aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
85s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/580-66-0x00000000063F0000-0x0000000006790000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

956 voiceadequovl.exe
580 voiceadequovl.exe
1368 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

956 voiceadequovl.exe
956 voiceadequovl.exe
956 voiceadequovl.exe
956 voiceadequovl.exe

pid	process
956	voiceadequovl.exe
580	voiceadequovl.exe
1368	voiceadequovl.exe

pid	process
956	voiceadequovl.exe
956	voiceadequovl.exe
956	voiceadequovl.exe
956	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 580 set thread context of 1368 580 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1176 powershell.exe
1780 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 580 voiceadequovl.exe
Token: SeDebugPrivilege 1176 powershell.exe
Token: SeDebugPrivilege 1780 powershell.exe

description	pid	process	target process
PID 580 set thread context of 1368	580	voiceadequovl.exe	voiceadequovl.exe

pid	process
1176	powershell.exe
1780	powershell.exe

description	pid	process
Token: SeDebugPrivilege	580	voiceadequovl.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1212 wrote to memory of 956	1212	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1212 wrote to memory of 956	1212	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1212 wrote to memory of 956	1212	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1212 wrote to memory of 956	1212	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 956 wrote to memory of 580	956	voiceadequovl.exe	voiceadequovl.exe
PID 956 wrote to memory of 580	956	voiceadequovl.exe	voiceadequovl.exe
PID 956 wrote to memory of 580	956	voiceadequovl.exe	voiceadequovl.exe
PID 956 wrote to memory of 580	956	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1176	580	voiceadequovl.exe	powershell.exe
PID 580 wrote to memory of 1176	580	voiceadequovl.exe	powershell.exe
PID 580 wrote to memory of 1176	580	voiceadequovl.exe	powershell.exe
PID 580 wrote to memory of 1176	580	voiceadequovl.exe	powershell.exe
PID 580 wrote to memory of 1540	580	voiceadequovl.exe	cmd.exe
PID 580 wrote to memory of 1540	580	voiceadequovl.exe	cmd.exe
PID 580 wrote to memory of 1540	580	voiceadequovl.exe	cmd.exe
PID 580 wrote to memory of 1540	580	voiceadequovl.exe	cmd.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 1540 wrote to memory of 1780	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 1780	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 1780	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 1780	1540	cmd.exe	powershell.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe
PID 580 wrote to memory of 1368	580	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1368

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
dd3283bbfe757ffed009df000516a7a0

SHA1
dfb07ecf474fc3a954c2b450034a38498cf3ed97

SHA256
a2b6d677023df6ac26d11da6310c48db5b56e144c854117e46787235151a449d

SHA512
e17bee5eaa0ebb60eafcc946050e66adef4d95efe05f31e43d7be26fb730d94e7afb86383a470089c4c46e11e703d0dc26023fc660869632aee6bea1ba4c9b68

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
272.6MB

MD5
0ce515773947b18f0034f2632ee41ee0

SHA1
0cc47b29aeefa51caf80f881560a7ca4ca2b1c84

SHA256
f9c3be314d9878b056718d39fcf3cb6c587c7f019af13c9f7bb4d509171f6601

SHA512
44f8413fc371a0960d687b61e5ff6b7b9600ef699e1534198494ac68d416c8b39884fbe14bdeb14f4903771204c1f0fd00c01151cf26f960e07004f98d5d4666

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
274.5MB

MD5
2ba4e08bebde73febb901ea7d99a66d8

SHA1
81eb17876e61c62bafc9dad06aed6f3e1be70af0

SHA256
76d04c830717ecd7a248128243f59d7f43363bdde4d72dc9ca35c5893edf883b

SHA512
e56fd09d7fc677ac347d0556e227da8d300014ae2fa1a1a605666683228a761ef7290d035f26c7a469e89c321e7a5bf19d2817920afebf3537361e558e3ed9f2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
113.9MB

MD5
8ea504c82032b78104576b2dabdff14a

SHA1
c387983eeffa46bba1641e1ad44dbe1b42c1aeb9

SHA256
0b01b1ad3625a7daa59cfa0dd1541dd826108eb72683f1e2ffcbc070bf151fa6

SHA512
c3c73aec0abd9b1583dddfaf74228285d54f8e97c5f79a9202bf9b67ba703691a455a234723051f56569483caa731220cedc83cd9666ed53d5d4787fd2ee8c6c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
274.9MB

MD5
7a3db1f64943d50ef6f499418f5161cd

SHA1
40c5c8cc3c71609e5c924f51194b8fdf11df7663

SHA256
bd152716800dbbda9208135483ad75bcb071ee25301acf6e214ab4c6b82ea78a

SHA512
0b75420f3b131bb4df86fcc26a178f177135aa12d6c671c7f129029186b074614c7d8a4a2f086b509c988d5f575a5b266a528d31f71447132a7be28fc4400e6c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
284.4MB

MD5
d9d4769ddf0ccc799b5a32aa82300a38

SHA1
8510fd250de78747a22ee142db9405a765c3bfdd

SHA256
df503e4c7462064e4699c3879c19f2adf35058abdb98105b2d5f82e5d04a5a7f

SHA512
f42a6828bdf8fe6b57011137032b7a8b55bdb4770a23a1046b2bfef6e0629d0a98595e3b09017bf538496a9cf1de57a3537ba448bbedca337e62943c58e8e9d6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
277.2MB

MD5
b8dd42fec2cf1e48a1bbf32d6d89a578

SHA1
03d158b318e8a971ca12a5dcc0a7507198150c74

SHA256
8c3facfc2b33a9738112190e3adc9ecc503ce01eb8dab030e0a135d080c90ec2

SHA512
f226b2c0b8fed68cba53ef9e935c1eac0ac92fb3c85ca06ba17596a15cd6de5b4f8d8cdc1bf4f31b9f92fb411907bc4aa49193aaa994561ed9c83aa49827ad5f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
274.7MB

MD5
db32f2d9d34da9dbc2ff03c80906d511

SHA1
de6c47607861be52ddcc34d2d262ccc241b964d2

SHA256
7c081a1f8c99c9ea5f368a8e30c43c27caf2637ef90ce54359285aff0b2706a3

SHA512
83923d9c434e67ab02f617efe1f26de4c7a81319136e91557e677ce05781577e198ed889dc977e8efa570d40b334bdf94e6f997a8f5711856aea93d33b81f696

Download Submit
memory/580-62-0x0000000000000000-mapping.dmp

Download
memory/580-65-0x00000000013A0000-0x0000000001B14000-memory.dmp

Filesize
7.5MB

Download
memory/580-66-0x00000000063F0000-0x0000000006790000-memory.dmp

Filesize
3.6MB

Download
memory/580-73-0x00000000053B0000-0x0000000005522000-memory.dmp

Filesize
1.4MB

Download
memory/956-56-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/956-54-0x0000000000000000-mapping.dmp

Download
memory/1176-67-0x0000000000000000-mapping.dmp

Download
memory/1176-69-0x000000006F500000-0x000000006FAAB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-70-0x000000006F500000-0x000000006FAAB000-memory.dmp

Filesize
5.7MB

Download
memory/1176-71-0x000000006F500000-0x000000006FAAB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-90-0x0000000000464C20-mapping.dmp

Download
memory/1540-72-0x0000000000000000-mapping.dmp

Download
memory/1780-75-0x0000000000000000-mapping.dmp

Download
memory/1780-87-0x000000006F230000-0x000000006F7DB000-memory.dmp

Filesize
5.7MB

Download
memory/1780-93-0x000000006F230000-0x000000006F7DB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads