aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
116s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1864-66-0x0000000006460000-0x0000000006800000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1368	voiceadequovl.exe
1864	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1368	voiceadequovl.exe
1368	voiceadequovl.exe
1368	voiceadequovl.exe
1368	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
872	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	voiceadequovl.exe
Token: SeDebugPrivilege	872	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 1368	1336	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1336 wrote to memory of 1368	1336	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1336 wrote to memory of 1368	1336	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1336 wrote to memory of 1368	1336	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1368 wrote to memory of 1864	1368	voiceadequovl.exe	29
PID 1368 wrote to memory of 1864	1368	voiceadequovl.exe	29
PID 1368 wrote to memory of 1864	1368	voiceadequovl.exe	29
PID 1368 wrote to memory of 1864	1368	voiceadequovl.exe	29
PID 1864 wrote to memory of 872	1864	voiceadequovl.exe	30
PID 1864 wrote to memory of 872	1864	voiceadequovl.exe	30
PID 1864 wrote to memory of 872	1864	voiceadequovl.exe	30
PID 1864 wrote to memory of 872	1864	voiceadequovl.exe	30
PID 1864 wrote to memory of 1556	1864	voiceadequovl.exe	32
PID 1864 wrote to memory of 1556	1864	voiceadequovl.exe	32
PID 1864 wrote to memory of 1556	1864	voiceadequovl.exe	32
PID 1864 wrote to memory of 1556	1864	voiceadequovl.exe	32
PID 1556 wrote to memory of 2040	1556	cmd.exe	34
PID 1556 wrote to memory of 2040	1556	cmd.exe	34
PID 1556 wrote to memory of 2040	1556	cmd.exe	34
PID 1556 wrote to memory of 2040	1556	cmd.exe	34
PID 1864 wrote to memory of 772	1864	voiceadequovl.exe	35
PID 1864 wrote to memory of 772	1864	voiceadequovl.exe	35
PID 1864 wrote to memory of 772	1864	voiceadequovl.exe	35
PID 1864 wrote to memory of 772	1864	voiceadequovl.exe	35
PID 1864 wrote to memory of 772	1864	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:2040
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
217.4MB

MD5
199eb6947e63125e72f3861b06f6c58b

SHA1
729effef0ce56ca0e5bed1dc546cd7ec473aa8f0

SHA256
de8b9281b731b824ca072b0d3594b4d399b207563d9a3a556336439507029095

SHA512
8d9269b3e3681ef0de77721904212bd701135a9900aa2307ef3caeee41afb62e7f5d38e9f7d24d272bec9ef6164e1b3ffcc817582888677d1b642db5a8a0af6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
330.6MB

MD5
4ed12f9c6b76d281d794b9122c601670

SHA1
7f0c74c86e05f553a5052adc74cf6635e48ac7fe

SHA256
122f4ce7298412d9b027a7d0cd8d0f032335a66a004d15c6113951ed7d3bc43f

SHA512
3a3e77ad1b2e03b341203b05de8b5b2cb9635624d69909b7d095c1cb5b904cc1839302ff0bdffb4d815e70561c1885e40c35393c46005140617781920f8f00dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8fbc7c79ecc46060dd2c0787c3aa1511

SHA1
c33afd78016d2bdc6f2ce63bbfa7cd75375ce69a

SHA256
975e95a5e402edd6aa062141d9a27a88ac9c6900ee3121ca709f1c104081d480

SHA512
5691f6f7f3b20a7cf5247e19b22ee6160ff89f21f56909b49fe53eb8ce0b7b2321f7de9da88ccbdec0cdfc20fc4468792cfd3a9196aceb1dff397ff9ec7dd91e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
257.9MB

MD5
7e6761e36cb8e1b19175e8c141d2309c

SHA1
a4e23382419aa28f7706b305c50d4ebe935f8a78

SHA256
3eaaba6d6a2fda46021c67dd775636cdae9c3b702125fd2eaf0f39764591ae1b

SHA512
cb6905588fb69d2e72a071697ce17e7e801f12a460e3732d9d2266dd3fea0e5bfdef85ce12cf95ebe1804ce23f436d002ff5412083946c02960e1242cebb7677

