aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
114s
max time network
145s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/900-66-0x0000000006450000-0x00000000067F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1940 voiceadequovl.exe
900 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1940 voiceadequovl.exe
1940 voiceadequovl.exe
1940 voiceadequovl.exe
1940 voiceadequovl.exe

pid	process
1940	voiceadequovl.exe
900	voiceadequovl.exe

pid	process
1940	voiceadequovl.exe
1940	voiceadequovl.exe
1940	voiceadequovl.exe
1940	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1912 powershell.exe
572 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 900 voiceadequovl.exe
Token: SeDebugPrivilege 1912 powershell.exe
Token: SeDebugPrivilege 572 powershell.exe

pid	process
1912	powershell.exe
572	powershell.exe

description	pid	process
Token: SeDebugPrivilege	900	voiceadequovl.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 2012 wrote to memory of 1940	2012	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2012 wrote to memory of 1940	2012	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2012 wrote to memory of 1940	2012	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2012 wrote to memory of 1940	2012	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1940 wrote to memory of 900	1940	voiceadequovl.exe	voiceadequovl.exe
PID 1940 wrote to memory of 900	1940	voiceadequovl.exe	voiceadequovl.exe
PID 1940 wrote to memory of 900	1940	voiceadequovl.exe	voiceadequovl.exe
PID 1940 wrote to memory of 900	1940	voiceadequovl.exe	voiceadequovl.exe
PID 900 wrote to memory of 1912	900	voiceadequovl.exe	powershell.exe
PID 900 wrote to memory of 1912	900	voiceadequovl.exe	powershell.exe
PID 900 wrote to memory of 1912	900	voiceadequovl.exe	powershell.exe
PID 900 wrote to memory of 1912	900	voiceadequovl.exe	powershell.exe
PID 900 wrote to memory of 996	900	voiceadequovl.exe	cmd.exe
PID 900 wrote to memory of 996	900	voiceadequovl.exe	cmd.exe
PID 900 wrote to memory of 996	900	voiceadequovl.exe	cmd.exe
PID 900 wrote to memory of 996	900	voiceadequovl.exe	cmd.exe
PID 996 wrote to memory of 572	996	cmd.exe	powershell.exe
PID 996 wrote to memory of 572	996	cmd.exe	powershell.exe
PID 996 wrote to memory of 572	996	cmd.exe	powershell.exe
PID 996 wrote to memory of 572	996	cmd.exe	powershell.exe
PID 900 wrote to memory of 1580	900	voiceadequovl.exe	voiceadequovl.exe
PID 900 wrote to memory of 1580	900	voiceadequovl.exe	voiceadequovl.exe
PID 900 wrote to memory of 1580	900	voiceadequovl.exe	voiceadequovl.exe
PID 900 wrote to memory of 1580	900	voiceadequovl.exe	voiceadequovl.exe
PID 900 wrote to memory of 1580	900	voiceadequovl.exe	voiceadequovl.exe
PID 900 wrote to memory of 1580	900	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1580

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:912

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
245.7MB

MD5
5d6a8f599e1cac143cbfe66c1c123855

SHA1
81fb7fae015f256b7fd71239290f4dd5a81811a2

SHA256
e96c4a1feed48f628680697bbbf5f84a5278a5cfa3bbf5f769dc754c5d1a4ba3

SHA512
ca5c0697170b131809d675b1d0b5830da0fcdd51e2e7bfe79bffc3406f0443268db81403d77e9769d19b27c64c4f5c881afdaf3dd3dbef2c62b8dbc4101b30f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1bc7c29509b28a10b5368f3d43bc7f5d

SHA1
3f5d226ef5d355bae0d2791c062210d11a9d908a

SHA256
b15858de5fa1af503d59c71956b538fd5a208efa6cccbb915ddbda7a6192b067

SHA512
b5095a4e1d0cbcd97bfa2a2521db43648f79e41620a054fb19b2bd5da2d7156a3d61f99279c69709f48d509644f512924a2a15806a29eb1245ab8b1c6d06ec98

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
275.4MB

MD5
c9c456efeca9a0d29c611e45453fba9c

SHA1
362963becc4b18fb18e4b1a1d5d2d2b77e5fe8b6

SHA256
6779e7822dc068e60c8de456eba3863b32c36c1e00624cc867c11b6f7904b24e

SHA512
f17f0c6d1015c428d117c79ac6d47824f649f13e83e0df385ff1db0ed031880d540790edaa2b4dd7c6c2a878a0ee70c5ff23e0fb8ecc89a9e55993d160747ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
272.8MB

