aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
129s
max time network
138s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/888-66-0x00000000065C0000-0x0000000006960000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1964 voiceadequovl.exe
888 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1964 voiceadequovl.exe
1964 voiceadequovl.exe
1964 voiceadequovl.exe
1964 voiceadequovl.exe

pid	process
1964	voiceadequovl.exe
888	voiceadequovl.exe

pid	process
1964	voiceadequovl.exe
1964	voiceadequovl.exe
1964	voiceadequovl.exe
1964	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1788 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 888 voiceadequovl.exe
Token: SeDebugPrivilege 1788 powershell.exe

pid	process
1788	powershell.exe

description	pid	process
Token: SeDebugPrivilege	888	voiceadequovl.exe
Token: SeDebugPrivilege	1788	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 1964	2000	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2000 wrote to memory of 1964	2000	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2000 wrote to memory of 1964	2000	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2000 wrote to memory of 1964	2000	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1964 wrote to memory of 888	1964	voiceadequovl.exe	voiceadequovl.exe
PID 1964 wrote to memory of 888	1964	voiceadequovl.exe	voiceadequovl.exe
PID 1964 wrote to memory of 888	1964	voiceadequovl.exe	voiceadequovl.exe
PID 1964 wrote to memory of 888	1964	voiceadequovl.exe	voiceadequovl.exe
PID 888 wrote to memory of 1788	888	voiceadequovl.exe	powershell.exe
PID 888 wrote to memory of 1788	888	voiceadequovl.exe	powershell.exe
PID 888 wrote to memory of 1788	888	voiceadequovl.exe	powershell.exe
PID 888 wrote to memory of 1788	888	voiceadequovl.exe	powershell.exe
PID 888 wrote to memory of 1624	888	voiceadequovl.exe	cmd.exe
PID 888 wrote to memory of 1624	888	voiceadequovl.exe	cmd.exe
PID 888 wrote to memory of 1624	888	voiceadequovl.exe	cmd.exe
PID 888 wrote to memory of 1624	888	voiceadequovl.exe	cmd.exe
PID 888 wrote to memory of 1328	888	voiceadequovl.exe	voiceadequovl.exe
PID 888 wrote to memory of 1328	888	voiceadequovl.exe	voiceadequovl.exe
PID 888 wrote to memory of 1328	888	voiceadequovl.exe	voiceadequovl.exe
PID 888 wrote to memory of 1328	888	voiceadequovl.exe	voiceadequovl.exe
PID 888 wrote to memory of 1328	888	voiceadequovl.exe	voiceadequovl.exe
PID 1624 wrote to memory of 1324	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 1324	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 1324	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 1324	1624	cmd.exe	powershell.exe
PID 888 wrote to memory of 1328	888	voiceadequovl.exe	voiceadequovl.exe
PID 888 wrote to memory of 1328	888	voiceadequovl.exe	voiceadequovl.exe
PID 888 wrote to memory of 1328	888	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1324
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1328
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:864
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
211.2MB

MD5
b5ceb4d996f33d5f4eb29c16e9134d13

SHA1
390761e833733ec908d1abb1b441994d6c938319

SHA256
b59539c78730ff39080f56cb28b6fb4884fa4e18d7a2ce7324a4cfa6296c6f05

SHA512
81bcafbdce72c28b611ad8fd18b2adb08386a5b71b9e297294ac911486840a392523b6e7565d438d434a41e59b7549ca8efba94300589d50186b9ae4ee9c8186

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
354.2MB

MD5
475f6a10a92d591bc2fff4883bedd95b

SHA1
28cc621c32df4fd9630b4a8925e1efc26868f226

SHA256
d04fc06901cc14ba2fd91773b260f8090dabb3262ab840b249c7438e05ce8140

SHA512
457d4af03289d051290346bcd39a087e0cd5327f6807b2098af62456e61e4f0b1d2ea9b016b1abcfbd5d970ad0d7c3f400886a3c1b878011880a01d74445a1ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
62d3b3371676600c59514bc3c12216b7

SHA1
5d1c72db837d451676907a0c606cb88136c2eeab

SHA256
2134653a64115d811f97e215fca35e323994c1423e0215636b935f11a7919247

SHA512
37ba9cf82f5756fd65ab909ace20764536513daeeb0b2082083a404d1724748ec92cee33e932553247eb3b2496f258a7efee7ad78e9a183d0e6ce82bc0006584

