aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/272-66-0x0000000006540000-0x00000000068E0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

948 voiceadequovl.exe
272 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

948 voiceadequovl.exe
948 voiceadequovl.exe
948 voiceadequovl.exe
948 voiceadequovl.exe

pid	process
948	voiceadequovl.exe
272	voiceadequovl.exe

pid	process
948	voiceadequovl.exe
948	voiceadequovl.exe
948	voiceadequovl.exe
948	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

616 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 272 voiceadequovl.exe
Token: SeDebugPrivilege 616 powershell.exe

pid	process
616	powershell.exe

description	pid	process
Token: SeDebugPrivilege	272	voiceadequovl.exe
Token: SeDebugPrivilege	616	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 948	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 948	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 948	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 948	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 948 wrote to memory of 272	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 272	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 272	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 272	948	voiceadequovl.exe	voiceadequovl.exe
PID 272 wrote to memory of 616	272	voiceadequovl.exe	powershell.exe
PID 272 wrote to memory of 616	272	voiceadequovl.exe	powershell.exe
PID 272 wrote to memory of 616	272	voiceadequovl.exe	powershell.exe
PID 272 wrote to memory of 616	272	voiceadequovl.exe	powershell.exe
PID 272 wrote to memory of 1044	272	voiceadequovl.exe	cmd.exe
PID 272 wrote to memory of 1044	272	voiceadequovl.exe	cmd.exe
PID 272 wrote to memory of 1044	272	voiceadequovl.exe	cmd.exe
PID 272 wrote to memory of 1044	272	voiceadequovl.exe	cmd.exe
PID 1044 wrote to memory of 1132	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 1132	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 1132	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 1132	1044	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:272
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1132
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ea9f0730e653932b31d28c44719d7d3a

SHA1
141eaafea3b749ad2bf28d88f0ac6dd70e15f38f

SHA256
db9ad8d3a8c1e175e9e31c0a3e0aac26c35efe8cdcf45dad22ed82e5dd43915a

SHA512
2623d1e000a2c6049eebff8601dc1962abaa44d4cc8e9a5c5026cd5d53aa8e4444e66a2e5bbd918c2cf6b7feb6b1c88c0ff1a92198e45492d7f5ed99bc6bd3e9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
285.1MB

MD5
e68903677f897032474678df0a79dd3f

SHA1
1b7a912dd89535cdeaa2d10cd177d8a7e0e49cd4

SHA256
19e18483244b236098d8c0ca45669f90c2bc78ae52f682f86477890420080df9

SHA512
0bfa7fc29150c7f3bddb841f4fc22ddbbc7c1de1d61e0b4aa7db5d1d451c0ad15eb892191e3a0ff93e0b5d62cfcc41d2fb5aeab093c3c42f95a5a4667ee829ee

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
258.0MB

MD5
2b2f6867675e9f7ceee9c3d5ebe4c7a4

SHA1
1a9cf05289fb6f2b0e02e35cc623a8f095e883c4

SHA256
df30b371ba7ee589b9c45860b0a63319b2c0576744ee292fc607f8df63db9e10

SHA512
029d5caec6c3bc849462236472bee2744c110e1f9a6b474efe7fd279b2c8c13d433c0fb7996d2ef9aec77eeee52b89d1afe35b4e2eb17822d73e3aa9901fe008

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
294.6MB

MD5
8df800ec67c1628f1efb8f2487737947

SHA1
044461dba1ab4cffaf0d6c805e371389d7f19a05

SHA256
e5f0738aa8b94792886d86db90dd4102a11b0f01cd032312dd152f060ffa9108

SHA512
87cad461262e1930078e2aa5fa77654593f3b25850b292a2df8fe91ea0c46bcadf2c0fc7b4a3172bad692aa0c638642d3792bc70c80540c9c5a61d0ed0ce1320

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
269.1MB

MD5
df922f6cdbb118914c23aa447e389450

SHA1
721e61ccf44030ab9ba46c16904e9b6489050a73

SHA256
65c6feac4281e75bd83e8635384391243195810fd6c4155d3640d3299bc9999c

SHA512
347dad23b0ca7832a1989acdba0051a9eb81c7997187f7bb46c822a1e0b81b8060137bba18474e937031a01cdd25a524db23926543269b8b6a48239563a67a8a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
291.9MB

MD5
7212ea22d3012ce2e74d375c92579e9e

SHA1
f624ebb2854097356a041a7b51bfa22c1d7c440d

SHA256
ed1f09578ca86200ad94af33b38b26d78056101fd6c9a12f3a6a91390ef6ea39

SHA512
e17340351879d3a898ef4f6c2a2aca0a47160e4e7b8b14f0f225f41a1cf479edd45f0ac66df0281e4835613e899768301dc9cdeae9ffa1a59c7e934d00dcfca9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
265.4MB

MD5
ef44dfcaa6a258297d24111db857b74b

SHA1
cfd4416291a1d49ccdf995fef3465e80f7163bdd

SHA256
a0fe2b2642762478fd34d23b2705e68b07940fa54f6879a9e8687a96eb1ffa6f

SHA512
1dd6ecb1ebf7c9535c2c6b88c609e8956aae83d1da19cbfbc566a98573b92af57a3894717f7fb33b95a6f3ac1f4299333de2a740c3d8b7e445a0453fc7bd5bbc

Download Submit
memory/272-62-0x0000000000000000-mapping.dmp

Download
memory/272-73-0x0000000005430000-0x00000000055A2000-memory.dmp

Filesize
1.4MB

Download
memory/272-65-0x00000000012B0000-0x0000000001A24000-memory.dmp

Filesize
7.5MB

Download
memory/272-66-0x0000000006540000-0x00000000068E0000-memory.dmp

Filesize
3.6MB

Download
memory/544-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/544-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/544-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/544-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/544-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/544-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/544-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/544-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/616-67-0x0000000000000000-mapping.dmp

Download
memory/616-69-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/616-71-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/616-70-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/948-54-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1044-72-0x0000000000000000-mapping.dmp

Download
memory/1132-80-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1132-74-0x0000000000000000-mapping.dmp

Download