aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
97s
max time network
158s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1492-66-0x0000000006640000-0x00000000069E0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1212 voiceadequovl.exe
1492 voiceadequovl.exe
1896 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1212 voiceadequovl.exe
1212 voiceadequovl.exe
1212 voiceadequovl.exe
1212 voiceadequovl.exe

pid	process
1212	voiceadequovl.exe
1492	voiceadequovl.exe
1896	voiceadequovl.exe

pid	process
1212	voiceadequovl.exe
1212	voiceadequovl.exe
1212	voiceadequovl.exe
1212	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1492 set thread context of 1896 1492 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

380 powershell.exe
988 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1492 voiceadequovl.exe
Token: SeDebugPrivilege 380 powershell.exe
Token: SeDebugPrivilege 988 powershell.exe

description	pid	process	target process
PID 1492 set thread context of 1896	1492	voiceadequovl.exe	voiceadequovl.exe

pid	process
380	powershell.exe
988	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1492	voiceadequovl.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 1212	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2032 wrote to memory of 1212	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2032 wrote to memory of 1212	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2032 wrote to memory of 1212	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1212 wrote to memory of 1492	1212	voiceadequovl.exe	voiceadequovl.exe
PID 1212 wrote to memory of 1492	1212	voiceadequovl.exe	voiceadequovl.exe
PID 1212 wrote to memory of 1492	1212	voiceadequovl.exe	voiceadequovl.exe
PID 1212 wrote to memory of 1492	1212	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 380	1492	voiceadequovl.exe	powershell.exe
PID 1492 wrote to memory of 380	1492	voiceadequovl.exe	powershell.exe
PID 1492 wrote to memory of 380	1492	voiceadequovl.exe	powershell.exe
PID 1492 wrote to memory of 380	1492	voiceadequovl.exe	powershell.exe
PID 1492 wrote to memory of 1768	1492	voiceadequovl.exe	cmd.exe
PID 1492 wrote to memory of 1768	1492	voiceadequovl.exe	cmd.exe
PID 1492 wrote to memory of 1768	1492	voiceadequovl.exe	cmd.exe
PID 1492 wrote to memory of 1768	1492	voiceadequovl.exe	cmd.exe
PID 1768 wrote to memory of 988	1768	cmd.exe	powershell.exe
PID 1768 wrote to memory of 988	1768	cmd.exe	powershell.exe
PID 1768 wrote to memory of 988	1768	cmd.exe	powershell.exe
PID 1768 wrote to memory of 988	1768	cmd.exe	powershell.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 1896	1492	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1896

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:620

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1552

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:1704

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
321c1fd549ee457ff69edef1954253fb

SHA1
f74530f9e4dce8ae05f0ec0d141bb8109fe6e6d3

SHA256
e096dd019b31542cb199ac63f238bf15616cd8ab9b2fe5f824630a28bdebecc2

SHA512
bd989debb3f4fda3ad7ee13f6582c3e06d6ef233a65e0f5bb4e41848a1bbb6dad63f3f82f1117ef528c250272d416339857e7acf7b8589105c03147d7fc2bcac

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
278.9MB

MD5
52d5db36d22f969b8ff31fb286dfe675

SHA1
84b09665dfa0c3dff159b78daa5eba37b1bb2c9a

SHA256
4397ccdb25c11bf80bf0a9dca5ac0c365c73bae8d7d1a847546d34f781c0a3a8

SHA512
b2bb3543f5a73d62da07d8ee859cba1ed9b420093df1ae5330824c21f27336891a0546c615621b6dff1a6a666054b58b20a8000a91f7884dc0ba6fdb775363f0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
284.8MB

MD5
533377e3843f1f8a04b38687b7ba7448

SHA1
d3e42f9e213afe32ffd9f11ecbdc21e8972284d7

SHA256
117538702817304fba93536d138d71dafbf95832edd0ec8dbbd3bd5b188de693

SHA512
54b0bf8dcd1053421c7fbc8f77d9ec35ff30e820d158ce21cff868203d30d7b0a09273a79a75de77cd7d38880fd008bf61865e84f1d7b6801bc759e2fe5ec6b5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
112.1MB

