aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1896-66-0x00000000063B0000-0x0000000006750000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1072 voiceadequovl.exe
1896 voiceadequovl.exe
1480 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1072 voiceadequovl.exe
1072 voiceadequovl.exe
1072 voiceadequovl.exe
1072 voiceadequovl.exe

pid	process
1072	voiceadequovl.exe
1896	voiceadequovl.exe
1480	voiceadequovl.exe

pid	process
1072	voiceadequovl.exe
1072	voiceadequovl.exe
1072	voiceadequovl.exe
1072	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1896 set thread context of 1480 1896 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1408 powershell.exe
1548 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1896 voiceadequovl.exe
Token: SeDebugPrivilege 1408 powershell.exe
Token: SeDebugPrivilege 1548 powershell.exe

description	pid	process	target process
PID 1896 set thread context of 1480	1896	voiceadequovl.exe	voiceadequovl.exe

pid	process
1408	powershell.exe
1548	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1896	voiceadequovl.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1084 wrote to memory of 1072	1084	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1084 wrote to memory of 1072	1084	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1084 wrote to memory of 1072	1084	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1084 wrote to memory of 1072	1084	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1072 wrote to memory of 1896	1072	voiceadequovl.exe	voiceadequovl.exe
PID 1072 wrote to memory of 1896	1072	voiceadequovl.exe	voiceadequovl.exe
PID 1072 wrote to memory of 1896	1072	voiceadequovl.exe	voiceadequovl.exe
PID 1072 wrote to memory of 1896	1072	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	powershell.exe
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	powershell.exe
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	powershell.exe
PID 1896 wrote to memory of 1408	1896	voiceadequovl.exe	powershell.exe
PID 1896 wrote to memory of 816	1896	voiceadequovl.exe	cmd.exe
PID 1896 wrote to memory of 816	1896	voiceadequovl.exe	cmd.exe
PID 1896 wrote to memory of 816	1896	voiceadequovl.exe	cmd.exe
PID 1896 wrote to memory of 816	1896	voiceadequovl.exe	cmd.exe
PID 816 wrote to memory of 1548	816	cmd.exe	powershell.exe
PID 816 wrote to memory of 1548	816	cmd.exe	powershell.exe
PID 816 wrote to memory of 1548	816	cmd.exe	powershell.exe
PID 816 wrote to memory of 1548	816	cmd.exe	powershell.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe
PID 1896 wrote to memory of 1480	1896	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a3ad3607ff4bb75e233820b56e32e0d9

SHA1
cb629e60038b5b3db3508a4a4455f38b5cae039b

SHA256
11949eadafab2b2fcbaf064c683719ac8847229b2a8a18bfc65936c894f3b218

SHA512
9cb11135734a49f6adec14ee70e3170efb4bd9db663afe382e422be01632e00af20d6add0f8bb16e6bf9bcaa3a60891ea79f6b157fb1c8421411f9d132cdb9f4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
213.4MB

MD5
0014e9645de409131e3850aa13ddc027

SHA1
6c7e258ba3856060981eb8377527b62f33d42805

SHA256
41c0ce56143d166f476140f82b8ce5f4dc64a32542355078e8e77c1174fc6e59

SHA512
fe0226d561928c1e5ad5135da08d08d5a772361fa2238ba3a70fbca649debcf7c47228a154d4b9728d6b2081152c399e6b257eac75e213992d789895bef50c7c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
207.4MB

MD5
ad3b7071fe2095f7e4ca0dc0c0b8faa1

SHA1
306dd50a0fbd1652afa3d3bf3d71b26c1859026a

SHA256
83fe92bdcf03942e14f99e342c5b9afd1fd93a15799d8ed5677a3d3b2d50fc4a

SHA512
d4ee312c71ed5d3a33a55666d7e6ffbcbf3a4c372097b7eb89ae89cbd3e0b0198e20ae1349c2345a6542f7ca2835697fe6d2473f2a6ed6001971cd5d8b2c7ac8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
34.1MB

MD5
577d555f511f1740dc5dd52edebe6b4f

SHA1
b5e78416772678578353daf87abd57c7b4d62476

SHA256
4305fd31d4bcf306db014a5e7a0e94b72ccc6face04a7ccd3ede8eee3dc000b4

SHA512
4bdf501b29d8a072cc18bdde152f8dbec40be8ec2d6754859ac4534eb8af3aed3dd0a0cb1dd64504c092b2fb4fc33a7719c9d32684811e3899c2d9a7075ce718

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
208.3MB

MD5
ea1da7f792c53a2f77da2d7de436a73c

SHA1
ce84ffe8579f67037931bcc393c483f66f0fa4da

SHA256
3cd62b226c383ab1ea89fce01e5a795e672ea9771181ada14ca7ba0403a7e95a

SHA512
08454b30f36c0289f1034ba831dc00005255fa58b5c902e6dc5228cc1fa377751d92016df82eac24f22dfc86e298d150f37051db9afff5a97c837ab7ccd7ce22

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
207.5MB

MD5
823284cdaf448ad7a997e47cace08af3

SHA1
1207e5fd062757d32f6e668fb87c499b5202f876

SHA256
c5ce83c7d952bf81a00f684a122ff51a43c8462532aed086c1388d55a1296959

SHA512
5061ea2ef48eb2dbd8961d12fe23979885a4575b801310113548a989c3dc6656a1a2385faa18998273099c2b3f43dc7714c09cf666a5e81ca2f1781ee043c742

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
194.4MB

MD5
c60a115ac9195fefac72891be42d090f

SHA1
8dbe730af8228103f16365fe8b3b1d706ed3a962

SHA256
9c5a778990e2981953d8819da231783ef2e9ea956169ef6125e8bd8750f20c16

SHA512
d04ef1f8b440a6b663944fbea7a5415c5e7a7ae3166a72e82e5b7ee90512b79824e107639840098826de8edd15a7499f25177ee8ff8f0657acb65879fbcfc1a3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
214.3MB

MD5
bb1e6fe2cc6631c6eb73c11f2cbc1d22

SHA1
32baeb87ba6b02a32220fd913184196192a90e8b

SHA256
bc26334db02989364a8c28138718c90cb7a3b66207056b3b1f9b0485e21874d5

SHA512
67f036c6da3e1fb2ba937f24178647debb18031206fe2854d359fdfb95ad26f2d33ebc3414255ef9cd5c34e1081b5bd133d5e61036b9003479a5d5429c90a4fa

Download Submit
memory/816-72-0x0000000000000000-mapping.dmp

Download
memory/1072-54-0x0000000000000000-mapping.dmp

Download
memory/1072-56-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/1408-71-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-67-0x0000000000000000-mapping.dmp

Download
memory/1408-70-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1408-69-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-90-0x0000000000464C20-mapping.dmp

Download
memory/1480-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1548-94-0x000000006F140000-0x000000006F6EB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-80-0x000000006F140000-0x000000006F6EB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-74-0x0000000000000000-mapping.dmp

Download
memory/1680-96-0x0000000000000000-mapping.dmp

Download
memory/1896-62-0x0000000000000000-mapping.dmp

Download
memory/1896-73-0x00000000053E0000-0x0000000005552000-memory.dmp

Filesize
1.4MB

Download
memory/1896-66-0x00000000063B0000-0x0000000006750000-memory.dmp

Filesize
3.6MB

Download
memory/1896-65-0x0000000000DB0000-0x0000000001524000-memory.dmp

Filesize
7.5MB

Download