Analysis
max time kernel: 92s
max time network: 96s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 05-02-2023 01:15
Static task
static1
Behavioral task
behavioral1
Sample
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Resource
win10v2004-20220812-en
General
Target: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size: 3.6MB
MD5: 36fd273ea7607d3a203f257f4e2649ed
SHA1: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256: 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512: cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
Extracted
aurora
45.9.74.11:8081
Signatures
Detect PureCrypter injector 1 IoCs
resource: behavioral1/memory/1228-66-0x0000000006460000-0x0000000006800000-memory.dmp
yara_rule: family_purecrypter
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
Executes dropped EXE 3 IoCs
pid    Process
1952   voiceadequovl.exe
1228   voiceadequovl.exe
1392   voiceadequovl.exe
Loads dropped DLL 4 IoCs
pid    Process
1952   voiceadequovl.exe
1952   voiceadequovl.exe
1952   voiceadequovl.exe
1952   voiceadequovl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 2 IoCs
description       ioc                                                                                                    Process
Key created       \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce                                    5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Suspicious use of SetThreadContext 1 IoCs
description                              pid    Process             procid_target
PID 1228 set thread context of 1392      1228   voiceadequovl.exe   35
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid    Process
928    powershell.exe
1092   powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                           pid    Process
Token: SeDebugPrivilege               1228   voiceadequovl.exe
Token: SeDebugPrivilege               928    powershell.exe
Token: SeDebugPrivilege               1092   powershell.exe
Token: SeIncreaseQuotaPrivilege       1576   wmic.exe
Token: SeSecurityPrivilege            1576   wmic.exe
Token: SeTakeOwnershipPrivilege       1576   wmic.exe
Token: SeLoadDriverPrivilege          1576   wmic.exe
Token: SeSystemProfilePrivilege       1576   wmic.exe
Token: SeSystemtimePrivilege          1576   wmic.exe
Token: SeProfSingleProcessPrivilege   1576   wmic.exe
Token: SeIncBasePriorityPrivilege     1576   wmic.exe
Token: SeCreatePagefilePrivilege      1576   wmic.exe
Token: SeBackupPrivilege              1576   wmic.exe
Token: SeRestorePrivilege             1576   wmic.exe
Token: SeShutdownPrivilege            1576   wmic.exe
Token: SeDebugPrivilege               1576   wmic.exe
Token: SeSystemEnvironmentPrivilege   1576   wmic.exe
Token: SeRemoteShutdownPrivilege      1576   wmic.exe
Token: SeUndockPrivilege              1576   wmic.exe
Token: SeManageVolumePrivilege        1576   wmic.exe
Token: 33                             1576   wmic.exe
Token: 34                             1576   wmic.exe
Token: 35                             1576   wmic.exe
Token: SeIncreaseQuotaPrivilege       1576   wmic.exe
Token: SeSecurityPrivilege            1576   wmic.exe
Token: SeTakeOwnershipPrivilege       1576   wmic.exe
Token: SeLoadDriverPrivilege          1576   wmic.exe
Token: SeSystemProfilePrivilege       1576   wmic.exe
Token: SeSystemtimePrivilege          1576   wmic.exe
Token: SeProfSingleProcessPrivilege   1576   wmic.exe
Token: SeIncBasePriorityPrivilege     1576   wmic.exe
Token: SeCreatePagefilePrivilege      1576   wmic.exe
Token: SeBackupPrivilege              1576   wmic.exe
Token: SeRestorePrivilege             1576   wmic.exe
Token: SeShutdownPrivilege            1576   wmic.exe
Token: SeDebugPrivilege               1576   wmic.exe
Token: SeSystemEnvironmentPrivilege   1576   wmic.exe
Token: SeRemoteShutdownPrivilege      1576   wmic.exe
Token: SeUndockPrivilege              1576   wmic.exe
Token: SeManageVolumePrivilege        1576   wmic.exe
Token: 33                             1576   wmic.exe
Token: 34                             1576   wmic.exe
Token: 35                             1576   wmic.exe
Token: SeIncreaseQuotaPrivilege       1340   WMIC.exe
Token: SeSecurityPrivilege            1340   WMIC.exe
Token: SeTakeOwnershipPrivilege       1340   WMIC.exe
Token: SeLoadDriverPrivilege          1340   WMIC.exe
Token: SeSystemProfilePrivilege       1340   WMIC.exe
Token: SeSystemtimePrivilege          1340   WMIC.exe
Token: SeProfSingleProcessPrivilege   1340   WMIC.exe
Token: SeIncBasePriorityPrivilege     1340   WMIC.exe
Token: SeCreatePagefilePrivilege      1340   WMIC.exe
Token: SeBackupPrivilege              1340   WMIC.exe
Token: SeRestorePrivilege             1340   WMIC.exe