MD5
d2274a120532cbc61ed58e1cc5e10bb7

SHA1
5ec7f683c55e276ffaa5dfea2f082d8dfc86c132

SHA256
ae96dc8fdc1ce5312a59c4918c1d9e54e04515504495488371b0e653d50f1070

SHA512
eff508606a9f5e5e32a5718ea18331a89e6331aaab80ecd400b289c64af3479aa809f03b6936e123fc066b8f6948dc332be491077388d0a358d587bc49573d17

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
276.4MB

MD5
dd03a7f44db865a8d0f8936fa3e5896e

SHA1
04982f21ebb473204f0d7cd28dbecf5856f58d6f

SHA256
fc9e31d665b1c85ca5380b4e138831a27fc113d37f1046d6225cdb16e0167434

SHA512
8e10c80b61a19baa31aa5c9e7d77701d15a5c5a6dfa8ce040ea08db19a180bb90a983a369d6487c629fa5511f9a814d976e4be195ee5afb337e7e72735c1838d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
268.1MB

MD5
98d68354ae68ee309f7265c94c5fa4e8

SHA1
e01778de905d0c11172eb38500d2791225e2db84

SHA256
18203c135e2590e11010bdee7fa841b7a6e29a9d0bdfe8c428121b6c48ae722c

SHA512
6071cff60801334c0180903ee605a179f3301220569dcbe55e3fd2cecc86ec682979e8e822f608bb16d7593a26ff6f1b381644a852e80394bd038e4cf16d65be

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
288.9MB

MD5
7dc74178efbadacf87bcb63fe8e5ae07

SHA1
2ddcefb8d62bad051a57ed03dc3428c8bf5791f7

SHA256
411039edec56921b376a3fedfe1a68fd2a7984dd585b9f29cbfca15d0e04368d

SHA512
ee722de04014e5274513a615bef36b62503d1630d4fb2edce5418bd11bf8e1bff528711542bd52e5bc5427723b14e0e9cd289213539b232ad6d06335dae8001c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
281.4MB

MD5
ab2aa0a23cdc4dfd52a8b89951e9310c

SHA1
b64364f6325e38eae6e0c066a53bae2584726416

SHA256
b8136f0f72e0c94ba70242cda265a83cb1ee025a7d3a1d14052c58bee2812269

SHA512
c57819a14634196b60a85f409770c4e14e68dfd8ab825ec7f1941f96fca8e1d4f97b514f8c8ffcdf0917ca7074b24b088d16efd3796374d912f8619e3240194f

Download Submit
memory/300-100-0x0000000000000000-mapping.dmp

Download
memory/380-71-0x0000000070280000-0x000000007082B000-memory.dmp

Filesize
5.7MB

Download
memory/380-67-0x0000000000000000-mapping.dmp

Download
memory/380-69-0x0000000070280000-0x000000007082B000-memory.dmp

Filesize
5.7MB

Download
memory/380-70-0x0000000070280000-0x000000007082B000-memory.dmp

Filesize
5.7MB

Download
memory/620-96-0x0000000000000000-mapping.dmp

Download
memory/988-73-0x0000000000000000-mapping.dmp

Download
memory/988-94-0x000000006FFB0000-0x000000007055B000-memory.dmp

Filesize
5.7MB

Download
memory/988-87-0x000000006FFB0000-0x000000007055B000-memory.dmp

Filesize
5.7MB

Download
memory/1212-56-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1212-54-0x0000000000000000-mapping.dmp

Download
memory/1492-66-0x0000000006640000-0x00000000069E0000-memory.dmp

Filesize
3.6MB

Download
memory/1492-74-0x0000000005510000-0x0000000005682000-memory.dmp

Filesize
1.4MB

Download
memory/1492-65-0x00000000012D0000-0x0000000001A44000-memory.dmp

Filesize
7.5MB

Download
memory/1492-62-0x0000000000000000-mapping.dmp

Download
memory/1552-97-0x0000000000000000-mapping.dmp

Download
memory/1704-99-0x0000000000000000-mapping.dmp

Download
memory/1768-72-0x0000000000000000-mapping.dmp

Download
memory/1896-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-90-0x0000000000464C20-mapping.dmp

Download
memory/1896-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-102-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2024-98-0x0000000000000000-mapping.dmp

Download