aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
124s
max time network
146s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/572-66-0x0000000006670000-0x0000000006A10000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1416	voiceadequovl.exe
572	voiceadequovl.exe
1712	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1416	voiceadequovl.exe
1416	voiceadequovl.exe
1416	voiceadequovl.exe
1416	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 572 set thread context of 1712	572	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1508	powershell.exe
112	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	voiceadequovl.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1416	1736	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1736 wrote to memory of 1416	1736	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1736 wrote to memory of 1416	1736	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1736 wrote to memory of 1416	1736	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1416 wrote to memory of 572	1416	voiceadequovl.exe	29
PID 1416 wrote to memory of 572	1416	voiceadequovl.exe	29
PID 1416 wrote to memory of 572	1416	voiceadequovl.exe	29
PID 1416 wrote to memory of 572	1416	voiceadequovl.exe	29
PID 572 wrote to memory of 1508	572	voiceadequovl.exe	30
PID 572 wrote to memory of 1508	572	voiceadequovl.exe	30
PID 572 wrote to memory of 1508	572	voiceadequovl.exe	30
PID 572 wrote to memory of 1508	572	voiceadequovl.exe	30
PID 572 wrote to memory of 1784	572	voiceadequovl.exe	32
PID 572 wrote to memory of 1784	572	voiceadequovl.exe	32
PID 572 wrote to memory of 1784	572	voiceadequovl.exe	32
PID 572 wrote to memory of 1784	572	voiceadequovl.exe	32
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 1784 wrote to memory of 112	1784	cmd.exe	34
PID 1784 wrote to memory of 112	1784	cmd.exe	34
PID 1784 wrote to memory of 112	1784	cmd.exe	34
PID 1784 wrote to memory of 112	1784	cmd.exe	34
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35
PID 572 wrote to memory of 1712	572	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1712
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:632
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:968

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c26091e0d5eff8345f759ce5f3ce26af

SHA1
9ab4935a829dfae70a144eb3b77e78865af81b8e

SHA256
641828831d03c6fc37d355e2e919c1a63919773851a287d8d933a7794107928b

SHA512
d4318a638257fba2c5dbaf5583011960178159762964382b3b1c6e93b02d1cc0f7885f7efcfdeed805566f64c9fe101f45e5a23f6b50dbf78ad71bc71d82f1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
251.7MB

MD5
8a045a124ba32aee200aadee6dd78ff6

SHA1
a806d4570c0c8c1627d7330c2e52de733d643702

SHA256
2004b48b3dbbd2671cbf4c0b6933b4368a6da8ff50c90c10477416e05ca496f2

SHA512
6073935e2a25448f8ad686685f1144c97e32488599781cbafd642a0478c0808a4119b199b6605fee5ff9dc1a2a9b1e36c4de7cdf27db0f6c41251f3c349fb006

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
227.1MB

MD5
a349e52b02efac0a1a99991b39ce49c7

SHA1
9ffa7bd39fc13a668212c8caca13b7de7c2b1e1c

SHA256
f8904a6e15b1707e1c187b97acea3568abedd38be2b822600af703a48a4e700e

SHA512
4b48e5528163555a941c65b8444d6dfd5ea546f854e8528347973dc959f17e221fee15c6c37c41986f750d652ebbae5601bfa0abfb8987c60704725c7369c7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
77.3MB

MD5
e2869c66db6c68113eec6bc9c7a2e7dc

SHA1
a598fd7dcb11cafdd3d893088d3c9a4d5c8843fe

SHA256
0e0aad9f7fd9d86624665cb93882f8ed5cf0b56e403c9d6e860a9a1c8e910e88

SHA512
3601ae5b6dea239eaccf730571a55c2e17b426af7196a7b5794e02ad8a8743185e43944e698ddcc39ff15ad3c9a04dc8ea1d809ced22d42fb89bdc9b01fe33f1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.4MB

MD5
5c2702ccb30e028d6766de3a501d0736

SHA1
5f8dcc4dcf6fd5653e7d7b4bdeec996fc8c32b2d

SHA256
7841ef17a21400c00bde15cfc418171838f78ed4b782db3603844e0bd4879a22

SHA512
8e3ca2a6a7854643c444db53b3c1ef4f00ce66b4746582c9d0a108d557a993d79645d17f6dfb7ae3a3fc7985c2d999b8c34696d86bfc805741766f5e08e200bd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.5MB

MD5
71ef5085dd6e2722f83544ff05006105

SHA1
cce541399da8f6230151ffddea8f473dcc93625b

SHA256
19c48bc91469e649fe22f02f24a4cf8821f08158e18829d8f5a6e3442952b6cf

SHA512
69b80795a5909b9bf054daed847f5193cefa3c52219c75a025ba52b572b416c787b58d544e883a8d5d16e7cd53400f2b4f521b62b9663fe6326734ba5ca04afe

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.1MB

MD5
b4503132bf6e00b7e760f342cfb26938

SHA1
7a7edf5a32d9d06a622abb5f8e6433b201f0baa4

SHA256
cfb0a2fd40f8afe2b0bd10b26670b22dc95a0b647e1797bcaac7a481fb174939

SHA512
5a00cfaa237497c993dda33d2db7b2f897ca97ac80d5033bc756016c305546f806066e9e0bc211a971d50a922b08ed5738b371a207f1f0c10b17db990e4999ad

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.5MB

MD5
90f62994f8656711949c73d23aa6ad8d

SHA1
9ac58518ee59f38d66750eedba084533b5cf5d62

SHA256
2140aa6819f55be038ccb7ab55808e35f8826107426d1b1dd80669b2a3ea1b5b

SHA512
e7aaa88cb87498b7af585b2eb572b83f99898349e2e75bfd1ddee0e1bdb2b7e8d96ef0d186bd5275fa65d1da7f8b81df6b232e48ff4161bed5914ce2082ebfef

Download Submit
memory/112-86-0x000000006F9A0000-0x000000006FF4B000-memory.dmp

Filesize
5.7MB

Download
memory/112-88-0x000000006F9A0000-0x000000006FF4B000-memory.dmp

Filesize
5.7MB

Download
memory/572-66-0x0000000006670000-0x0000000006A10000-memory.dmp

Filesize
3.6MB

Download
memory/572-65-0x00000000009F0000-0x0000000001164000-memory.dmp

Filesize
7.5MB

Download
memory/572-73-0x0000000005460000-0x00000000055D2000-memory.dmp

Filesize
1.4MB

Download
memory/1416-56-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1508-70-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-71-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-69-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-99-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1712-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download