Token: SeShutdownPrivilege            1340   WMIC.exe
Token: SeDebugPrivilege               1340   WMIC.exe
Token: SeSystemEnvironmentPrivilege   1340   WMIC.exe
Token: SeRemoteShutdownPrivilege      1340   WMIC.exe
Token: SeUndockPrivilege              1340   WMIC.exe
Token: SeManageVolumePrivilege        1340   WMIC.exe
Token: 33                             1340   WMIC.exe
Token: 34                             1340   WMIC.exe
Token: 35                             1340   WMIC.exe
Token: SeIncreaseQuotaPrivilege       1340   WMIC.exe
Suspicious use of WriteProcessMemory 52 IoCs
description                          pid    Process                                        procid_target
PID 1908 wrote to memory of 1952     1908   5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe   28
PID 1908 wrote to memory of 1952     1908   5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe   28
PID 1908 wrote to memory of 1952     1908   5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe   28
PID 1908 wrote to memory of 1952     1908   5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe   28
PID 1952 wrote to memory of 1228     1952   voiceadequovl.exe                              29
PID 1952 wrote to memory of 1228     1952   voiceadequovl.exe                              29
PID 1952 wrote to memory of 1228     1952   voiceadequovl.exe                              29
PID 1952 wrote to memory of 1228     1952   voiceadequovl.exe                              29
PID 1228 wrote to memory of 928      1228   voiceadequovl.exe                              30
PID 1228 wrote to memory of 928      1228   voiceadequovl.exe                              30
PID 1228 wrote to memory of 928      1228   voiceadequovl.exe                              30
PID 1228 wrote to memory of 928      1228   voiceadequovl.exe                              30
PID 1228 wrote to memory of 768      1228   voiceadequovl.exe                              32
PID 1228 wrote to memory of 768      1228   voiceadequovl.exe                              32
PID 1228 wrote to memory of 768      1228   voiceadequovl.exe                              32
PID 1228 wrote to memory of 768      1228   voiceadequovl.exe                              32
PID 768 wrote to memory of 1092      768    cmd.exe                                        34
PID 768 wrote to memory of 1092      768    cmd.exe                                        34
PID 768 wrote to memory of 1092      768    cmd.exe                                        34
PID 768 wrote to memory of 1092      768    cmd.exe                                        34
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1228 wrote to memory of 1392     1228   voiceadequovl.exe                              35
PID 1392 wrote to memory of 1576     1392   voiceadequovl.exe                              36
PID 1392 wrote to memory of 1576     1392   voiceadequovl.exe                              36
PID 1392 wrote to memory of 1576     1392   voiceadequovl.exe                              36
PID 1392 wrote to memory of 1576     1392   voiceadequovl.exe                              36
PID 1392 wrote to memory of 844      1392   voiceadequovl.exe                              39
PID 1392 wrote to memory of 844      1392   voiceadequovl.exe                              39
PID 1392 wrote to memory of 844      1392   voiceadequovl.exe                              39
PID 1392 wrote to memory of 844      1392   voiceadequovl.exe                              39
PID 844 wrote to memory of 1340      844    cmd.exe                                        41
PID 844 wrote to memory of 1340      844    cmd.exe                                        41
PID 844 wrote to memory of 1340      844    cmd.exe                                        41
PID 844 wrote to memory of 1340      844    cmd.exe                                        41
PID 1392 wrote to memory of 1276     1392   voiceadequovl.exe                              42
PID 1392 wrote to memory of 1276     1392   voiceadequovl.exe                              42
PID 1392 wrote to memory of 1276     1392   voiceadequovl.exe                              42
PID 1392 wrote to memory of 1276     1392   voiceadequovl.exe                              42
PID 1276 wrote to memory of 1304     1276   cmd.exe                                        44
PID 1276 wrote to memory of 1304     1276   cmd.exe                                        44
PID 1276 wrote to memory of 1304     1276   cmd.exe                                        44
PID 1276 wrote to memory of 1304     1276   cmd.exe                                        44
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1908

