aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
103s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1028-66-0x0000000006610000-0x00000000069B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

2008 voiceadequovl.exe
1028 voiceadequovl.exe
276 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

2008 voiceadequovl.exe
2008 voiceadequovl.exe
2008 voiceadequovl.exe
2008 voiceadequovl.exe

pid	process
2008	voiceadequovl.exe
1028	voiceadequovl.exe
276	voiceadequovl.exe

pid	process
2008	voiceadequovl.exe
2008	voiceadequovl.exe
2008	voiceadequovl.exe
2008	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1028 set thread context of 276 1028 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1616 powershell.exe
1264 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1028 voiceadequovl.exe
Token: SeDebugPrivilege 1616 powershell.exe
Token: SeDebugPrivilege 1264 powershell.exe

description	pid	process	target process
PID 1028 set thread context of 276	1028	voiceadequovl.exe	voiceadequovl.exe

pid	process
1616	powershell.exe
1264	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1028	voiceadequovl.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1148 wrote to memory of 2008	1148	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1148 wrote to memory of 2008	1148	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1148 wrote to memory of 2008	1148	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1148 wrote to memory of 2008	1148	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2008 wrote to memory of 1028	2008	voiceadequovl.exe	voiceadequovl.exe
PID 2008 wrote to memory of 1028	2008	voiceadequovl.exe	voiceadequovl.exe
PID 2008 wrote to memory of 1028	2008	voiceadequovl.exe	voiceadequovl.exe
PID 2008 wrote to memory of 1028	2008	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 1616	1028	voiceadequovl.exe	powershell.exe
PID 1028 wrote to memory of 1616	1028	voiceadequovl.exe	powershell.exe
PID 1028 wrote to memory of 1616	1028	voiceadequovl.exe	powershell.exe
PID 1028 wrote to memory of 1616	1028	voiceadequovl.exe	powershell.exe
PID 1028 wrote to memory of 1576	1028	voiceadequovl.exe	cmd.exe
PID 1028 wrote to memory of 1576	1028	voiceadequovl.exe	cmd.exe
PID 1028 wrote to memory of 1576	1028	voiceadequovl.exe	cmd.exe
PID 1028 wrote to memory of 1576	1028	voiceadequovl.exe	cmd.exe
PID 1576 wrote to memory of 1264	1576	cmd.exe	powershell.exe
PID 1576 wrote to memory of 1264	1576	cmd.exe	powershell.exe
PID 1576 wrote to memory of 1264	1576	cmd.exe	powershell.exe
PID 1576 wrote to memory of 1264	1576	cmd.exe	powershell.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe
PID 1028 wrote to memory of 276	1028	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1576
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:276
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:668
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:384
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9145880e9309d68c0a06ea90808fa2a9

SHA1
c76c440c1f27d6aa34657d8a5847937c78181317

SHA256
b88d0dc1a8e74bb82ef7dc70d875fe1f554df3fcc100cd5b93ee1600604dc203

SHA512
f483f594dcc4d8623b38b66f14cc695f9c8466d80a83091e51d085bb6267844ec5f9278c7644a949ae3243c59582e36d9fa2d3427603d654c21ea97b6bcb1e86

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
276.3MB

MD5
caa354f84fba20885fee3bad079d48cc

SHA1
21e780a9dfe5d2554a320132f60c372f86a6a0ff

SHA256
d0e0c5b39626103a38042de45954e4a2ac594b9631c7c7940944a2e4a4cba3a8

SHA512
7a3c3b2194dcfd8e6bc441b1650322062f80e2d22b9e9d438068a9977bba9f18723f8056a70a81fb83af7ff5a91a1d7ed97d0009ec78b33a48e4cb66e888c91e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
270.6MB

MD5
18b5791354f62d7468dc4799849848fe

SHA1
ca7942601b10d8e2e67b6e8758c166554b68869b

SHA256
b49aff36931074d3b855a819620bf38bf585487532b77777d4e54fbcbd028e27

SHA512
30447da45642c8117374dea606350bcff81f584526519515d7c5b3ed6ea6a779ea1ab91493ba341d03a4b64b134a0630a1188d40995bb6c0aca810a4e77d2472

