aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
127s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1568-66-0x00000000064C0000-0x0000000006860000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1632 voiceadequovl.exe
1568 voiceadequovl.exe
1056 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1632 voiceadequovl.exe
1632 voiceadequovl.exe
1632 voiceadequovl.exe
1632 voiceadequovl.exe

pid	process
1632	voiceadequovl.exe
1568	voiceadequovl.exe
1056	voiceadequovl.exe

pid	process
1632	voiceadequovl.exe
1632	voiceadequovl.exe
1632	voiceadequovl.exe
1632	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1568 set thread context of 1056 1568 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1292 powershell.exe
1888 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1568 voiceadequovl.exe
Token: SeDebugPrivilege 1292 powershell.exe
Token: SeDebugPrivilege 1888 powershell.exe

description	pid	process	target process
PID 1568 set thread context of 1056	1568	voiceadequovl.exe	voiceadequovl.exe

pid	process
1292	powershell.exe
1888	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1568	voiceadequovl.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 912 wrote to memory of 1632	912	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 912 wrote to memory of 1632	912	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 912 wrote to memory of 1632	912	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 912 wrote to memory of 1632	912	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1632 wrote to memory of 1568	1632	voiceadequovl.exe	voiceadequovl.exe
PID 1632 wrote to memory of 1568	1632	voiceadequovl.exe	voiceadequovl.exe
PID 1632 wrote to memory of 1568	1632	voiceadequovl.exe	voiceadequovl.exe
PID 1632 wrote to memory of 1568	1632	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1292	1568	voiceadequovl.exe	powershell.exe
PID 1568 wrote to memory of 1292	1568	voiceadequovl.exe	powershell.exe
PID 1568 wrote to memory of 1292	1568	voiceadequovl.exe	powershell.exe
PID 1568 wrote to memory of 1292	1568	voiceadequovl.exe	powershell.exe
PID 1568 wrote to memory of 968	1568	voiceadequovl.exe	cmd.exe
PID 1568 wrote to memory of 968	1568	voiceadequovl.exe	cmd.exe
PID 1568 wrote to memory of 968	1568	voiceadequovl.exe	cmd.exe
PID 1568 wrote to memory of 968	1568	voiceadequovl.exe	cmd.exe
PID 968 wrote to memory of 1888	968	cmd.exe	powershell.exe
PID 968 wrote to memory of 1888	968	cmd.exe	powershell.exe
PID 968 wrote to memory of 1888	968	cmd.exe	powershell.exe
PID 968 wrote to memory of 1888	968	cmd.exe	powershell.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe
PID 1568 wrote to memory of 1056	1568	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1056

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:536

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:2032

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
294260811e3f5e866ea059903b3f7d24

SHA1
f11f8e681626287dc4646da895ace97230794c4b

SHA256
c99f4e6fba1b9635c1733a1867dd43300f2fc3be54ba85f3e62700222e887f31

SHA512
f099f17455d69a90883984db384f012df19abf7e1c9ec168dcc2ad9bfdd0a196adf4887d328fa96ab148001efdc260bbf0c3b9dc4a0bdb1ea810fa2305d8dead

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
196.1MB

MD5
e8fa852329a93a1eded138240827be4e

SHA1
1e15388ec83b3267af1a22acc9866831c356367d

SHA256
ab4d7e0c3d134e511feb7b8a8c972e9c12e3464709e59745cb8ba391bbbc6452

SHA512
e7aef5d253999c1c5639d2754726b88e9dfb19ab42b52cd5037165bbc8a646ce4603e8363f2c068e7566b8b8194fed230eca3f2a8de4ee8e1ad0ff1ac588df86

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
195.2MB

MD5
93375553023188a81dc059dc81810ea7

SHA1
53e374f4588e1fd9cc8b2e66f1ce13bdfffe25cc

SHA256
176158d36d14abae4ee6ca7fc167b9389408930d74eaff9ab58e4ca1e57724ec

SHA512
73cda2b068a200b30d00fbe06b7f6f0a46d75068b3d8f6d33469a9663bfdcac5e405589b13cdba14b39acc10c3f6ecd6178bbef6c939605ff772ac0e6efe22fe