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1952

    C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1228

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
        (the -ENC argument is base64 of UTF-16LE text and decodes to: start-sleep -seconds 35)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 928

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        (the -ENC argument decodes to: set-mppreference -exclusionpath C:\ , which adds a Windows Defender scan exclusion for the entire C: drive)
        - Suspicious use of WriteProcessMemory
        PID: 768

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          (same encoded command as the parent cmd.exe: set-mppreference -exclusionpath C:\)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1092

      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        Command line: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1392

        C:\Windows\SysWOW64\Wbem\wmic.exe
          Command line: wmic os get Caption
          - Suspicious use of AdjustPrivilegeToken
          PID: 1576

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /C "wmic path win32_VideoController get name"
          - Suspicious use of WriteProcessMemory
          PID: 844

          C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic path win32_VideoController get name
            - Suspicious use of AdjustPrivilegeToken
            PID: 1340

        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /C "wmic cpu get name"
          - Suspicious use of WriteProcessMemory
          PID: 1276

          C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic cpu get name
            PID: 1304
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 365.5MB
MD5: ba50f2bca86ba947a8d2035bb9b35123
SHA1: a542b5c5d41174dc2475a219978123b7d14f958f
SHA256: 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512: 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Filesize: 357.0MB
MD5: 9cd68e588d2a986b9a5f4f9b85feb8f6
SHA1: 5436ee009bb710f40503f51b618b2e563a5eff54
SHA256: cee1cdfeb5a9d88c7bc596b0697c124aa160d68782b88e014db685e51fe9ca7b
SHA512: a3afa1c4ab76dcdd833c55ad879b8ad1f6981eb3be6e686389cfe99365da62d0e39326749f9208710ceb8cb500c8a715ceaf660e232350ddcb7d688425860f5e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 2c0ec0ea989227ba6c3efa6900828674
SHA1: b5865af94073b4bc542fd03bf5885c3772b4056b
SHA256: a42eac412bf95b9de765c45a6213a4e6c4998c4ddb562d0faaa1a54954d5642f
SHA512: fb918ac970f576d593ca085f83ab18d4281cd5acd05e01e41df39ec636176c064883315ed3139592b32a12baa3cb656dccd21757cfb4e7d8db028ae890ad21d7

Filesize: 283.9MB
MD5: bde0acf0493fa578120bedab96114221
SHA1: cb691127a2910a87c2fc91bc8e1f3547118a97d8
SHA256: 44a4109be20c33ffd78f1863bfe647f40d57011ba711171c01dcaf2d454135f9
SHA512: 00b1f97773ddb459e703b9780a3fb17f34c344a92f86bbfdcc3ec94e7ede4c2aaade64f2ad4cdb5d049673e4a034148c2a619eda3c71ec156247f2b22919640f

Filesize: 275.7MB
MD5: bfd61114b28659a3d5d7fc1ff251686e
SHA1: c430a76d650517edc03f81405307d55cb8bd2b6f
SHA256: 851b61b1594e195fd3772264d5a5eca4739c1f09f1dc8607acb5de7cf95fbb4f
SHA512: 69505bcce58395ddad2360c95f233f283a43d48f10e565c5fa3f74660c91f5787004e1134a67aafd0aa3c7df8039d11280079695560132a9ceb6eb4685d6977e

Filesize: 139.7MB
MD5: 25a195ff3b433e1ece921edf3a714bb7
SHA1: d7ee98d0421bb8040f4a19ff8cfbadb24125164c
SHA256: 228cefaf651e82614e7a01380373215ec2e64e3281d88e5897b63a55f0408fae
SHA512: de08c3401908aaf9dc63943cceda7096d6780a340a8f59fbca366f9b86de8d182918f91d169bf36514b11753f0b34c01765551f9355f57cb0504ef42386ef328

Filesize: 281.3MB
MD5: aebe8611a8870c7beb963e63a0520a01
SHA1: dfbf1fe809bf539a9964fb34838e90680f5e365b
SHA256: abd1cac2ee42c93d128edb85c3105f1591a7e2bea049ac50b5dfeb94a85479a8
SHA512: 760aa1392143da6df1dd003032b36caa6427624735d7a8a91166b1f367ec2420077324ab6f1562ce51016cd77e7d64344d681add1790b41b4fa5857d24c52f65

Filesize: 282.8MB
MD5: 98cf3edac7b2c02b51f990a397e4e068
SHA1: 857812686058de48cc70ccf9d9342b9009234271
SHA256: 5afab7ae8bd647aa27e44851f7de8c5020be6b3b865efe4e407ebecf2af2a43f
SHA512: 04d78c36c896caa7ce3ebb4aba01ef9ede7a1a044ee1a773a754a0ee3a9e0e82cb85e78bbc5bd7fa9be09343fb878b9bbc1eac1069b0da832ec205769daa383c

Filesize: 280.2MB
MD5: 1db16dfdcf8612e4bc02ec1a47328d17
SHA1: 4dc4684d7bda4755d2045e325e4c974b71d3dbcd
SHA256: 9783249313f3d2c7f8c75c201ae90587bbd0715b467badba7ca64640f3d6d284
SHA512: 0ea45a542dc30adf1f686ef38a8a6b9f491c7c6ca5d9174157c3858190d2a07f26f1947cc7f7b2d5083ba6b63a71e50a9de58ad2a491924d1c6175481ad02ab7

Filesize: 282.3MB
MD5: 35424a7d0b5f80991216d17968788b62
SHA1: 1c0472a879f34e2f52486336ade427433b750f55
SHA256: 9912e92fa25a0524ee8ae454554c4e8aaddd0de3e2f824a4a7ced89675041a4b
SHA512: a597a162b0e8798a2c5d128ceba3c1593a0f0b57df7a8774e8cfb2d39347e9ae2ac3d32ed81aba9edb770ea48d983a7ab7f935bbe69355e63a9ce1034bff43b8