aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
124s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1504-66-0x0000000006380000-0x0000000006720000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1764 voiceadequovl.exe
1504 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1764 voiceadequovl.exe
1764 voiceadequovl.exe
1764 voiceadequovl.exe
1764 voiceadequovl.exe

pid	process
1764	voiceadequovl.exe
1504	voiceadequovl.exe

pid	process
1764	voiceadequovl.exe
1764	voiceadequovl.exe
1764	voiceadequovl.exe
1764	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

776 powershell.exe
888 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1504 voiceadequovl.exe
Token: SeDebugPrivilege 776 powershell.exe
Token: SeDebugPrivilege 888 powershell.exe

pid	process
776	powershell.exe
888	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1504	voiceadequovl.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 2020 wrote to memory of 1764	2020	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2020 wrote to memory of 1764	2020	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2020 wrote to memory of 1764	2020	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2020 wrote to memory of 1764	2020	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1764 wrote to memory of 1504	1764	voiceadequovl.exe	voiceadequovl.exe
PID 1764 wrote to memory of 1504	1764	voiceadequovl.exe	voiceadequovl.exe
PID 1764 wrote to memory of 1504	1764	voiceadequovl.exe	voiceadequovl.exe
PID 1764 wrote to memory of 1504	1764	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 776	1504	voiceadequovl.exe	powershell.exe
PID 1504 wrote to memory of 776	1504	voiceadequovl.exe	powershell.exe
PID 1504 wrote to memory of 776	1504	voiceadequovl.exe	powershell.exe
PID 1504 wrote to memory of 776	1504	voiceadequovl.exe	powershell.exe
PID 1504 wrote to memory of 1900	1504	voiceadequovl.exe	cmd.exe
PID 1504 wrote to memory of 1900	1504	voiceadequovl.exe	cmd.exe
PID 1504 wrote to memory of 1900	1504	voiceadequovl.exe	cmd.exe
PID 1504 wrote to memory of 1900	1504	voiceadequovl.exe	cmd.exe
PID 1900 wrote to memory of 888	1900	cmd.exe	powershell.exe
PID 1900 wrote to memory of 888	1900	cmd.exe	powershell.exe
PID 1900 wrote to memory of 888	1900	cmd.exe	powershell.exe
PID 1900 wrote to memory of 888	1900	cmd.exe	powershell.exe
PID 1504 wrote to memory of 1876	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1876	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1876	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1876	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1876	1504	voiceadequovl.exe	voiceadequovl.exe
PID 1504 wrote to memory of 1876	1504	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1876
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1008
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1636
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:1056
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f4771813efe79eca6efe9fbbd06b2a9a

SHA1
6fc822f23d5deff1f87c68f8c1f6d3d819bfee2f

SHA256
d136de7c4591c251045b666f4467a9bfa9671bfb1a297cdcf3ba9ed08c09ed8b

SHA512
2787f177721109a87976e60d6e08e69215edeab954687fea97cafafa93f5576dea486964e30949dfac2e1670d71b30a34cd0461a9b2f5506661f4dc1270b950a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
269.2MB

MD5
6a1637f2692cfe72a98d7974cc5e62e9

SHA1
3a4806ccfa30c41642ccccf64fdf762b6e789046

SHA256
904d3f7f0abfcfaab54d68788fc560855cea2297056a5d3bb75614dccf696b56

SHA512
8c066a37d3b05c7fd6ba5f0f73cc0f8c718755bde2dd7bd96212a7c422f4da43ded9731e8dcde9c23d480bbefb846992a16817c37637728054c30714ce129c4e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
264.0MB

MD5
1da2735120868e71d034d87b4e365ef3

SHA1
c0001e7cf6e543c95744fb08bb7d741a77ef202a

SHA256
0cf630acd746d2baf877e3eddf7da423c1c58a57d65b76eaa69fd664d3f56db8

SHA512
3393b999c0ee0b31c6203e69be5387047cca6d2488823c1014d34bcefaa268850936c7b029932b53c0711aa5ea6d5453c0348de215d0985ab84a8db98c06d40f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
42.1MB

