aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
106s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/940-66-0x00000000064B0000-0x0000000006850000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
972	voiceadequovl.exe
940	voiceadequovl.exe
1528	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
972	voiceadequovl.exe
972	voiceadequovl.exe
972	voiceadequovl.exe
972	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 1528	940	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
924	powershell.exe
1968	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	voiceadequovl.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 972	1952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1952 wrote to memory of 972	1952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1952 wrote to memory of 972	1952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1952 wrote to memory of 972	1952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 972 wrote to memory of 940	972	voiceadequovl.exe	29
PID 972 wrote to memory of 940	972	voiceadequovl.exe	29
PID 972 wrote to memory of 940	972	voiceadequovl.exe	29
PID 972 wrote to memory of 940	972	voiceadequovl.exe	29
PID 940 wrote to memory of 924	940	voiceadequovl.exe	30
PID 940 wrote to memory of 924	940	voiceadequovl.exe	30
PID 940 wrote to memory of 924	940	voiceadequovl.exe	30
PID 940 wrote to memory of 924	940	voiceadequovl.exe	30
PID 940 wrote to memory of 1824	940	voiceadequovl.exe	32
PID 940 wrote to memory of 1824	940	voiceadequovl.exe	32
PID 940 wrote to memory of 1824	940	voiceadequovl.exe	32
PID 940 wrote to memory of 1824	940	voiceadequovl.exe	32
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 1824 wrote to memory of 1968	1824	cmd.exe	34
PID 1824 wrote to memory of 1968	1824	cmd.exe	34
PID 1824 wrote to memory of 1968	1824	cmd.exe	34
PID 1824 wrote to memory of 1968	1824	cmd.exe	34
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35
PID 940 wrote to memory of 1528	940	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1528
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1048
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1552
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1768
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1ebb2f88508af647112453ac66927e3e

SHA1
de5f606db401384d9316b32d904b2b63290cdf3c

SHA256
5fe82a4141f379546b0b366280a3c3ef479289e2beafc328df244cdba2da2dc4

SHA512
a573fb349087dcf89be14b5d01ae6dd52723bd373a13bc561ff988d3d4a9cb73caa7a28be749ea64825f8546d4456ccff3d965c35c4b9d9f5588583b2d7cbf89

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.7MB

MD5
4b6a9c8cebdb8049e8cdb13b0486a092

SHA1
69b2489b75cf63d5c39ece13162169e9450b1c3e

SHA256
737316c69474ab96ac81641d6270232eeb22265bb54435a6571942f151bedc17

SHA512
78bf2aa37c21cec0c2f9e4a0b7a2d29858115c2240924677cde54673d4b0c30c34f40acdc15c6255f3ffe39b2fd44aef204369af7498f2c13a1d3b35bd76a0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.6MB

MD5
b085be6726f9995c20d2ba45a867ee3b

SHA1
7e9b058883e2bbbaa69662f76263e9dd29125bfc

SHA256
9cb90ca6bd6f092895a0acb4d6734c7759f40893c595c1a5ed8d113ba9efe30c

SHA512
45e19a422de3d7b156c0a269d9a7439e3d827f34e58946be390b1e0e67990deb8783c5b765af159bc6ea2f3cbb27ecdc44d6b4117029c7110408b24198ea134a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
88.2MB

MD5
6ec630e020cab0b157aee6650d090efd

SHA1
c7ac8480ea191dc09632689404c909484cd664cf

SHA256
a81473ab86e6df4666aff31817535ddd86380c2113a94e4d1be123a53db04db4

SHA512
af3fd3774528eb235daf93f0c0d6a5d05153f7164368f62240fac5c037796891834a50c39bb37d7e0f91dc4f1150a35c97ab656d9171b56239f7f102ce09aa52

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
264.2MB

MD5
73856ef6c28943d3295c80ebaa8baedc

SHA1
f9b179779ae181cdeafca9c55155938e01290dad

SHA256
7cb0863ee129f02f0db62baefaa4d816395180c8d736050faf667852545da016

SHA512
78843326d50e20023ee148bdaaeeff266b1551bdfd4655f9d4a526e5ed3e30578c5b72c09efd9f5404b4c10a4f725bdb3b3c4b3bf85109bad6356755fa5e4612

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
260.2MB

MD5
757453a45def0696d651a4b1d5b94222

SHA1
f6e56ac771da3e026a91919fb1b8d6b6225f9f6f

SHA256
9776eab1ed64fa96966fa6efe63d83a7665ad01149033aeac11bb8c77ead26db

SHA512
67d68c5c8df93d8b9f518ea06f08bf2940473b963adac96ebd0dc1903a4ad33b9cedb65065fbcc0c88723123de85e67f70d384bf0efcab64ef0a007779282315

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
264.1MB

MD5
c2978936d27aea31ba399c09aedfc92d

SHA1
56c20f5ba11e19c0589c9c27e2a3f8a14ebb56d1

SHA256
c2d36b773f356f4544a642c35b0c6a70bcea1a1f98a70f0d3251bee8caa3435a

SHA512
0a1dced340da6ef5509273481decc00d3b07b7d7dac46618120a11262827a48f5b1b22e1b161a1e0cfd63dae577640f17361b49798dd2dfaeb73a291862101b7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.9MB

MD5
060176c823891dfdac65875dbf863915

SHA1
60f59968bbad268182aa58e226425036f65d5245

SHA256
23ada4cb473ec0269495ee63136a4ed70b6ca6c69807fcbae79c1d1eaf4b4cad

SHA512
98a73f8cd9f743e2a7987bf8559d93f19817a8c5ad2bf9fe50df0a29918fe473469feebe559c048365df04cef4abc5be09a2fabde3eeba9b8d4b3b7d6bbe0d1f

Download Submit
memory/924-71-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/924-69-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/924-70-0x000000006F390000-0x000000006F93B000-memory.dmp

Filesize
5.7MB

Download
memory/940-66-0x00000000064B0000-0x0000000006850000-memory.dmp

Filesize
3.6MB

Download
memory/940-65-0x0000000001300000-0x0000000001A74000-memory.dmp

Filesize
7.5MB

Download
memory/940-73-0x0000000005460000-0x00000000055D2000-memory.dmp

Filesize
1.4MB

Download
memory/972-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1528-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-102-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1968-96-0x000000006F340000-0x000000006F8EB000-memory.dmp

Filesize
5.7MB

Download
memory/1968-93-0x000000006F340000-0x000000006F8EB000-memory.dmp

Filesize
5.7MB

Download