aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/692-66-0x0000000006600000-0x00000000069A0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1416 voiceadequovl.exe
692 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1416 voiceadequovl.exe
1416 voiceadequovl.exe
1416 voiceadequovl.exe
1416 voiceadequovl.exe

pid	process
1416	voiceadequovl.exe
692	voiceadequovl.exe

pid	process
1416	voiceadequovl.exe
1416	voiceadequovl.exe
1416	voiceadequovl.exe
1416	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1280 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 692 voiceadequovl.exe
Token: SeDebugPrivilege 1280 powershell.exe

pid	process
1280	powershell.exe

description	pid	process
Token: SeDebugPrivilege	692	voiceadequovl.exe
Token: SeDebugPrivilege	1280	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 1416	1736	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1736 wrote to memory of 1416	1736	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1736 wrote to memory of 1416	1736	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1736 wrote to memory of 1416	1736	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1416 wrote to memory of 692	1416	voiceadequovl.exe	voiceadequovl.exe
PID 1416 wrote to memory of 692	1416	voiceadequovl.exe	voiceadequovl.exe
PID 1416 wrote to memory of 692	1416	voiceadequovl.exe	voiceadequovl.exe
PID 1416 wrote to memory of 692	1416	voiceadequovl.exe	voiceadequovl.exe
PID 692 wrote to memory of 1280	692	voiceadequovl.exe	powershell.exe
PID 692 wrote to memory of 1280	692	voiceadequovl.exe	powershell.exe
PID 692 wrote to memory of 1280	692	voiceadequovl.exe	powershell.exe
PID 692 wrote to memory of 1280	692	voiceadequovl.exe	powershell.exe
PID 692 wrote to memory of 108	692	voiceadequovl.exe	cmd.exe
PID 692 wrote to memory of 108	692	voiceadequovl.exe	cmd.exe
PID 692 wrote to memory of 108	692	voiceadequovl.exe	cmd.exe
PID 692 wrote to memory of 108	692	voiceadequovl.exe	cmd.exe
PID 108 wrote to memory of 1528	108	cmd.exe	powershell.exe
PID 108 wrote to memory of 1528	108	cmd.exe	powershell.exe
PID 108 wrote to memory of 1528	108	cmd.exe	powershell.exe
PID 108 wrote to memory of 1528	108	cmd.exe	powershell.exe
PID 692 wrote to memory of 1624	692	voiceadequovl.exe	voiceadequovl.exe
PID 692 wrote to memory of 1624	692	voiceadequovl.exe	voiceadequovl.exe
PID 692 wrote to memory of 1624	692	voiceadequovl.exe	voiceadequovl.exe
PID 692 wrote to memory of 1624	692	voiceadequovl.exe	voiceadequovl.exe
PID 692 wrote to memory of 1624	692	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1528

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1624

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:360

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
51d2eff77a9f0dd44903c952fadcbea9

SHA1
a276eb32c792924148988858529c18bb0aac3752

SHA256
411a9c250a987e86c9467949928a7076458b74fd207769f12355bb6921e15676

SHA512
8b370dfcc46a29afc1f93ee75eaa427dc7bf556aaa024be23c8d2ef92d06f1ae4cdf03862afa9812cd1382a5134cf3c948e9f4eb8572fba34b62a5713eb1762e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
245.2MB

MD5
7a6c9bf8823b7a6a3f1a8b379386b347

SHA1
68506d411afa1d2d7727132b1f9e2898d283d407

SHA256
c874a255109babc2b39ba1223805f4ca8e3e1cc203d009e04509dbc270f2a675

SHA512
be90d76d84f4dd481baeb097d23d44f4b11ab6365675f7b70dcc1814654ad65da585f23fe2a07cc347ce572bee9022f9fc9a745b99390969044f5f1be1ccc562

