aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
117s
max time network
144s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/912-66-0x0000000006480000-0x0000000006820000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1964 voiceadequovl.exe
912 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1964 voiceadequovl.exe
1964 voiceadequovl.exe
1964 voiceadequovl.exe
1964 voiceadequovl.exe

pid	process
1964	voiceadequovl.exe
912	voiceadequovl.exe

pid	process
1964	voiceadequovl.exe
1964	voiceadequovl.exe
1964	voiceadequovl.exe
1964	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

268 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 912 voiceadequovl.exe
Token: SeDebugPrivilege 268 powershell.exe

pid	process
268	powershell.exe

description	pid	process
Token: SeDebugPrivilege	912	voiceadequovl.exe
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1708 wrote to memory of 1964	1708	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1708 wrote to memory of 1964	1708	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1708 wrote to memory of 1964	1708	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1708 wrote to memory of 1964	1708	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1964 wrote to memory of 912	1964	voiceadequovl.exe	voiceadequovl.exe
PID 1964 wrote to memory of 912	1964	voiceadequovl.exe	voiceadequovl.exe
PID 1964 wrote to memory of 912	1964	voiceadequovl.exe	voiceadequovl.exe
PID 1964 wrote to memory of 912	1964	voiceadequovl.exe	voiceadequovl.exe
PID 912 wrote to memory of 268	912	voiceadequovl.exe	powershell.exe
PID 912 wrote to memory of 268	912	voiceadequovl.exe	powershell.exe
PID 912 wrote to memory of 268	912	voiceadequovl.exe	powershell.exe
PID 912 wrote to memory of 268	912	voiceadequovl.exe	powershell.exe
PID 912 wrote to memory of 1864	912	voiceadequovl.exe	cmd.exe
PID 912 wrote to memory of 1864	912	voiceadequovl.exe	cmd.exe
PID 912 wrote to memory of 1864	912	voiceadequovl.exe	cmd.exe
PID 912 wrote to memory of 1864	912	voiceadequovl.exe	cmd.exe
PID 1864 wrote to memory of 1540	1864	cmd.exe	powershell.exe
PID 1864 wrote to memory of 1540	1864	cmd.exe	powershell.exe
PID 1864 wrote to memory of 1540	1864	cmd.exe	powershell.exe
PID 1864 wrote to memory of 1540	1864	cmd.exe	powershell.exe
PID 912 wrote to memory of 1016	912	voiceadequovl.exe	voiceadequovl.exe
PID 912 wrote to memory of 1016	912	voiceadequovl.exe	voiceadequovl.exe
PID 912 wrote to memory of 1016	912	voiceadequovl.exe	voiceadequovl.exe
PID 912 wrote to memory of 1016	912	voiceadequovl.exe	voiceadequovl.exe
PID 912 wrote to memory of 1016	912	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1540

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1016

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1952

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:1328

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
243.5MB

MD5
86ca65c91656ce6b02993ebdf2945932

SHA1
f2db3e8d67a96901c04a851ff8d7969326fb96f1

SHA256
4cbd0c7000dd69db2aa93d805716dc6d146226120bf779466735dfa73778af72

SHA512
ad765f43a88a06027edc0322a4916dac1b7dbb73436c19b47cd5fe90f6957db7262c60c64fa9c64717b278567c26ea07e914c569c105ed9ef2c17bb32961beba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0509218fcb722d88ab74726217773583

SHA1
13ec794ac3c17c8211ff4138fa8a3ff0ad005668

SHA256
f88f3033d8b804a8dd1dfbcd9da7baab45532fdcdb66b5727b101af3090ca5a2

SHA512
cab6d4c7dc1a36098e58fbd473ec5e6079f0a83d7a32ff87a3583e163816b11582484b8a86b24f4fc0cc28cc9256405cd5c6683e50cafab84a8d05981b3ec169

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
278.9MB

MD5
a250ae3d7de6893c388d0f3c3feed485

SHA1
7f46460795c5dc5f277f0e092062c7b8ebe735af

SHA256
3069499355ff96e2f9825790398c72c281a14b83d4fe1c9b2ebbf9e5dd65164c

SHA512
d980ee24ed7b6359269a860e5a2aba6122733adc0da2c32f62bc703f9f0bc46f4cd9bf982ab8a77e8a45cf00006fd10ff110e6a9cdc3d0176166585897c0628a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
268.6MB

