aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
111s
max time network
170s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1240-66-0x00000000065E0000-0x0000000006980000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
284	voiceadequovl.exe
1240	voiceadequovl.exe
1548	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
284	voiceadequovl.exe
284	voiceadequovl.exe
284	voiceadequovl.exe
284	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1240 set thread context of 1548	1240	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1384	powershell.exe
1904	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1240	voiceadequovl.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 284	956	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 956 wrote to memory of 284	956	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 956 wrote to memory of 284	956	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 956 wrote to memory of 284	956	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 284 wrote to memory of 1240	284	voiceadequovl.exe	29
PID 284 wrote to memory of 1240	284	voiceadequovl.exe	29
PID 284 wrote to memory of 1240	284	voiceadequovl.exe	29
PID 284 wrote to memory of 1240	284	voiceadequovl.exe	29
PID 1240 wrote to memory of 1384	1240	voiceadequovl.exe	30
PID 1240 wrote to memory of 1384	1240	voiceadequovl.exe	30
PID 1240 wrote to memory of 1384	1240	voiceadequovl.exe	30
PID 1240 wrote to memory of 1384	1240	voiceadequovl.exe	30
PID 1240 wrote to memory of 1436	1240	voiceadequovl.exe	32
PID 1240 wrote to memory of 1436	1240	voiceadequovl.exe	32
PID 1240 wrote to memory of 1436	1240	voiceadequovl.exe	32
PID 1240 wrote to memory of 1436	1240	voiceadequovl.exe	32
PID 1436 wrote to memory of 1904	1436	cmd.exe	34
PID 1436 wrote to memory of 1904	1436	cmd.exe	34
PID 1436 wrote to memory of 1904	1436	cmd.exe	34
PID 1436 wrote to memory of 1904	1436	cmd.exe	34
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35
PID 1240 wrote to memory of 1548	1240	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:284
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1384
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1548
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1168
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:476
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1260
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
225.4MB

MD5
fdd9819ac6120f42ceac24d99cac9068

SHA1
dcb2e98dbb7db41a0948d3ac07e92495967b165b

SHA256
efed88e60fc5290cdd022bd81fe23f52fe68548bcec345da20caff5b1e9d309d

SHA512
4bda3a48d68f87f6465355d4d7b6798e13a878cbdfe6e71961a45b9915cadc766d36db2bd283793958f5a54e53a883feb5fccba8357e00c78cf894523074b62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
355.4MB

MD5
fc74dc15e5bf6948ef175a630a1ab55d

SHA1
9120732a1eebe0ca341e4e34d4d491b637376b1a

SHA256
8bff453994e48a891b5bc4ba94a5d8b86a3d23e48d2d9ceec074cbaf2193237a

SHA512
cb5c65b2d73448eae188d897c14c50d12f9902033e5febae1c107f8842a3a6ea3f85156cad7ad3b7af6724b1b228103b828b77bc57c436fc993018f844ffa388

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e96d7ccfd7e3dbaeaefa7570e9d5ac61

SHA1
9cf5dbba0a97e2d041724c1661861996663ad4f2

SHA256
d73cb540c0919cb6ed536a2b5d2fd24a65de7ddfb95d38bf62379dd5185b775c

SHA512
77aa5dda47161a44e65fd81910a13962910f006415771c8b9f1a3b7c88ff6ffddf4ce9e8aff13552396c1f9e962ec75dc91eed8376d4e936f580fe491b97ac06

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
273.1MB

MD5
2f30f4b4d1d029c263ba4b424f944290

SHA1
7f9efb9fb363e78fd8df9c63316dc7e2709b5321

SHA256
a6c8399eacfd33e2ea924c656367a1c07f85a106c47c813f13d1160f575207e0

SHA512
972726b8b637e8b1dbe4d27d2253bd0b2647243f36ea78022e6b540ca0ece1b0f3a15aaef7e1147994b16f7050bf6628c20466975cde456e569d18c8d5474604

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.4MB

MD5
9540d7358137a8ac61e616c87e42d98f

SHA1
7c4eaf5536f636360c8fb0aec12a953ebf8a38ac

SHA256
e859cb6e71cc41ab56ab88b31f33617cfde0cbc856d7b1f70e2d809ffe54bf29

SHA512
b6f8ffd93d7ff145cd703adfe737a0a31cb7f92b76a277f32e688f18e0b6f60e19bad6ce0e704d05207ce37490c81e7f9f8af0782951edfe5c0b71a0bd018d08

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
102.1MB

MD5
4e9a2c0e31e3ca74ac9a9a11c30b1953

SHA1
a123bfd16e2a53e193106d64ba0551af16fb1c48

SHA256
1cb4ea1909e0aed350d3d4d0212865802a1bb0c498b45d5d252b7be47455a020

SHA512
03a2051881efb50e768954b2a1818571cb2343c9469ecbdf087ba06db3ecf54c479fef049e176269d30d19d2fbdc43de052c18e94ad460073fb38022e96ebb1d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
248.6MB

MD5
2751884b44069bc69a91ef2d6681feb5

SHA1
33e95f7833c9bc27659063c587fabc42b40f9ac5

SHA256
e54a5511402f309b2964024c19a4a1379bab53d1bec1a77b283d5d1daccdbade

SHA512
579711dff76e5286b880f206260ad65be2cbe296c27a0374866b737063bcb28a9bcd07fd2c020d5ad72a0abd38ba006df280150616f86d00943b0f668e774f67

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
272.8MB

MD5
41f54b64aa4d862b3cb9a8e503b98e69

SHA1
acfe10e703a2ef44eb41b0184fbb0ead9baafc4c

SHA256
df78bfc22faef3419c99200ffdebd3e50bff98adb700a05e7d4a18c5bbcd45ee

SHA512
858850cb216b33570670c80d8930cfdf2a1890e24f6f909ea5f6837fd7dbef97de0e3d61a645baf8bcbd66827e902579ddf68ec673a555af2a9c1aa14b04f43f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
261.1MB

MD5
830aed7062a4fc8cc82db090aeb8e58c

SHA1
2fcc23a6b89739989cacfd064dce6c08bc3e7fda

SHA256
c6dc34be88d041bb56bdc3229bb3d3286f62fc8fca6cf351599a31c3fcad57f2

SHA512
3dad4e972e55563e50311c756a0eee6e8c0fc1478dc0d3c89ec62315da9e3100013d857b1cb3bdaca272d7e1b4f0073ddd6c83c4576d4854900c531c27275de2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.6MB

MD5
67facaca45c9360c98d1dffdb30dcce3

SHA1
79067980293e9c5d345a857c8b30b7487a3c5030

SHA256
dd2053cee41a295ed3f32d66c84307291e092fb7c736413be4f50f8b9520cc1f

SHA512
b474089a76587bbe64e76a6f429fbfc96b94dcdf0c505b53fc91dfe70dba0cdf1e9070b33cc5fd8cec7dcac7a7370e2641063bb38ef244c54670fe0aede4fd76

Download Submit
memory/284-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1240-66-0x00000000065E0000-0x0000000006980000-memory.dmp

Filesize
3.6MB

Download
memory/1240-65-0x00000000009C0000-0x0000000001134000-memory.dmp

Filesize
7.5MB

Download
memory/1240-75-0x00000000054B0000-0x0000000005622000-memory.dmp

Filesize
1.4MB

Download
memory/1384-70-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/1384-71-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/1384-69-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1904-83-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1904-85-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download