aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
123s
max time network
138s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/760-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1756 voiceadequovl.exe
760 voiceadequovl.exe
1504 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1756 voiceadequovl.exe
1756 voiceadequovl.exe
1756 voiceadequovl.exe
1756 voiceadequovl.exe

pid	process
1756	voiceadequovl.exe
760	voiceadequovl.exe
1504	voiceadequovl.exe

pid	process
1756	voiceadequovl.exe
1756	voiceadequovl.exe
1756	voiceadequovl.exe
1756	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 760 set thread context of 1504 760 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

320 powershell.exe
1528 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 760 voiceadequovl.exe
Token: SeDebugPrivilege 320 powershell.exe
Token: SeDebugPrivilege 1528 powershell.exe

description	pid	process	target process
PID 760 set thread context of 1504	760	voiceadequovl.exe	voiceadequovl.exe

pid	process
320	powershell.exe
1528	powershell.exe

description	pid	process
Token: SeDebugPrivilege	760	voiceadequovl.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1264 wrote to memory of 1756	1264	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1264 wrote to memory of 1756	1264	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1264 wrote to memory of 1756	1264	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1264 wrote to memory of 1756	1264	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1756 wrote to memory of 760	1756	voiceadequovl.exe	voiceadequovl.exe
PID 1756 wrote to memory of 760	1756	voiceadequovl.exe	voiceadequovl.exe
PID 1756 wrote to memory of 760	1756	voiceadequovl.exe	voiceadequovl.exe
PID 1756 wrote to memory of 760	1756	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 320	760	voiceadequovl.exe	powershell.exe
PID 760 wrote to memory of 320	760	voiceadequovl.exe	powershell.exe
PID 760 wrote to memory of 320	760	voiceadequovl.exe	powershell.exe
PID 760 wrote to memory of 320	760	voiceadequovl.exe	powershell.exe
PID 760 wrote to memory of 964	760	voiceadequovl.exe	cmd.exe
PID 760 wrote to memory of 964	760	voiceadequovl.exe	cmd.exe
PID 760 wrote to memory of 964	760	voiceadequovl.exe	cmd.exe
PID 760 wrote to memory of 964	760	voiceadequovl.exe	cmd.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 964 wrote to memory of 1528	964	cmd.exe	powershell.exe
PID 964 wrote to memory of 1528	964	cmd.exe	powershell.exe
PID 964 wrote to memory of 1528	964	cmd.exe	powershell.exe
PID 964 wrote to memory of 1528	964	cmd.exe	powershell.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1504	760	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1504

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
262.6MB

MD5
30a05a8a04200d0c7f994650dfd4c8f9

SHA1
86d052593f3f2297fa22b1eb0cca2c8e21c420eb

SHA256
7506ee2f38b8146dad62beab7f7a3436853541ac4375915d500f42e32961cfcc

SHA512
00330d387c9cf5148ac3995103e5cf49e99f228cd6f3dff0c5f6304bcabce2ee7482cfc3635dcb0bd0a8c78dd36788eb217ebef2a877748a3ff11337fc62dbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e6bcbd6646ebe4a4811a8ed59bc12b10

SHA1
70c38181c7658357aa39cd403067e761cc5bfae2

SHA256
51b5ba868e96c0f12581a50939d834ddb30eeddd6cd013420bbef28c6a0a7b2e

SHA512
5364f71fecafdffc73388b957e40936387ebe7642d2c2f6500d41044f0e99cf7ef8e9cd77ffd454c0552ffef4ed800a6d30443553e3b6979503781d12af37cf7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
241.0MB

MD5
626ca97e9f14398bdfee3de55034500d

SHA1
393ad2ff541271e28dc3f69c35f44d91d3f91ef9

SHA256
e2b921c098c6fac919e602eff3161c7cdb87967a0d53a213995200325050cff0

SHA512
9de898d7a48bb539f183db0c29496b6447d12322dc04cfd31ef92b92e56fa2f0ce683cfa8651708a1df5020d05ae72229f3f8c520f7cb7ce92927dcb6b4355bb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
238.1MB