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
109.6MB

MD5
8521c41f31ff387316405a89613ba363

SHA1
c8869fc545094e1a6b2cf5983b40558ab47e27e0

SHA256
223fd149f35fc643edb6038809a2b22f2c049157251228ab62af5eef0739d758

SHA512
8e7e9edca2db5705dee6970965351942cfac9ee3de40d90a37da72b2ee1a4692d19bfb9a042dda650d13bfbe0da108bff8d252549a599f8032fe07d7435d6898

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.8MB

MD5
ecf70c388ab92f6fb1e7986310bd48d4

SHA1
f6adea04973d1c674c9a00482efe839b5832fd87

SHA256
c436edc7fed579f765c4fe82927f6ddbc807901d75805b47353f80782ac8b9c6

SHA512
f325cc27accc533ad2a70513a88b964fc824c7127d140c982863cc505a44293650a153af05a6af18f1986ddf3efaa109bae66656f9fe3d0e0d82957d573d70dc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
287.6MB

MD5
817d3751571e25b151142ef59e3b93f1

SHA1
534a283c0c51c905909781398bbafdbee7c5e597

SHA256
d717eec6daad02912065e90f146b7759877e876d16543a71b7b4f5d559c7ce40

SHA512
daaa3ef0f0b5e061c727a35fb2d44940a662bcbf46e23c7b5aaaa0c706b21ece7cc0bfe6ebf233d76589a07f38824252378911d26f2c3e1be57403fd5d7d62f6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
286.9MB

MD5
a4c2988d563290619016c8842b9d511c

SHA1
d1523ce464f24a8675e7eaaf6de1261501c7441c

SHA256
22fd1eaa08ddceac86010b089d73e2f373f51806926080154aabe7e867a016e1

SHA512
46d41e176bd3528d5272c68fa48de6879ea0c2c0462c23678ec815fc596a04de581efcdc6fe3441358b0e0163aad2dc0b08c9b11bc6ee991a672623658dc66b4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
282.8MB

MD5
372d8de046f0b8672d418dc77b1ec134

SHA1
32030ce6d6a414c550c051b74b27d5d13fc2c668

SHA256
755743b6eb9ed72975de5ebc552fef7b966ba97a68e19de7703595bcedd1e652

SHA512
7938846ee4ce348bd25d213a8bd431be4cc54bfdf68e4d019fe6e6a00ffc4a89bdfc7fd99f71d213dfe75d4ce744d98075fccdcd948d146dc04a0d682800fb0d

Download Submit
memory/276-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-90-0x0000000000464C20-mapping.dmp

Download
memory/276-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/384-100-0x0000000000000000-mapping.dmp

Download
memory/468-99-0x0000000000000000-mapping.dmp

Download
memory/668-98-0x0000000000000000-mapping.dmp

Download
memory/784-97-0x0000000000000000-mapping.dmp

Download
memory/1028-65-0x0000000000E50000-0x00000000015C4000-memory.dmp

Filesize
7.5MB

Download
memory/1028-62-0x0000000000000000-mapping.dmp

Download
memory/1028-73-0x00000000054F0000-0x0000000005662000-memory.dmp

Filesize
1.4MB

Download
memory/1028-66-0x0000000006610000-0x00000000069B0000-memory.dmp

Filesize
3.6MB

Download
memory/1236-101-0x0000000000000000-mapping.dmp

Download
memory/1264-84-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1264-91-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1264-74-0x0000000000000000-mapping.dmp

Download
memory/1576-72-0x0000000000000000-mapping.dmp

Download
memory/1616-71-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-70-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-69-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-67-0x0000000000000000-mapping.dmp

Download
memory/2008-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/2008-54-0x0000000000000000-mapping.dmp

Download