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
237.1MB

MD5
cdb83a59bb4ee28584509166d73a6b6a

SHA1
95e75904d21d573c2b33d526b8ad5e6b575a7fb5

SHA256
d5aaf3674aaa3d6c5aab42b0281115c1152106dbc9f4b8ccf5296fa0d33d57f1

SHA512
3345ccbde0a6763a5e568c137dfd7af4d20713375e5bfa911d5dbe4499dd677bac8970989438c929dd57708d4df405e3f670f10aecac47fafa2ee7d747e0d47d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
44.2MB

MD5
4e0ee541936eda55f1fb600340ae8cb7

SHA1
c7c716ea601e54d91a786f3222c8995082bbeb82

SHA256
27610219167f39ba791bcad5205d2497704f623aae4ea3b48e4f99b84afb0bfa

SHA512
58e46f0cd2ace6f6d84117e63f1591772d5558f73b3d14ea4689f4a7878eb974d701f77988d79429b3b4dce4fe6d45d24ef77ba1eb4e5eaa288f0c53bd4efe43

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
210.2MB

MD5
4a9c4a5aeed110ee25b8c58f60e4e479

SHA1
76df73b2865edd261875dcfae7b14e7382cc37b8

SHA256
fa8d56fb8c3f2249e2881caf806e5963409aa5386f7652a2130a8eb128ef6c7c

SHA512
ff3af842c9a194e27e7b1f279f35367e4fd1ce265ca394f6abf9a452bcef96de77fda7d6365e410d3e7cbb38f3d9dfde602054995534bab03d3841ba0a52d88b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
247.6MB

MD5
5edcd39a21dc51b104cfa47768c14608

SHA1
cfb3c36f2a3642536eaa1914b75fc0b4e296f9ba

SHA256
5030e41d191b43c50d653ebd31efa9a84baa4000353cd858eac425f736171d8e

SHA512
0eba6e5a18f53e89c097947f1f8ca8720b4414153e4d68332def0ac211e95bcd3231827700047e204b8f316ee788fc628299316833405d1da289a9c183a66c06

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
254.2MB

MD5
8968fbd2ead02dd325159bb6b66b0196

SHA1
d64c4d4e25fc74d6ee623c9c5ad2df5fc09c8ef2

SHA256
7c67f2b2644b955dbaa72cfa51323268af25ff901e92fe6df9fcf0db75f28374

SHA512
49de72722f466d9f6fc58dd71784fa2583277fc646da3ed866d99dfb8b04ea4d97140d1ce98c465170d67a5f6686688aa4b09adb34d020eb592ea9a72aa88df3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
232.4MB

MD5
a5889cea3c5442359e3e438f5fdb4e18

SHA1
8e6aed95a852a14adf14bddf07e3ee1f0816ce59

SHA256
57ff2240c3212b7a1aa467c9c64f2788b9bc3d260dd316dc5ee429a71ebd20b9

SHA512
c47042e5e1cb0998b5b373507af0ae8b23f120ff5138fe94c87b0b0e7dcd43ef16e3ca0894e3fefc6508a85730d12fc68897ca3f6de4c01732e78e0740222792

Download Submit
memory/108-72-0x0000000000000000-mapping.dmp

Download
memory/360-93-0x0000000000000000-mapping.dmp

Download
memory/692-73-0x0000000005590000-0x0000000005702000-memory.dmp

Filesize
1.4MB

Download
memory/692-62-0x0000000000000000-mapping.dmp

Download
memory/692-65-0x0000000000D80000-0x00000000014F4000-memory.dmp

Filesize
7.5MB

Download
memory/692-66-0x0000000006600000-0x00000000069A0000-memory.dmp

Filesize
3.6MB

Download
memory/1280-71-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-70-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-69-0x000000006FA00000-0x000000006FFAB000-memory.dmp

Filesize
5.7MB

Download
memory/1280-67-0x0000000000000000-mapping.dmp

Download
memory/1416-54-0x0000000000000000-mapping.dmp

Download
memory/1416-56-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1528-74-0x0000000000000000-mapping.dmp

Download
memory/1528-96-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-94-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/1624-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-89-0x0000000000464C20-mapping.dmp

Download
memory/1624-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1624-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download