MD5
c7fe3e33f4abbef0065a3804d98e5cb5

SHA1
c2b1fa9be63fa7e81421b14928c317bf19622ef8

SHA256
f0e3b88081ad500accd36fcab259df92b8731ac68e892596c7359f40102f83cf

SHA512
4ad5e1f893994e728da5b8bd1f4f59ba65bde13262c98bbb811b30f95e4545d91ae8104e489fbedc2ba89f5d67a9e5233833f72c382d77daf169de4daaaf2813

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
51.0MB

MD5
5a7f81b112422cc1a510878053c71a23

SHA1
bfc1a9e473f5fa48a5f160cf2538623d5f29e2d5

SHA256
057628565329e79724cad897abb856c2f5491a656b5c4d8c52e365a92e5e26c1

SHA512
00124bc7dc0a29ef23382ee068db182f442ebce9c063dfda6817e8802b5b1526353bddaf819d720a416ddf4edddcb3221c618e18b2df26d0590f059d4b8974ed

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
248.2MB

MD5
f60f515f3eef637d3ae0b6af1eb8ac31

SHA1
e809531f495ec088750a6b20aa24a1a71a474409

SHA256
4a1d68c3336bf86ba46637c5cbc22bdb996177221d5a5329538e0fda160e2316

SHA512
1f9e5dfc59a5aba10e131e942ec86f72f0b6c99f3697f27a2842b606fac72a6d6765d128d9f9cf9119d404f352e0148c9a5b30d7e79beb2d30c8cbc0e1f7d514

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
247.1MB

MD5
d7e73274bb4611ce7a710931febf8da4

SHA1
fcb5d78c6be9c9e13b5b97c424056f61f5f6db4f

SHA256
9093fdd615964f9b41492cf651ce2db8cc4a28edbc71825865b138b76e9add90

SHA512
2e5cc6903d7e407706991bdef6e5f055efbc027c9d40563b39095090f29b8482bde1bf104b9955e3bbc734699903ee15b21cc0be81ab8ee13fcbfb4c1a3ee2df

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
246.8MB

MD5
8ab0055c015344b4fe6ef0ed9e5466fb

SHA1
2960d72deadb045e4af255c296d40a177fc51dd6

SHA256
76854af86c84226df2bda15e663e7a8aec6c887b45e877b86758fda341339fea

SHA512
b23278a9e4e0ca0c89b825dacaeec078fd032af67593e0784e38cd4ded5645a631e26d8d116e30fe54dca8d96bfadadfe38cfdcbfa25228c4b17ad3d488a00c1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
246.6MB

MD5
69879de934b18b58ce43ed6af510dddb

SHA1
75c2d5bca0a04260ad6ab25cc1800a16cbf8f039

SHA256
e0ee93605ecbebfdf1d5a48f424d23fdeea430671763a177ea266ee0d6cb489d

SHA512
310041800833984719b07942e75aa729b05935e61b4f9f395c6387b501f24557857231ea24948644da66951931d8eb0c7436ba1d473941b808d24b775c223dff

Download Submit
memory/320-69-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/320-71-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/320-70-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/320-67-0x0000000000000000-mapping.dmp

Download
memory/760-73-0x0000000005440000-0x00000000055B2000-memory.dmp

Filesize
1.4MB

Download
memory/760-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/760-65-0x0000000000B20000-0x0000000001294000-memory.dmp

Filesize
7.5MB

Download
memory/760-62-0x0000000000000000-mapping.dmp

Download
memory/920-96-0x0000000000000000-mapping.dmp

Download
memory/964-72-0x0000000000000000-mapping.dmp

Download
memory/1504-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-89-0x0000000000464C20-mapping.dmp

Download
memory/1504-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1528-94-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-95-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-75-0x0000000000000000-mapping.dmp

Download
memory/1756-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1756-54-0x0000000000000000-mapping.dmp

Download
memory/2036-98-0x0000000000000000-mapping.dmp

Download