aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
133s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/568-66-0x0000000006410000-0x00000000067B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1108	voiceadequovl.exe
568	voiceadequovl.exe
868	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1108	voiceadequovl.exe
1108	voiceadequovl.exe
1108	voiceadequovl.exe
1108	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 568 set thread context of 868	568	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1944	powershell.exe
944	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	voiceadequovl.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1108	1148	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1148 wrote to memory of 1108	1148	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1148 wrote to memory of 1108	1148	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1148 wrote to memory of 1108	1148	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1108 wrote to memory of 568	1108	voiceadequovl.exe	29
PID 1108 wrote to memory of 568	1108	voiceadequovl.exe	29
PID 1108 wrote to memory of 568	1108	voiceadequovl.exe	29
PID 1108 wrote to memory of 568	1108	voiceadequovl.exe	29
PID 568 wrote to memory of 1944	568	voiceadequovl.exe	30
PID 568 wrote to memory of 1944	568	voiceadequovl.exe	30
PID 568 wrote to memory of 1944	568	voiceadequovl.exe	30
PID 568 wrote to memory of 1944	568	voiceadequovl.exe	30
PID 568 wrote to memory of 108	568	voiceadequovl.exe	32
PID 568 wrote to memory of 108	568	voiceadequovl.exe	32
PID 568 wrote to memory of 108	568	voiceadequovl.exe	32
PID 568 wrote to memory of 108	568	voiceadequovl.exe	32
PID 108 wrote to memory of 944	108	cmd.exe	34
PID 108 wrote to memory of 944	108	cmd.exe	34
PID 108 wrote to memory of 944	108	cmd.exe	34
PID 108 wrote to memory of 944	108	cmd.exe	34
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35
PID 568 wrote to memory of 868	568	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:868
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:960
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:2004
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f3b34a9f94ea1bb5d284c084c655647c

SHA1
e5a143a07aff3f5b2555e8235747855be5f2e199

SHA256
958080d7d41c948fa41b27c510335ae14255baddffd2043bee6dbb853d455a92

SHA512
691550b3c6f171d15ac5cfec44f8a227ca4334456653253d7e1b8498510524a08e0a018ed3d2a56db66a268af2c1b472fb200ac154174e2fddcf0c46041419b1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.1MB

MD5
8686322b4ecf8ed7c7192bf4d2a98946

SHA1
d1bc832f7e0d0efc8813a27aa6b710c6147fc51d

SHA256
59e14a35ba4767d6f1f363ce5192b427215b44618e1be9e2a34018e5507d7cfb

SHA512
c53e2ac301dae570544db66f613c141e058e3bee07cd2e1cffe958d3a76fff9bc040266d4a0064d9badae860f0543d72d904ea37f9215c2b5940f4fff27bf3d0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
253.1MB

MD5
506b79636067f517256bf6ea9374a359

SHA1
28bd29981492f27ab2f009094a4090ef686d199e

SHA256
d5ba8fc93aac396e5b1cb025ef65812a9b744f580a4d63db22b578c68dcf377c

SHA512
f0f43a26969fac590879415f441da72a3562759626717063ae57a12f84c0201e10858413593932be6ed6feff40204c8c8cc0654ba92468d9a02df302a4f68fea

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
52.6MB

MD5
b47e1ee28ec2869c0e74d221a7410268

SHA1
0ba9041751ccb66c3fe8551bb65b45e98a99fe96

SHA256
6d75c8fb7c467a284ac00e9bee1e24d5d74b341eb26bb54a1d89ba5e403a79a0

SHA512
5f3e96bca41f4a4c08edcfd5d81212bbb5eadd9c28be0820d71b896dca0c89e904134605b07a884608ee141cd56a8415710485af7f782ac49f68cb6d2d5c65ba

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
260.1MB

MD5
ec1fcac91b797dcfd85d95a8f9e82416

SHA1
1e35f7f52b71362fcf5eac45795983e85074a3ac

SHA256
3786d7eb169bec735d48e582c79c2e4cb3f058cca40b086f838522937d5ac812

SHA512
5e581f0d514e5f8f1c34a21974e4c6e152ef827968268d021a749282c4fce2e3685466bcf7c2026a7d09ad50d9f2fc0e5f5d98986e063a46931d26a06e7e0863

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.2MB

MD5
6868f08755fa5ddd7172caffaeb2e214

SHA1
d0ea182ac136fdff8e0befaef5c843b2a1ed8938

SHA256
54fb6a8888fc6f9adc34d153326c58ec6319f2df44df082fd7404c2b1e4bd9b5

SHA512
d1490e308e4e951afd0a63463a0cba5cded96fc4f5a4a361af16c1837ced35e6fc64fc5246b19d1f2df65b1343a0f82cbe73e6330e4eefc2c36b9d4b41d346eb

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
263.9MB

MD5
34bfb030499c762f5cfc316820742ca0

SHA1
68b8390e240bfa61f72c94566f360eeeda4e4cd8

SHA256
9a6ae4fbd72db9d74731df618b1da4308776104b55b23c0b4c3081549efb8a3b

SHA512
2da7377afe4dadfc559301d32b25e48288a251e778bbfb3e798057ed49b86aa804ef20a86724c8e5cb2959ae0f20843a89b7b6fba1026df992d76e57c311ee57

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
265.3MB

MD5
6621c01ecc4d1e5ed9a3a2d1a3d115dd

SHA1
2bbb33fd30c5df2d90faf594e6953ed006a8bdcb

SHA256
c0a3562ae05861018ffabd0555b6da8ac55cb002f315d9a72df1974561c78b03

SHA512
688133ef13356cd7bf54b9680870132446d8d5d4f925fa7b07084465edb86b5d080ee0b630c343ed36406ead634a42b6e85b508c18fe16cbd2f7c44ea01dc85f

Download Submit
memory/568-65-0x0000000000DE0000-0x0000000001554000-memory.dmp

Filesize
7.5MB

Download
memory/568-66-0x0000000006410000-0x00000000067B0000-memory.dmp

Filesize
3.6MB

Download
memory/568-73-0x00000000053B0000-0x0000000005522000-memory.dmp

Filesize
1.4MB

Download
memory/868-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/868-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/944-78-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/944-94-0x000000006F160000-0x000000006F70B000-memory.dmp

Filesize
5.7MB

Download
memory/1108-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1944-71-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-69-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download
memory/1944-70-0x000000006F410000-0x000000006F9BB000-memory.dmp

Filesize
5.7MB

Download