aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
122s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1264-66-0x0000000006510000-0x00000000068B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1736	voiceadequovl.exe
1264	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1736	voiceadequovl.exe
1736	voiceadequovl.exe
1736	voiceadequovl.exe
1736	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	powershell.exe
1364	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	voiceadequovl.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1736	1340	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1340 wrote to memory of 1736	1340	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1340 wrote to memory of 1736	1340	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1340 wrote to memory of 1736	1340	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1736 wrote to memory of 1264	1736	voiceadequovl.exe	29
PID 1736 wrote to memory of 1264	1736	voiceadequovl.exe	29
PID 1736 wrote to memory of 1264	1736	voiceadequovl.exe	29
PID 1736 wrote to memory of 1264	1736	voiceadequovl.exe	29
PID 1264 wrote to memory of 2004	1264	voiceadequovl.exe	30
PID 1264 wrote to memory of 2004	1264	voiceadequovl.exe	30
PID 1264 wrote to memory of 2004	1264	voiceadequovl.exe	30
PID 1264 wrote to memory of 2004	1264	voiceadequovl.exe	30
PID 1264 wrote to memory of 1072	1264	voiceadequovl.exe	32
PID 1264 wrote to memory of 1072	1264	voiceadequovl.exe	32
PID 1264 wrote to memory of 1072	1264	voiceadequovl.exe	32
PID 1264 wrote to memory of 1072	1264	voiceadequovl.exe	32
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1072 wrote to memory of 1364	1072	cmd.exe	34
PID 1072 wrote to memory of 1364	1072	cmd.exe	34
PID 1072 wrote to memory of 1364	1072	cmd.exe	34
PID 1072 wrote to memory of 1364	1072	cmd.exe	34
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35
PID 1264 wrote to memory of 304	1264	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:304
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1868
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1692
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1280
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
96e15b7d708f604257824d88f3dec000

SHA1
7749fd3fca7c6151be84a3e470bb12d9d1648d2e

SHA256
7f9a3ab406c107967c90ab9dce545bad21ff0cb0d63e935eee6ea85d8fd0696d

SHA512
f360b01e32ec424828663cd145df9f7f9fe37b8687325eacccb53f332f5335a2d9e20f597597d96be19021d175358932fdea4962c7078ab976c7a388ea785fc3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
202.7MB

MD5
b7689a00abb92ddeec35865e15b6a9f5

SHA1
c9418562b8036192bcc3d1669bcec839ee8b6cd4

SHA256
748df616fb43f26bb138007eabccddd9ddb9bb77b11440a0f7c0989a77f7f96b

SHA512
4a746a9bddf141d3b7114bd11d0c330f4befc10065e83e747fabc7ac3f5d9cd8a9d5c3c38da0ced0478557921f47fa399a4a5ae0263440d9f5f6b7adcbd256fd

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
208.9MB

MD5
8c4d246a5339bef3d3e40703b11fba4f

SHA1
f24ead3b7171160280515f0191182af0dc39f085

SHA256
9a5ea3668b2924d833e113cbf624fea39ddb733aa95e1cc5957e42f6677d525c

SHA512
4999fb5e49e76166bef9cbbc3b3f610541b2331fd38040a7ac6c5270e7d5bfe4ffaa536c36250f0ab7bea873c71a70b3e042714e3712a22cd01f0b57a12c3a05

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
49.5MB

MD5
ccaff2a19e8f71a55969c9740e35862d

SHA1
a96274f431e660b7d6c4911628574bbf5fbc77f3

SHA256
1c6981ec6839e42312ad12d0aa2a820798f8276d8973a7849ab7399b2c96ffe1

SHA512
ff99ffa84256516953c5353babd1d6709106cbeeef1147855f0e0d3022ea3108363228732931e6f176f78cc327ffeb69bbe6756f9f9a7e6d210decfdf63edeac

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
265.4MB

MD5
ef44dfcaa6a258297d24111db857b74b

SHA1
cfd4416291a1d49ccdf995fef3465e80f7163bdd

SHA256
a0fe2b2642762478fd34d23b2705e68b07940fa54f6879a9e8687a96eb1ffa6f

SHA512
1dd6ecb1ebf7c9535c2c6b88c609e8956aae83d1da19cbfbc566a98573b92af57a3894717f7fb33b95a6f3ac1f4299333de2a740c3d8b7e445a0453fc7bd5bbc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
257.7MB

MD5
c25f2dd5e15d24a164ae17fab7849b83

SHA1
953ce9e47ff663a29ff58bac207f3f46c3730482

SHA256
3323f58a959586cca8efb78e65faeaf1f3610b6fcc183b7b5a91a9fe987c950c

SHA512
2089ee18552ff52dd50af02128442136f2277eb00bb4e6836d7060bc598de47e8f6e483f439367bbb5b74fa2ddb2f4ccb20efab8bb7d005b557dab1f734c1c59

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.5MB

MD5
3cc1bc9d1452df39a13e8b815d744247

SHA1
32c62fc399917037f95552fc286cd4250bb20177

SHA256
0a3ea57d46e3500cb45213961648eb8d3f4917a80f54b5374c4aac93b7461452

SHA512
76d8231b07d2a7a7143d2d2ee2513313a4bb2732f26070d36aae51d447afccdccfdcb659b23c1ab370db8196dd199b934484f1958a43a2453a138c6c2361c1ef

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.5MB

MD5
af86515bead15d0c61427d93a6fd8410

SHA1
546c9887a98c81b40e16ab0a89f7d9a7113c2cd2

SHA256
9dda40b8bdb02d4a3f592ab92be906956ebc31c5d61a5a1ce38f2a74a562b6b1

SHA512
b7123ed915e95564747f24b79b88af3ee6c2c3490ad60abff4aa4f2ede9d064f8d913c2b4c226d7ad79bfdfb1fb7464d077e6fc088b40ad24bfa3a318f8683f0

Download Submit
memory/304-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-99-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1264-66-0x0000000006510000-0x00000000068B0000-memory.dmp

Filesize
3.6MB

Download
memory/1264-73-0x0000000005330000-0x00000000054A2000-memory.dmp

Filesize
1.4MB

Download
memory/1264-65-0x0000000000800000-0x0000000000F74000-memory.dmp

Filesize
7.5MB

Download
memory/1364-93-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/2004-71-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-70-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2004-69-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download