aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
105s
max time network
143s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1504-66-0x00000000065F0000-0x0000000006990000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

2036 voiceadequovl.exe
1504 voiceadequovl.exe
1824 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

2036 voiceadequovl.exe
2036 voiceadequovl.exe
2036 voiceadequovl.exe
2036 voiceadequovl.exe

pid	process
2036	voiceadequovl.exe
1504	voiceadequovl.exe
1824	voiceadequovl.exe

pid	process
2036	voiceadequovl.exe
2036	voiceadequovl.exe
2036	voiceadequovl.exe
2036	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exevoiceadequovl.exepowershell.exe

pid process

896 powershell.exe
1504 voiceadequovl.exe
1504 voiceadequovl.exe
1912 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1504 voiceadequovl.exe
Token: SeDebugPrivilege 896 powershell.exe
Token: SeDebugPrivilege 1912 powershell.exe

pid	process
896	powershell.exe
1504	voiceadequovl.exe
1504	voiceadequovl.exe
1912	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1504	voiceadequovl.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1712 wrote to memory of 2036	1712	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1712 wrote to memory of 2036	1712	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1712 wrote to memory of 2036	1712	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1712 wrote to memory of 2036	1712	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2036 wrote to memory of 1504	2036	voiceadequovl.exe	voiceadequovl.exe
PID 2036 wrote to memory of 1504	2036	voiceadequovl.exe	voiceadequovl.exe
PID 2036 wrote to memory of 1504	2036	voiceadequovl.exe	voiceadequovl.exe
PID 2036 wrote to memory of 1504	2036	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 896	1504	voiceadequovl.exe	powershell.exe
PID 1504 wrote to memory of 896	1504	voiceadequovl.exe	powershell.exe
PID 1504 wrote to memory of 896	1504	voiceadequovl.exe	powershell.exe
PID 1504 wrote to memory of 896	1504	voiceadequovl.exe	powershell.exe
PID 1504 wrote to memory of 1788	1504	voiceadequovl.exe	cmd.exe
PID 1504 wrote to memory of 1788	1504	voiceadequovl.exe	cmd.exe
PID 1504 wrote to memory of 1788	1504	voiceadequovl.exe	cmd.exe
PID 1504 wrote to memory of 1788	1504	voiceadequovl.exe	cmd.exe
PID 1788 wrote to memory of 1912	1788	cmd.exe	powershell.exe
PID 1788 wrote to memory of 1912	1788	cmd.exe	powershell.exe
PID 1788 wrote to memory of 1912	1788	cmd.exe	powershell.exe
PID 1788 wrote to memory of 1912	1788	cmd.exe	powershell.exe
PID 1504 wrote to memory of 1824	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1824	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1824	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1824	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1216	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1216	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1216	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1216	1504	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1824

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1216

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:768

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1988

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
244.2MB

MD5
4d43c90e278dd1b90877d4b2bdb80f72

SHA1
7235ad16129d04a63324a78139a7849b3fed0b97

SHA256
ad3d30b99aa9dbd9907cf19fe5ca07f729062e326942848c4acf33349d26be18

SHA512
7877c13eee00738fd2e4fd8ea36cf2538872e48af4d5a7bddb707688fdd963aee6935dceebd72a8bbbfda8b263be5527d9bf748d24cc07ebde81609f26f2b64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0995c69ccceac858d8fddb26bf8d7a5f

SHA1
4ba50f6fb4e048c0f00520b35a7ea235fe94c472

SHA256
ef64585638c0689a68755360e52ec028e5fa5ea2da5c98a301200f45ce3af933

SHA512
a4463def419b85f5dab4158696fbb5fa2d73e121d5e00612cfe559ad3007bb766918ec16199f29085f9aceb7885b601f831aaf8501ac6885a66e5fbccc1017f2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
299.2MB

MD5
fd0b4232c0b04707da53a7b688980275

SHA1
d941c4e84662e7229a650d308b870bc183214de6

SHA256
01456fa98348474c7c784d4578f3c0dd180b678dde03fae78072c72ff80a6731

SHA512
78f24cb0cfeb24e699b756d78993f643a203fbf22f924b973810dfce0ff2baec79cd253031d4010dc2d36fd1f5b69784e4b0e90fecb9a8c5a0d4e2e72f18a3f8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
252.2MB

