit
memory/708-71-0x000000006FAE0000-0x000000007008B000-memory.dmp

Filesize
5.7MB

Download
memory/708-70-0x000000006FAE0000-0x000000007008B000-memory.dmp

Filesize
5.7MB

Download
memory/708-69-0x000000006FAE0000-0x000000007008B000-memory.dmp

Filesize
5.7MB

Download
memory/1048-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1048-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1176-66-0x00000000064A0000-0x0000000006840000-memory.dmp

Filesize
3.6MB

Download
memory/1176-73-0x00000000052C0000-0x0000000005432000-memory.dmp

Filesize
1.4MB

Download
memory/1176-65-0x0000000001390000-0x0000000001B04000-memory.dmp

Filesize
7.5MB

Download
memory/2012-94-0x000000006F820000-0x000000006FDCB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-56-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download