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.4MB

MD5
3126aeea44fc047cda1a8692682ffbe9

SHA1
f3b99953b063e98d1c9e87dc40dbce26e366f546

SHA256
432ec4678a667f5e381ad7b24bee3a0794327455c307a271b4d8d59a72539126

SHA512
061098b8911d14589ab945cf6f99f3b31e30cf07061518de93766c15401a400eecb752f716b17957d3a7b61976bafbfb54dcd94f100d4696ed42277f220b9471

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
53.8MB

MD5
54d7852c44a4b23010d476871392d798

SHA1
b40e1aab038c9b629c9fa21dbde24d15cbeaaa1c

SHA256
8dedbe05a4d79062066b820293687081a7f4dd628520c5319fee1de68ae3802c

SHA512
be3d0d148f50be37310fdc708b5443d9d89158e3c03c91eff05b5176a50474c4bdb655c6821c9829f0af7bd469c49c5ffb927856b9351a44d08d98d3800182e8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.1MB

MD5
ea6959c0cc8921cbfeac6729f4057517

SHA1
cc976e1c386acbf02ab932056bc8e481c7782d42

SHA256
260b33940cf54e491de22046ace00c083e1474491040528cf0e55c360642ffc3

SHA512
2a8cca0cf4538146cf3041aa7236d2a1a7289587e6f072f09679cf90b978dacf110eb2245cfe2ac897fc281f7fb9c405875910a7b13026e899eb4be2fbe46123

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.8MB

MD5
c493a283504804594c565f4694b55e76

SHA1
ccbd45cd40dc9e558d8d4a09c5ba46adad53c89c

SHA256
75bd6ee5d1d449c5ffa86b8648f8f07e66f10124c7985ca1a226f3014d403640

SHA512
dbe5d4bc759206e06a1f587c5f6fdeff5c9f413b9a505ef60bace0eacd8720e769afea2657e5563684667900c12d0e4aab329f965dc57d9feb5866a7560a8946

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.4MB

MD5
d29df591e502164682f551456ab23c4d

SHA1
e26b000097bed9cdcc0990fd170a41467812dd77

SHA256
d3d04d0ae861b90b874e1d31f39ae0cf878884574334b6eae6de8db9eea7c130

SHA512
5e0dd2f3b86ad7d2a962cb0f63d5295868464897e9e0067154896137a254b0b498baa2588e7143f04978476152572357dda6912b8475f71a18d0f206992827d8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.4MB

MD5
2ca96b222ffab6ed49acda5c9d564582

SHA1
8ba29f9a51a1b0fe540515624c03287cf76ba707

SHA256
6ecff811a1efe82c895b839fe2b0bb85dbe58b7d2fbdc6004b0acf00b4b8c5fc

SHA512
c81d86fa6236fbab37a772c2e32565820b03cbc5f2fa0ac5bc66a3dc51b888f5f072750037eabf36d76d87ee9eba1708d8e7bed7e60f7edd274278e2c2c8335b

Download Submit
memory/772-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/772-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/872-71-0x000000006FC00000-0x00000000701AB000-memory.dmp

Filesize
5.7MB

Download
memory/872-69-0x000000006FC00000-0x00000000701AB000-memory.dmp

Filesize
5.7MB

Download
memory/872-70-0x000000006FC00000-0x00000000701AB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-56-0x0000000075491000-0x0000000075493000-memory.dmp

Filesize
8KB

Download
memory/1864-65-0x0000000000EB0000-0x0000000001624000-memory.dmp

Filesize
7.5MB

Download
memory/1864-73-0x0000000005320000-0x0000000005492000-memory.dmp

Filesize
1.4MB

Download
memory/1864-66-0x0000000006460000-0x0000000006800000-memory.dmp

Filesize
3.6MB

Download
memory/2040-84-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-92-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download