MD5
c514164bb7a8de67b811fbf0c08fb778

SHA1
8fdedf14f86a1dc1d3b9808c39687193cdc16bbf

SHA256
952ba7215b1645b5e840636b11aed468157dad1dd73bf6e6c544e39a0d7b8a23

SHA512
34256f8df61b84e7382a236d6c897fe1c4abdc6df6410583d6d9535659a21af787efd963ee58498b6a3e48111964a26911b3582cf537f123e85736092c6ab564

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
272.9MB

MD5
86f9ddc3be53eb4ba042ee9d59c0afa0

SHA1
3a439a0c998c88a09427abb46f2835c9f01753c2

SHA256
ff5c5003787841483100ddd3ff95101359251dee68cc646d2ce320944f317c71

SHA512
08689af6e10d8561fbe7380ec7ef3e7708240202734be97802c7c4f0f9bf5281a9dd775e485c39b13e1a0f23243d2985a141a57abc163d77375618b7e69cf060

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
259.2MB

MD5
9f1700be5319ae7be6852dec17da1da1

SHA1
15d818206965c8945f86c3b39a79c67fb9fabe18

SHA256
509bb4ad5afac46d14a082b39e57f383f0799a0b8076c9448a5b847dcba6da62

SHA512
eaea0ffba7935b4251bdc92d9a2e3ec34e33e7dc0baa1b0ae7894c46348b829f504f76549b29fb1e8e29a69f1336332efbcd06afe823fdda52346d12f90cea08

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
283.8MB

MD5
476cf87b6b3135aa0ace06086de850f5

SHA1
bfe659db4ee1e58c835da5989191b9f3df95fd64

SHA256
9b0c754eb151ff8334c80158a691b54d567d219d2cb3b770b91d07241da2d692

SHA512
8aefd3ad8347db0b6a7dcb470fa59d9f7fa51d360de829d22954f4b930fe465bd63344c7a1873a527eecedab6a0ff6d3d7aaad22202120f4994ac5874e40cd4f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
269.9MB

MD5
5a5698e2dc5ae3df7c447dd35a6e8deb

SHA1
48680665286b57b96655555b3b9e9414fe8ad74b

SHA256
efe9779eb46a1442f3c8db295b15c758158184258c5e9e854047fe76c1f9663a

SHA512
5d2b61a01c72fb086a61b879b50f134087566bc9f270b382a41acbacd4d88ca28ee940d47790ca74eda7f3327e62c9accbbc622a1d23b2cb0ec80f0e8ac2e949

Download Submit
memory/776-67-0x0000000000000000-mapping.dmp

Download
memory/776-69-0x000000006F420000-0x000000006F9CB000-memory.dmp

Filesize
5.7MB

Download
memory/776-70-0x000000006F420000-0x000000006F9CB000-memory.dmp

Filesize
5.7MB

Download
memory/776-71-0x000000006F420000-0x000000006F9CB000-memory.dmp

Filesize
5.7MB

Download
memory/888-95-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/888-74-0x0000000000000000-mapping.dmp

Download
memory/888-85-0x000000006F180000-0x000000006F72B000-memory.dmp

Filesize
5.7MB

Download
memory/1008-96-0x0000000000000000-mapping.dmp

Download
memory/1056-98-0x0000000000000000-mapping.dmp

Download
memory/1504-73-0x0000000005260000-0x00000000053D2000-memory.dmp

Filesize
1.4MB

Download
memory/1504-66-0x0000000006380000-0x0000000006720000-memory.dmp

Filesize
3.6MB

Download
memory/1504-62-0x0000000000000000-mapping.dmp

Download
memory/1504-65-0x0000000001120000-0x0000000001894000-memory.dmp

Filesize
7.5MB

Download
memory/1636-97-0x0000000000000000-mapping.dmp

Download
memory/1764-54-0x0000000000000000-mapping.dmp

Download
memory/1764-56-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1876-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-90-0x0000000000464C20-mapping.dmp

Download
memory/1876-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1876-99-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1900-72-0x0000000000000000-mapping.dmp

Download