aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
140s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/724-66-0x00000000063E0000-0x0000000006780000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1244 voiceadequovl.exe
724 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1244 voiceadequovl.exe
1244 voiceadequovl.exe
1244 voiceadequovl.exe
1244 voiceadequovl.exe

pid	process
1244	voiceadequovl.exe
724	voiceadequovl.exe

pid	process
1244	voiceadequovl.exe
1244	voiceadequovl.exe
1244	voiceadequovl.exe
1244	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1692 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 724 voiceadequovl.exe
Token: SeDebugPrivilege 1692 powershell.exe

pid	process
1692	powershell.exe

description	pid	process
Token: SeDebugPrivilege	724	voiceadequovl.exe
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1744 wrote to memory of 1244	1744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1744 wrote to memory of 1244	1744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1744 wrote to memory of 1244	1744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1744 wrote to memory of 1244	1744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1244 wrote to memory of 724	1244	voiceadequovl.exe	voiceadequovl.exe
PID 1244 wrote to memory of 724	1244	voiceadequovl.exe	voiceadequovl.exe
PID 1244 wrote to memory of 724	1244	voiceadequovl.exe	voiceadequovl.exe
PID 1244 wrote to memory of 724	1244	voiceadequovl.exe	voiceadequovl.exe
PID 724 wrote to memory of 1692	724	voiceadequovl.exe	powershell.exe
PID 724 wrote to memory of 1692	724	voiceadequovl.exe	powershell.exe
PID 724 wrote to memory of 1692	724	voiceadequovl.exe	powershell.exe
PID 724 wrote to memory of 1692	724	voiceadequovl.exe	powershell.exe
PID 724 wrote to memory of 1632	724	voiceadequovl.exe	cmd.exe
PID 724 wrote to memory of 1632	724	voiceadequovl.exe	cmd.exe
PID 724 wrote to memory of 1632	724	voiceadequovl.exe	cmd.exe
PID 724 wrote to memory of 1632	724	voiceadequovl.exe	cmd.exe
PID 1632 wrote to memory of 528	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 528	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 528	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 528	1632	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:528

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1540

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
251.7MB

MD5
1ddce5d375e55b2711ef81d778f72390

SHA1
54ff06df774db0a3071e485d8a5ffc16134efcfa

SHA256
ff483da44353c5357f7d652c73eddf95a91db0f35412689ef91825518c3c5e4c

SHA512
384c427a926682e467337593532ca07106cbf10546995bfcf47f03984d06c93b634e9db7274d870698de9ee3d8e8ea12abb68a94e6a14f20fd145958bd73f190

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
ed5cf8a2c3962e2d085e2f10f2a72cfd

SHA1
6877318daf00334abc6362dab739b689bfb9ff4d

SHA256
ae53bf9131309dd10f6c4fe2c7be16d72756734037039165e1723ffec7caf88e

SHA512
053a1a397c989b469bc240be7ce5292fdab1923013ef69616a7ba14e9ea2400763fc6ef72e7a88bac99fddd917ce6adf74b6d4b2e7335e923612a780bb6bacad

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
275.0MB

MD5
6724deacd99ba6defe515eda0b625a9a

SHA1
a1c5dc5c00ebd67d5e538f90f231d741fcc25d29

SHA256
99f0b70d63f4a8f3ce576dbdf10c7f33591296d059b9ac650aa1aa47a5dfd5af

SHA512
245eae54b51318c9b3092534b7ac26bb43c1adeeb26c1a011b66be01c0999df6b7b80720e9946b72fdfde4f657d9dc76922e723cbb0fa82a3531bb39ad8938c9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
279.4MB

MD5
8e1b3066cfbd4059e94134904614a086

SHA1
08cf1e45b14a919a95df2edbac7599aa2ed20185

SHA256
9d901b11aa8aaad74ce272e12a9da18ee0abd40f7d27efc70485251637982e7c

SHA512
8e4d2a958595c12af254400ef6984011b917b3a5582a97fd0a36f0555cdf41dc8b80bf896e5604e97678cac13bddb40b2c06ccd182c7f18cc879d89dbbc95d59