MD5
235a0e910f5b12a2ecb38396a6d51748

SHA1
1f1659d1c836b1295f263f9ac57aa901890018b7

SHA256
b5573d26e50ecb9e15fbd7779beed44532126070c723013953a7cdcb6db8cd8e

SHA512
7d77e11ed1a8d42f934d40869713ad8b28ac6c9a665e56c5c0ea5a478d60fa1cd92e3e87443504516672b8975418921dbd2c6a1aafd088e93175872fd345c5b3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
80.4MB

MD5
25b4855f69334cc031a924fba8617e26

SHA1
7d02852c7e0769342345e090b930e7bd163f861a

SHA256
ebacc2f75d124f32f977c00341e4fe828d1e48b4afb98a92798120707c07d90a

SHA512
b18792c41954999e7a7038ce219cfa77b1ff379d220e5990a5df56add3380f4554021bbb1542fac8cd203d64750e055476062cea77a8f58bb0d8a2cdb6a14da9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
79.6MB

MD5
6bc3ed58a9e7c842909c8909a8528fa3

SHA1
69cdd9c1f7e984166f4dcb1d4d6afb4054c7ec72

SHA256
e98d61c2e24b9b0f8d81ba38b9539a6aa902d9f0fa96987b5efb55cb6538afb9

SHA512
be760dd9f1c8ce4f52b6a006d9eb9540251e2691664473fb59cc930fa398a520b576529a0900888b68363129fed9fb4a0da4ac2e1000ede637cf0cb3678b4614

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
271.9MB

MD5
7b8fbe347b25e88437dbe3ba8df74941

SHA1
75f3baf087f24afe56961f53ec90c6c6e64568b4

SHA256
9189dbee8826c29854bedf81e2a186a238f1c8912228f311b40ac00ef1f9b13f

SHA512
b0d5c81d9c91eca55ac34a24e11768fe2d4e2933ac71a1fed4e179e31fec6e83c3f94e83979040429f5694fd28015c306116d1c7760a032181f6efd13d9bf9c7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
311.5MB

MD5
d2c8b31be30bef73f06e38c8fc3734e9

SHA1
d96cc767dc15cb1a689c053c5789969620680a44

SHA256
cd8efd73c7dd252d940ee670073e860d2d38b6eb41b406ccd95295e21d7e6ba2

SHA512
7b38e9ab64670866421d874e582176fcc50da74e63873412b7420c7e8de757e0724032958663ca48d9e1a7e32ac867871cdffe94244291634ef6a9ca36024fee

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
299.6MB

MD5
d19ff3ed6ecc18be713eb33f007ac354

SHA1
6c36085eac1bdfb7918acbfa694b88b72a0fd2b8

SHA256
7e9292f542d4ef3dc8e296166d667add8c80e24fdfa7086300c3137c8a954758

SHA512
4224349cc6e09aa32e5f48ecf072802f9a433e9eab57d410657be5cef52dd5be713848976a046386411c4de2cf460208a006ba622f6bd38eec90cba133304805

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
310.2MB

MD5
7ec37b234ab8d893aea1b47c0004ca5a

SHA1
ce51fc042d5004ba12f08c368e4360c408329980

SHA256
f919958168437e09c968cf699e0b7d839ccb81570b6eae82c7847bc46d032040

SHA512
e59469a0c779b10c84dfc0e591db4ba875add720f5017e75390506928a3fb7523a2d3f48853c42c91d848c39c0bb42166936397bb7d939ca9527daf77c84fefb

Download Submit
memory/768-99-0x0000000000000000-mapping.dmp

Download
memory/896-67-0x0000000000000000-mapping.dmp

Download
memory/896-71-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/896-69-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/896-70-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/1216-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-98-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-91-0x0000000000464C20-mapping.dmp

Download
memory/1216-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-62-0x0000000000000000-mapping.dmp

Download
memory/1504-65-0x00000000011C0000-0x0000000001934000-memory.dmp

Filesize
7.5MB

Download
memory/1504-66-0x00000000065F0000-0x0000000006990000-memory.dmp

Filesize
3.6MB

Download
memory/1504-73-0x00000000053C0000-0x0000000005532000-memory.dmp

Filesize
1.4MB

Download
memory/1624-97-0x0000000000000000-mapping.dmp

Download
memory/1788-72-0x0000000000000000-mapping.dmp

Download
memory/1912-89-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-95-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-74-0x0000000000000000-mapping.dmp

Download
memory/1988-100-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000000000000-mapping.dmp

Download
memory/2036-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download