aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
117s
max time network
139s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1228-66-0x00000000063E0000-0x0000000006780000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1352 voiceadequovl.exe
1228 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1352 voiceadequovl.exe
1352 voiceadequovl.exe
1352 voiceadequovl.exe
1352 voiceadequovl.exe

pid	process
1352	voiceadequovl.exe
1228	voiceadequovl.exe

pid	process
1352	voiceadequovl.exe
1352	voiceadequovl.exe
1352	voiceadequovl.exe
1352	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2000 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1228 voiceadequovl.exe
Token: SeDebugPrivilege 2000 powershell.exe

pid	process
2000	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1228	voiceadequovl.exe
Token: SeDebugPrivilege	2000	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 2036 wrote to memory of 1352	2036	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2036 wrote to memory of 1352	2036	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2036 wrote to memory of 1352	2036	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2036 wrote to memory of 1352	2036	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1352 wrote to memory of 1228	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 1228	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 1228	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 1228	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 2000	1228	voiceadequovl.exe	powershell.exe
PID 1228 wrote to memory of 2000	1228	voiceadequovl.exe	powershell.exe
PID 1228 wrote to memory of 2000	1228	voiceadequovl.exe	powershell.exe
PID 1228 wrote to memory of 2000	1228	voiceadequovl.exe	powershell.exe
PID 1228 wrote to memory of 1540	1228	voiceadequovl.exe	cmd.exe
PID 1228 wrote to memory of 1540	1228	voiceadequovl.exe	cmd.exe
PID 1228 wrote to memory of 1540	1228	voiceadequovl.exe	cmd.exe
PID 1228 wrote to memory of 1540	1228	voiceadequovl.exe	cmd.exe
PID 1540 wrote to memory of 1416	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 1416	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 1416	1540	cmd.exe	powershell.exe
PID 1540 wrote to memory of 1416	1540	cmd.exe	powershell.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe
PID 1228 wrote to memory of 828	1228	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1416

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:828

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1720

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:1692

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
291.8MB

MD5
70d250bb6090711453d967e03eae81bd

SHA1
86d032ec92dc8811e532d6893266b9ae7f2da6a4

SHA256
f76222e0958b2a71aaa0571666b889c2ddfd724f997ec5be6e40fd14595daaa3

SHA512
8a97d708337ce58efb4024f10f8aeaa48d54ee19eca01e59c1949c0e2b8666581012cd9e286008683b8e171388980d5fefcc00ff5b167bac39486dc3a54dc644

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2d6df5aa1c48c34b7981372b7009bf01

SHA1
101ddff4d63525f12587c9cf41fa10c9b22223bc

SHA256
1c95eb562be8dc5a6679c6447648ec998899b7a9e7ef291cd08d1b109ed58323

SHA512
d832330bfaba51ed454b179990a1e7bc82d88d915e2bea6df94f53d756d242a22d389ae00950f9a69a09c999112a0cad5d38e2bb3eb9e85d779fd04b02a1c541

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
236.5MB

MD5
8aeac8fc7129c2b21909a97f717fa1b1

SHA1
c30577e8d0af3b5b9ff012bba0a6bef74da7f5b0

SHA256
6fc5b27ecf6a6878527dcdf3c99cbf45634c8ab0534ae09ca2bb052dcd5e5ef0

SHA512
2bc088a73c535b995a7e7db86cf8f6ed10673103c135822e84cb8c44228c5710e43d436a15837b21a03879e9fe2b97dbe4563325cc6506c030d269c9d2a8e4cf

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
221.8MB

MD5
90e7c8111992d356c60975cf0907f333

SHA1
bacef1cad47e4cc3623813848dbe7a12ed5ab260

SHA256
7cd61473450b9b764bbabb1fc1f5ba2c03ac05a52b211cc168fca87c4875b684

SHA512
e2e0a251a72718bf38c4ca1f2194405908b52e75466adf09860c1ba444d6290bda928802c308c0cbdf0a24c5c39cfc6a84f923e270b11dc5194483d3ac10fcae