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.5MB

MD5
7e7b931a8527006f75e61111caf85ec3

SHA1
cb787d4244dbc08fbd990b281a84541c4639787d

SHA256
f972071d9504f3ba24ea0456e50f3e2451791d8548940a3b4c5d3528520ab836

SHA512
b46ead997f41c1275a57d2fba110a08beab470cef35db69b1f3bd8088f72803e8619a7b9c11c6938464e912019794e2950e402f33313d96e837224cf38da7749

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
264.4MB

MD5
a3fa70e6eae1edcc1a5e393fcb7f2ced

SHA1
c216181add65c44a5220b12217295cb8485e9b10

SHA256
cc68fbc390b803ef3eb3dc648b46b7a8d360f3e57d8317dba970463c690a12d5

SHA512
49db3f12825b405d1019b3b56e55860769841323ac1388292289dc020b2552325c89862fb6473e44fa1d60323f89ffad3ee13ee4309a1f3a4ef63a8c84156b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
30.1MB

MD5
e4fa68358cbde86bdd695254c46270f6

SHA1
1d014e5e4f14985ec37670fb44da47a6fbea880c

SHA256
d9546622cdf9d3e1b6d2243201b6b5808df5bb5a5e6d9c38ea1088501b148152

SHA512
1e5d76726e95ff44144341fde63590c1371741caf77680529c79d1e2f020b2caf7303e0751236ae4d732047ebf7293318610d002136fbcbd1a816aceb12b1253

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
274.1MB

MD5
7b6d7650a174f545a834fc9c6ce3d99b

SHA1
5e31bb95b86af522f13784d407075d54ea41153f

SHA256
f466c38a0e3b74d437e77e2fe58c4eea7fcec24086c075838ef3b5482f97c704

SHA512
94f57d8ef5d0e92648fc2473f8bccb3bbae22054f666a81a1cf8750157bf745f27e719ed2ed80b909cd914d00fc8af6388cc405c652c1f2b56273688a732b947

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
264.4MB

MD5
c2e1d1780f6038652ba2cba03c024634

SHA1
f1de8f8c641a772e83913b721be4aef6756850eb

SHA256
d3a26b8adccdab8a934338ab23ef4c30411fab7636534dba0695200d580765f6

SHA512
dcd2a3888dd9e315d3eba3be57e67e64b5c3d9039b99083df4ed5452f3964b4de4bf657853bb42da402a07042af6f4915a8f9dc61cda3f85692076e54d3b4a20

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.9MB

MD5
9587d5f90b198f5eb9f7db12fc9448cf

SHA1
6f115d5be96019ef1423daa77a29ac4392ccf14e

SHA256
44a30329ed9a454d18976abd0c2e813ca068c0a773cc6f1bf47292d80108ee79

SHA512
d6288b1f95887c17354c3380ecdb9a38680947fb31213fa8b7f42cdab439449248dbf115a2672702f510fc7182607994e8ffe75f635332ef41173a1127d970bc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.5MB

MD5
b5dc36aac74da74af29c8457eb9ee442

SHA1
a2c83b71255412056defd9269abfa4ed11b5dfd7

SHA256
56eaaa5b8b2a67f8ae193b6fbca6d8efe2c83dfa4290f14e0a6a504cdcfd63bb

SHA512
57099785b6c0acc6677d3b937917f3bfd5709afa32629e31bb47f56128d187a7ef17e7067e6e5e0a77d30ff3e5cb5fe975aaede54bcb6529fabb3750b5ccbee3

Download Submit
memory/864-95-0x0000000000000000-mapping.dmp

Download
memory/888-73-0x0000000005490000-0x0000000005602000-memory.dmp

Filesize
1.4MB

Download
memory/888-62-0x0000000000000000-mapping.dmp

Download
memory/888-66-0x00000000065C0000-0x0000000006960000-memory.dmp

Filesize
3.6MB

Download
memory/888-65-0x0000000000EA0000-0x0000000001614000-memory.dmp

Filesize
7.5MB

Download
memory/1324-76-0x0000000000000000-mapping.dmp

Download
memory/1324-96-0x000000006F2F0000-0x000000006F89B000-memory.dmp

Filesize
5.7MB

Download
memory/1324-89-0x000000006F2F0000-0x000000006F89B000-memory.dmp

Filesize
5.7MB

Download
memory/1328-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-90-0x0000000000464C20-mapping.dmp

Download
memory/1624-72-0x0000000000000000-mapping.dmp

Download
memory/1788-70-0x000000006F730000-0x000000006FCDB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-69-0x000000006F730000-0x000000006FCDB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-71-0x000000006F730000-0x000000006FCDB000-memory.dmp

Filesize
5.7MB

Download
memory/1788-67-0x0000000000000000-mapping.dmp

Download
memory/1964-56-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1964-54-0x0000000000000000-mapping.dmp

Download