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
12.3MB

MD5
58ac57c055fe1070944fc8f1ed29ae60

SHA1
6b6a91796831676743cf1da0f33c90f82e21ac36

SHA256
8767944930ae9fe3df0c7309237eb8541b158d8e139727d686fde2207f620af0

SHA512
6e02f14da25f537851e9bef7db736910abaef8aeef3844ce4cb06f38aa7665c0533f5b586dafb0b5f05b6089ec351c2b848300b4a0264aefd70648c462365487

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
254.8MB

MD5
0c242edbbd7651c92fbb8723bbb8c1d0

SHA1
729e2af3a7c4c8dd7916c76c839ece112aaa21af

SHA256
30eb0d6249909373c573130626120e35f74163a7633cc75a14bd16fd8446104a

SHA512
550fcb5cf3e8c4b38ad94114472994ff9729c22869a68760dd386d6de396e4da262318a6856e11832f51f0573d63cda8b472018f0111e42346b2625e6a4a0d82

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
279.4MB

MD5
adaf3a252257a79ddd09676e72905be6

SHA1
58e82da08e66024df5cd3ce9091c8df2e47c7d59

SHA256
bb01235b196c50749b5d5ac749941749b382647593a67be5c5b77616cc776ae1

SHA512
a4130a858167702586a87c7e02676f5f4ff8201d8c9b0930afe086a02c1e791eda509f4d80dccdee8d40cbd64ddb479337ce2a0c3e96f1530a0ec06026b14392

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
267.4MB

MD5
4e696b7da43717178bbebadabf499782

SHA1
e56e1c727ab11accd101e7e0ffbd12ee80c30d63

SHA256
53727c08c81915532a8cf7fe0c4a320fbe100048a05b579fc697090cab9ca66c

SHA512
51418cfd2425d49398a9c54d5c5a24bbda12571d96ccd870ed5e471fc68389d51db55f06e018aed2e3c2b131e84bee46150f3fae85f41e657c0b5a8ab4d6fdea

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
283.2MB

MD5
5751ca04eec684ddbef1de3736bfafdd

SHA1
e26bf57853ee8c7e6cc8216b549c04da0a35b1c5

SHA256
560ca84a6e796e783f3aa400c9fd2931b9b4662685a20ed416ee25f2d98cd80e

SHA512
fa6077b181e31fc45c61ffadd68b89e604f4b62bdb453e0316db2f1600d4efe7c29c91d595723e89b84fd2b63019dd2ddf7c374da6de72b9c42718cb2e7c62ce

Download Submit
memory/528-74-0x0000000000000000-mapping.dmp

Download
memory/528-93-0x000000006FBE0000-0x000000007018B000-memory.dmp

Filesize
5.7MB

Download
memory/528-80-0x000000006FBE0000-0x000000007018B000-memory.dmp

Filesize
5.7MB

Download
memory/724-62-0x0000000000000000-mapping.dmp

Download
memory/724-66-0x00000000063E0000-0x0000000006780000-memory.dmp

Filesize
3.6MB

Download
memory/724-65-0x0000000000ED0000-0x0000000001644000-memory.dmp

Filesize
7.5MB

Download
memory/724-73-0x0000000005300000-0x0000000005472000-memory.dmp

Filesize
1.4MB

Download
memory/1032-96-0x0000000000000000-mapping.dmp

Download
memory/1244-56-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1244-54-0x0000000000000000-mapping.dmp

Download
memory/1540-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-90-0x0000000000464C20-mapping.dmp

Download
memory/1632-72-0x0000000000000000-mapping.dmp

Download
memory/1692-70-0x000000006FC30000-0x00000000701DB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-69-0x000000006FC30000-0x00000000701DB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-71-0x000000006FC30000-0x00000000701DB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-67-0x0000000000000000-mapping.dmp

Download