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
59.3MB

MD5
35de8c3eb20053932049e54399235b4a

SHA1
98ea098817bfb15466eb4088166cade0d38294c5

SHA256
6d7483f46878a95a280f970cc61ebc0ad1debf9ad62d5f76733ebd7f7946b82a

SHA512
e903d2ff88f8c05db53a05a113058a7ff9fc0fabe620067a2d80d26237a5f2cd952539539edd52106579b98b621e8e92c7dbc97d50c458d590da51c721810482

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
237.8MB

MD5
da1d91a6ccac6d8060299085659f9626

SHA1
32c61dfd38967c757fe48318a3c8760df1ac559b

SHA256
570c96288ef4630242b68295b34bbbbd23ebf41aeae09188a03ecf74c367e7f1

SHA512
3b57db1d1b8c68eb2d84792ab1c8e120b5d0b89d056b9facd71e973ca985858ed66fde9c7f51f67a869bcf09a42ab7ad8716f81ba1f0bd6123b708ddd8879c23

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
237.6MB

MD5
0e86ee20bddc39a11ac9add907f98c16

SHA1
d9c24805e7a5bd738c566790e0b4c20bde94fbd9

SHA256
fa0bbec3a7bef86b3ce647c528ec12bb7a0b32c0702a91335158fce2d7862898

SHA512
244a8392c3983d57d84280775e5c36fe8fdf7f2fed87fc74df25a9fe5bf8611e07c289bf9a4d6aef6cbf0cfff6740b1d09c22e3e890b9904fa832e80be2bc38b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
236.7MB

MD5
9eda6b93efb23ba824183eeec191a3a1

SHA1
1ff3cfed2b6f74c569adc92214e18713417e6d0b

SHA256
44c5e354c532dc475553147b9ced35b30455b34aed930efd33268016759c9436

SHA512
aff0179d8a3eb4d16aadfda0438ef7ae6c004008c6e824d56f0f0238ff86129d19761de90e91aec4d90ce3538d291a72ec58fb422d553e246770c9d660999022

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
227.9MB

MD5
cd92ee76056bf286d9e9bb528aba47b4

SHA1
82656b07ec948a036d3f561d02e50e80d74fa93e

SHA256
ba5b9e402e6456f94bd986ed46198d377c91cc77f9fc5d01f3dae60a55fd3a89

SHA512
3492e982de3c267a2d9a920cacde7d4162db727672dbf232781402e9c35f0912a978838032281bd11d039b24881543e83e8ed149ddfaf39722080df0b63a4e0c

Download Submit
memory/580-100-0x0000000000000000-mapping.dmp

Download
memory/828-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-89-0x0000000000464C20-mapping.dmp

Download
memory/828-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/828-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1228-74-0x00000000052B0000-0x0000000005422000-memory.dmp

Filesize
1.4MB

Download
memory/1228-66-0x00000000063E0000-0x0000000006780000-memory.dmp

Filesize
3.6MB

Download
memory/1228-62-0x0000000000000000-mapping.dmp

Download
memory/1228-65-0x0000000001180000-0x00000000018F4000-memory.dmp

Filesize
7.5MB

Download
memory/1352-54-0x0000000000000000-mapping.dmp

Download
memory/1352-56-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/1416-73-0x0000000000000000-mapping.dmp

Download
memory/1416-93-0x000000006FE50000-0x00000000703FB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-95-0x000000006FE50000-0x00000000703FB000-memory.dmp

Filesize
5.7MB

Download
memory/1452-98-0x0000000000000000-mapping.dmp

Download
memory/1540-72-0x0000000000000000-mapping.dmp

Download
memory/1692-99-0x0000000000000000-mapping.dmp

Download
memory/1720-97-0x0000000000000000-mapping.dmp

Download
memory/1976-96-0x0000000000000000-mapping.dmp

Download
memory/2000-69-0x000000006FE90000-0x000000007043B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-70-0x000000006FE90000-0x000000007043B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-71-0x000000006FE90000-0x000000007043B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-67-0x0000000000000000-mapping.dmp

Download