MD5
a534a54efbbc59b68756db0e717d1d2a

SHA1
8b0ca9b633cb775a5d201ed103be6b4fd2200130

SHA256
2835b252920b6c3e882699778c0d25135ed17a8efbc64eff352cb3a2afe9bfdb

SHA512
8f05c121b52d1fee37aab4b3f9dbb535c6d9d0fc83e249b261a84e3d153c72966d6ab9cf38868883fb906e62cacf34d36e173d0814604eabfe2d6ea2ce047354

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
52.1MB

MD5
0f36ab523167202951ae633397c9bce4

SHA1
0dda7e328f3ca4ffde324ce9514d5053caa67280

SHA256
b6274d4c0a518875fcd636bcb33f3f5aef236a7778ccd2248c499b214e39a2fe

SHA512
455b5407b3a6f3ea78506444432d27f50833c539f6c0e47861e26ebc697e171fef66547dff540d2a98b3fdc742e3b98d09af3245882b865f2c3ff0a09bc18bb3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
259.2MB

MD5
e97b657409ba8481b592b787ec4e6016

SHA1
410e5ef7b1b95daad14ea11f92eb53c80e3f64a9

SHA256
109bf1260073e0fe7ab926f56a8a0625a7eed2837188eea6f9525efb7f739991

SHA512
47ea9bbffe3b0ad713a695b36bd3a3a1a948d3e0d632e154522eedfd1789f706a641b8694d6451fa0173b650871890eaa6595d8c931d2d61b6ee0c4307f18778

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
248.0MB

MD5
4c3ec08601ab208d790de6b1597944fc

SHA1
6186aad18a22d059534681e102f6c429c39b91e7

SHA256
710b607cb8422a77ab97332d10d7426c854fdf389cbdf31d7f358819cd5cf680

SHA512
574d2c1751043d7be3bf65591bd86858f4dedcf6d3a4d203556ab128c94c274436b86eb7888905bf84a4cfa29850b2d016d0e8e231fd3d90266550177526feb3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
257.1MB

MD5
5d4c312f5a1c0fac4c12d9dc953ee5be

SHA1
bee2859ea861000d7c1314c8d8ae954ef8ca3f9c

SHA256
7563a9c09385bd916a0824ac4f3e3d1f457d9ef6fd2e94137d46ce4f31058e04

SHA512
3dbff2a2401235a60dd53fec3bcb57f8edbe01b04ba8584f6209d0b38a7e60d8ff2fac5154dab23cae7691a134df91ba779bfc78e8fa549136d904ea0ba9c558

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
270.2MB

MD5
c60efb298e99e9833e0cae750a676b96

SHA1
341924500e2109188664aabaf3e582c9e2a7c944

SHA256
e9724202b4a7b45523f519d15d99d06660e9409bb7fcd04e2c044d1268924fe4

SHA512
531fa6911b804938aec088ad5b7f6fea14931ad7dd79941a14b9c9631970677b468b41c3bba8f3f62f2345053603f59033ea795f0f484e969fcd47bb83f15326

Download Submit
memory/268-69-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/268-71-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/268-70-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/268-67-0x0000000000000000-mapping.dmp

Download
memory/912-62-0x0000000000000000-mapping.dmp

Download
memory/912-66-0x0000000006480000-0x0000000006820000-memory.dmp

Filesize
3.6MB

Download
memory/912-65-0x0000000000B10000-0x0000000001284000-memory.dmp

Filesize
7.5MB

Download
memory/912-73-0x00000000054E0000-0x0000000005652000-memory.dmp

Filesize
1.4MB

Download
memory/1016-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-99-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1016-90-0x0000000000464C20-mapping.dmp

Download
memory/1064-101-0x0000000000000000-mapping.dmp

Download
memory/1328-100-0x0000000000000000-mapping.dmp

Download
memory/1540-74-0x0000000000000000-mapping.dmp

Download
memory/1540-93-0x000000006F980000-0x000000006FF2B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-84-0x000000006F980000-0x000000006FF2B000-memory.dmp

Filesize
5.7MB

Download
memory/1772-98-0x0000000000000000-mapping.dmp

Download
memory/1864-72-0x0000000000000000-mapping.dmp

Download
memory/1952-97-0x0000000000000000-mapping.dmp

Download
memory/1964-56-0x0000000075D51000-0x0000000075D53000-memory.dmp

Filesize
8KB

Download
memory/1964-54-0x0000000000000000-mapping.dmp

Download
memory/1976-96-0x0000000000000000-mapping.dmp

Download