aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
111s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1112-66-0x0000000006650000-0x00000000069F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1552	voiceadequovl.exe
1112	voiceadequovl.exe
1856	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1552	voiceadequovl.exe
1552	voiceadequovl.exe
1552	voiceadequovl.exe
1552	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 1856	1112	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1896	powershell.exe
1084	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	voiceadequovl.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1552	1504	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1504 wrote to memory of 1552	1504	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1504 wrote to memory of 1552	1504	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1504 wrote to memory of 1552	1504	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1552 wrote to memory of 1112	1552	voiceadequovl.exe	29
PID 1552 wrote to memory of 1112	1552	voiceadequovl.exe	29
PID 1552 wrote to memory of 1112	1552	voiceadequovl.exe	29
PID 1552 wrote to memory of 1112	1552	voiceadequovl.exe	29
PID 1112 wrote to memory of 1896	1112	voiceadequovl.exe	30
PID 1112 wrote to memory of 1896	1112	voiceadequovl.exe	30
PID 1112 wrote to memory of 1896	1112	voiceadequovl.exe	30
PID 1112 wrote to memory of 1896	1112	voiceadequovl.exe	30
PID 1112 wrote to memory of 1664	1112	voiceadequovl.exe	32
PID 1112 wrote to memory of 1664	1112	voiceadequovl.exe	32
PID 1112 wrote to memory of 1664	1112	voiceadequovl.exe	32
PID 1112 wrote to memory of 1664	1112	voiceadequovl.exe	32
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1664 wrote to memory of 1084	1664	cmd.exe	35
PID 1664 wrote to memory of 1084	1664	cmd.exe	35
PID 1664 wrote to memory of 1084	1664	cmd.exe	35
PID 1664 wrote to memory of 1084	1664	cmd.exe	35
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34
PID 1112 wrote to memory of 1856	1112	voiceadequovl.exe	34

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1664
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1856
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:784
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1192
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
001ab5503e738d1c52006801067d91eb

SHA1
946d2f95cf50e3053ac2127f678e9dd3226a52b4

SHA256
a39257df1ebddeeee15fca0371459933d465925cb49309b36fd0c08bf773507a

SHA512
62c4e2276c043b567db0cd7d7c5d5b986abf126d51fbdd934f44da745afe867f128c0cac4ec3effe8fad07de13913ef70e63cda5dc815c4b247e1b1166449b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
268.0MB

MD5
25772c70a210cffae13994afbfd91d58

SHA1
378a420e92ce77154e5bedd2243d685ee45c430d

SHA256
4b60102716821b86581d57a5a62f26f63359870a84c65f98883912effaa2acc2

SHA512
adccd4e66f133f804d7565c8787a02895e85b83d96caad4176c5867def5554320f9563fb843f8367d66502cc7830279b86fd794f39d0ab8cb087c4304a8c885a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
274.9MB

MD5
07f1c439f33c6970a303cf97e8fe2253

SHA1
ffe051825ec1140d842f4ca450925322cae5cd0b

SHA256
5fc8a9b38697bfaf5e2be03b801376edba1065ba6637d7934e8f7d0ee3eeb88c

SHA512
2fe5e19e413742559b3405d58ffc775e1eb110cc1a383fa23d948465f7a54e709476bcab839a0570a3449ee0b24355389c801273bcb59b104c9d6f5d54e06024

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
86.1MB

MD5
e8ff539155bbe675928c3043de2a9d05

SHA1
f0712f36e3c314d14ac5207c26381f3dcdbb4bdb

SHA256
94a2bfc3b725c1b0c1e314a1221bfba802b8e44a8f3913ff91a4b3cd5cefe25f

SHA512
186b297600f2e6196906ade450bb3e90290001b5492e17ace4613fee58082de36701df7730beb34783e5f867ef7f04dbdb28a1d842afac8909ae2575f7080a8b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
275.9MB

MD5
08ad120dc98efd1256d0aafdb1edf4c5

SHA1
1bec3652db7f4b8a3140133171410ff5c152023e

SHA256
9156aff5d3d95a108e7c532188ad0348ef052110f35fab55f7ebc33bb9f5ab5f

SHA512
464a2a9267f8469d4ad95580f84080e2cb81a902ce1b6f98876e9e2565aa52bed7761c86e98c8e7a19e87ee155b7ea8ab515f159d6999dba43caa77139083490

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
272.4MB

MD5
2906356249c62954fa6824398820227f

SHA1
6e4264bff1652db56345d2335337c57c24fafc66

SHA256
5f62785ee1ea33dc4f8f45a8c0558794a019c864301ba984f5f1e521541521d9

SHA512
df6da635c125f4b37ee823cc6c6d8f6c748d46fbe0dc8bec0db934c6177c161d37dd2df169a09e170fd872edc0f1cf0e3ec9e48682c75d2b90c7184c76253c76

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
276.1MB

MD5
a05887c105a5fabde254dd8578e69169

SHA1
aabfe2d0cde05069a5a71d1276996cdd627926b4

SHA256
b517a8fdf49bda843ace37aff04228e840a1d79e1c3d2913c502c23aeb967e3a

SHA512
d8e4465dbf16e4330b21632e5562a8da984219e5b232152c5969c43fb41e41648f6d64978e5fea2a64bc01a26879f2817323f05fd4755607af86266c6f99c482

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
268.6MB

MD5
eff52626ffd5a3c91ff7fe9226afd1a2

SHA1
caa8b7fbae48e3b1b1cc82129ec75e11701f3e50

SHA256
e3b3cfa7b03433103367a7572e1abc5f0d066988d4e5ccc39711d9d4c3567356

SHA512
8c202352a0eeb10d335e377c11e8bba718c10a3b22078260b7e5745c946665b9a6cf36fd3fd6ad54bdcf657afc3102378898fa6a1bf12befefed9fdd112cca37

Download Submit
memory/1084-93-0x000000006FE00000-0x00000000703AB000-memory.dmp

Filesize
5.7MB

Download
memory/1112-73-0x0000000005520000-0x0000000005692000-memory.dmp

Filesize
1.4MB

Download
memory/1112-66-0x0000000006650000-0x00000000069F0000-memory.dmp

Filesize
3.6MB

Download
memory/1112-65-0x0000000000B40000-0x00000000012B4000-memory.dmp

Filesize
7.5MB

Download
memory/1552-56-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1856-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1856-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1896-69-0x0000000070280000-0x000000007082B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-70-0x0000000070280000-0x000000007082B000-memory.dmp

Filesize
5.7MB

Download
memory/1896-71-0x0000000070280000-0x000000007082B000-memory.dmp

Filesize
5.7MB

Download