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
35.7MB

MD5
60d15cd9e0a7781d04157c5ff49d8be1

SHA1
4b2538d5e5c9c54dbfb4e58968719630b306066d

SHA256
90298ded971bd873723943a67c6845e198ff139b2b3c33bfa0d4b8cb966f1ecb

SHA512
8edb862a02a5fb93853e898dc30f003e7ba35c8e1de0187d52c911561d4b15ab32b82d0b707e7082d50235b82030a5e980e8327caa11981203c7ccbe46da0820

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
199.1MB

MD5
258f917e65edcac311ad3211324242bf

SHA1
db0a4915fb1618afb1956bb994c3c6af30d357a2

SHA256
b81d37c208b3fb37be44b7e015b7cf31f11df50809db5a44a65301f05eac516b

SHA512
940ea0095995034864d93c144027a1ac62055fdc2b54397b3238cbf56e95f16cce9998f9999d64b5f2d566d4f799ae2c734c70f161a16c9f43e2de635370b5a2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
199.5MB

MD5
6724592f8ee7a64520ece7f39df42292

SHA1
0118eb2e4580ff37262693e8dc124f0713a3e63c

SHA256
a5cb67d81e9ab0695d28c65ec653aec6a579cb4c7c7a835ad4880ecd40c6ded8

SHA512
e960eee0c14a3263c7c64d70a18bbdd2bc27c7cd210c67ed6f3da78add56a5aceede5e73c60c755ab829be602b7e9775012c3f4eddf5c37e465300bf3f399b76

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
195.2MB

MD5
93375553023188a81dc059dc81810ea7

SHA1
53e374f4588e1fd9cc8b2e66f1ce13bdfffe25cc

SHA256
176158d36d14abae4ee6ca7fc167b9389408930d74eaff9ab58e4ca1e57724ec

SHA512
73cda2b068a200b30d00fbe06b7f6f0a46d75068b3d8f6d33469a9663bfdcac5e405589b13cdba14b39acc10c3f6ecd6178bbef6c939605ff772ac0e6efe22fe

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
181.4MB

MD5
3083785b7b5f1f90f24c3c6a776bb39a

SHA1
924adb0268c1657d9a1a2f0fd9532790891da5b0

SHA256
a34e44ee872e05731b467e4ddb5f9fdff739d989eebb534dec125046058a3bbe

SHA512
3d20670de32cc43fc73fbda4d7daf8e60e2fe2d1f5f11ba3186dba65e67f530208b68c6fdedca14f889a81e4e4848d40f817a8c5dcae87e73748dcd91e3ec377

Download Submit
memory/536-97-0x0000000000000000-mapping.dmp

Download
memory/968-72-0x0000000000000000-mapping.dmp

Download
memory/1056-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-89-0x0000000000464C20-mapping.dmp

Download
memory/1056-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1056-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-100-0x0000000000000000-mapping.dmp

Download
memory/1292-71-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-70-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-69-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/1292-67-0x0000000000000000-mapping.dmp

Download
memory/1568-65-0x0000000000F00000-0x0000000001674000-memory.dmp

Filesize
7.5MB

Download
memory/1568-62-0x0000000000000000-mapping.dmp

Download
memory/1568-74-0x00000000053E0000-0x0000000005552000-memory.dmp

Filesize
1.4MB

Download
memory/1568-66-0x00000000064C0000-0x0000000006860000-memory.dmp

Filesize
3.6MB

Download
memory/1632-54-0x0000000000000000-mapping.dmp

Download
memory/1632-56-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1648-96-0x0000000000000000-mapping.dmp

Download
memory/1720-98-0x0000000000000000-mapping.dmp

Download
memory/1888-94-0x000000006FAC0000-0x000000007006B000-memory.dmp

Filesize
5.7MB

Download
memory/1888-90-0x000000006FAC0000-0x000000007006B000-memory.dmp

Filesize
5.7MB

Download
memory/1888-73-0x0000000000000000-mapping.dmp

Download
memory/2032-99-0x0000000000000000-mapping.dmp

Download