MD5
41f54b64aa4d862b3cb9a8e503b98e69

SHA1
acfe10e703a2ef44eb41b0184fbb0ead9baafc4c

SHA256
df78bfc22faef3419c99200ffdebd3e50bff98adb700a05e7d4a18c5bbcd45ee

SHA512
858850cb216b33570670c80d8930cfdf2a1890e24f6f909ea5f6837fd7dbef97de0e3d61a645baf8bcbd66827e902579ddf68ec673a555af2a9c1aa14b04f43f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
57.7MB

MD5
0a6f2a8ed1b861746d36b22042aad211

SHA1
7bf65cf5e31e251272717d3d9d55c44843fcfb09

SHA256
50ac45d151127f61abd67d409845bd087635a0339b2355f3a3192f842ca2ba01

SHA512
57406f8bd786cbca67c82274d94dc492f43c5a4461f8c179afc1fff1239c44e4a07ff3d4847c766e8862cc175e49ddac52d996a18225fda56fceb5cd2c0133c9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
283.4MB

MD5
563f2493c3b19ee1ba9a7c000c6897a9

SHA1
a105b8c7293aae8674688f30cae05db2947d38b6

SHA256
42fd52476165e8283cafcce9710d787624d39253c4441e427cc538c20e659597

SHA512
aefce1f2f9768da61f481c6fdc7e934bc3206a16c8dd42bfeb2f00828f810306f2276fa3e9bca4d121e41f76a651c238656d367b67ce77a329e79c44554fa918

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
293.7MB

MD5
1f3ef324f6ba4a4fead1337750331241

SHA1
b89834fbf2cbbc62d3d59840d16037fcffe30510

SHA256
c8b92d1bcaa7bd991f1607b965918f881e91b5f023d2481683524b57a61230ac

SHA512
e7fd85be45c31def0d25772f0fe83d195d32a2a4e2991d0901bff78c4a20b98a60215aa8c5139fda40f09c29b97341042356dbb27b49e512a201db200efabc94

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
272.1MB

MD5
815565d38808a607b477e7497863382c

SHA1
58d5b154534a61dc7773f1a8b96ea4f1d9d1bf1e

SHA256
029513ad6ffcbde98dca9a1dcf4e4befb2cb63b17b4b14f1dfa33f97bdcbd02e

SHA512
4ca2c52668610d11014043a30e29a9bcb89064ecde19706213454ffb6031e1c837ae8424e5121ae9a560f839f844cc21eb98dddac1989452884037fe14ec9ac3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
270.1MB

MD5
e0fd3cf2ee6da55faab08aa55807abce

SHA1
99f3502b71f755a3ad492ad490c31ac483d19cb4

SHA256
052c8b8ddeb967c6e65850dcca2e44464e7d98db634301e9df8d237141d26ef6

SHA512
7f8822a9ab74f27baa0987828c8dc597584b4ec46b2ab036c3571e8987b95152d31dab8322d2b151f7c1d53964221f8d28e0505c55317146e3a63cd9ef8b9bf4

Download Submit
memory/572-73-0x0000000000000000-mapping.dmp

Download
memory/572-95-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/572-83-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/900-74-0x0000000005410000-0x0000000005582000-memory.dmp

Filesize
1.4MB

Download
memory/900-66-0x0000000006450000-0x00000000067F0000-memory.dmp

Filesize
3.6MB

Download
memory/900-65-0x0000000001280000-0x00000000019F4000-memory.dmp

Filesize
7.5MB

Download
memory/900-62-0x0000000000000000-mapping.dmp

Download
memory/912-98-0x0000000000000000-mapping.dmp

Download
memory/996-72-0x0000000000000000-mapping.dmp

Download
memory/1580-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1580-90-0x0000000000464C20-mapping.dmp

Download
memory/1912-70-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-71-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-69-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-67-0x0000000000000000-mapping.dmp

Download
memory/1940-56-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1940-54-0x0000000000000000-mapping.dmp

Download
memory/1996-96-0x0000000000000000-mapping.dmp

Download