aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
77s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1752-66-0x0000000006420000-0x00000000067C0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1732 voiceadequovl.exe
1752 voiceadequovl.exe
580 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1732 voiceadequovl.exe
1732 voiceadequovl.exe
1732 voiceadequovl.exe
1732 voiceadequovl.exe

pid	process
1732	voiceadequovl.exe
1752	voiceadequovl.exe
580	voiceadequovl.exe

pid	process
1732	voiceadequovl.exe
1732	voiceadequovl.exe
1732	voiceadequovl.exe
1732	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1752 set thread context of 580 1752 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

900 powershell.exe
1688 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1752 voiceadequovl.exe
Token: SeDebugPrivilege 900 powershell.exe
Token: SeDebugPrivilege 1688 powershell.exe

description	pid	process	target process
PID 1752 set thread context of 580	1752	voiceadequovl.exe	voiceadequovl.exe

pid	process
900	powershell.exe
1688	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1752	voiceadequovl.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1412 wrote to memory of 1732	1412	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1412 wrote to memory of 1732	1412	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1412 wrote to memory of 1732	1412	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1412 wrote to memory of 1732	1412	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1732 wrote to memory of 1752	1732	voiceadequovl.exe	voiceadequovl.exe
PID 1732 wrote to memory of 1752	1732	voiceadequovl.exe	voiceadequovl.exe
PID 1732 wrote to memory of 1752	1732	voiceadequovl.exe	voiceadequovl.exe
PID 1732 wrote to memory of 1752	1732	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 900	1752	voiceadequovl.exe	powershell.exe
PID 1752 wrote to memory of 900	1752	voiceadequovl.exe	powershell.exe
PID 1752 wrote to memory of 900	1752	voiceadequovl.exe	powershell.exe
PID 1752 wrote to memory of 900	1752	voiceadequovl.exe	powershell.exe
PID 1752 wrote to memory of 1588	1752	voiceadequovl.exe	cmd.exe
PID 1752 wrote to memory of 1588	1752	voiceadequovl.exe	cmd.exe
PID 1752 wrote to memory of 1588	1752	voiceadequovl.exe	cmd.exe
PID 1752 wrote to memory of 1588	1752	voiceadequovl.exe	cmd.exe
PID 1588 wrote to memory of 1688	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 1688	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 1688	1588	cmd.exe	powershell.exe
PID 1588 wrote to memory of 1688	1588	cmd.exe	powershell.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe
PID 1752 wrote to memory of 580	1752	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:580
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1660
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
287.1MB

MD5
f861edb7d58c3d41458713daf9383f0d

SHA1
bd9fbc9b4d64279ef2fa313f30b30bc404573bd9

SHA256
0d8daf79275d9b5b966e9a17f2f357218cb072ed00f90b13656f062bc55150d5

SHA512
df97e95903a11b58229d3de29c75ce286f1ee3b1e7cc3f3c8a1dd54cbd903afaedb97160940accfc7b1553d15ec9715cbbfc2eea44c0d8cd954ec768f69d55e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
284.5MB

MD5
23b5de21b0768647341f9e726bd30098

SHA1
71ea478776d13ceb2f082c66ee812cdaad5512bf

SHA256
04f2f6fff4cb0a2898642f0f0a9c147a1de3a77f9d7b5840386928adf313a08c

SHA512
1ec52d8071a9f959695b20e5834cc2dc4ed768548a7178e2a472bcf6c04d3bcc7b93d4c35bc57d245a39b740919a3313dd8621407e094cae47cf40ed66f97333

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c0188070385be9c21c920b20d15f4832

SHA1
c20ad0c8fe77cbea9d5780f64b0f0ca20b4233e8

SHA256
d5377732867b8f55afac7f7d81858042b75061b903d57471f870b99f8254ebfa

SHA512
64b1d465120af2b5d097d59eaf78d2f5f477d4b21ae1230d77728dc60546e0177b1b08dcef893296840a645ec62304f260b701a7ade04b4b35dbab46b5c0af2c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
253.1MB

MD5
506b79636067f517256bf6ea9374a359

SHA1
28bd29981492f27ab2f009094a4090ef686d199e

SHA256
d5ba8fc93aac396e5b1cb025ef65812a9b744f580a4d63db22b578c68dcf377c

SHA512
f0f43a26969fac590879415f441da72a3562759626717063ae57a12f84c0201e10858413593932be6ed6feff40204c8c8cc0654ba92468d9a02df302a4f68fea

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.1MB

MD5
e1f5a683c987a88fd39f0245a54eae87

SHA1
31f12b8ab290496a8229ec3a896e2c5e56d167c8

SHA256
1f8a6fe3cffcbdafe34e759cbc2e2696010e38eb15145fc2a6abf0c432142a48

SHA512
da0557d1c10aa38b53945a3aac2bbcfc903b762ee96312f6949f98de76c848e94225d4805a13fc830630592302811bc67936c3a3044845916fd20ff449378e09

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
124.8MB

MD5
a354ced6b9ff95e2eb9397f53ba521f9

SHA1
1552f80f0beb8977f13e64a14bda6dd0d1870348

SHA256
4d11694378458611bb055ac3bd8d136f5dd1e1ae0399bc0bd460b5f02cd08d70

SHA512
0cddad7d56939700eecf617ffcf032aabecd71396314f742a1a7b3898e2f1a64aff8f5b0bcb6213230b63f8a24b06e39918f61cba1687769263e64f7fe61a9ff

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.0MB

MD5
4d6ec5ee9394ef8141a6dbc94ab0005e

SHA1
2b322622083bd85173553d9a26347a779db7f48f

SHA256
fe12d13a720ca9f67d4bc8f94f89911668a77dd4c62c56f349520af858266da1

SHA512
ddd83f2323dbe443bfb8cfdd1b7473baccea6097b6c1e03be33166e588fb74467d7eeb2877324bf3c0db2e676c78f350412561b65f24c782ebb7bca9b4b42324

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
251.8MB

MD5
0a20860b0759550d54757c248af5b950

SHA1
1995fb62ec7c76cb39317ffdde0137498689336c

SHA256
a528253915a164a3165e9a954cc7d3451d1e88bc21cac169dba686bf41b69614

SHA512
6cee1743f17bc7ed07127c2440824d25b6ea5fd03a42e683bb2b95176817caf0b2d46777c4d5fe5a6e51d73981a7ad45b17eb19c02e358cac607fb8ca659aadd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.6MB

MD5
4128c945979fcc27ae145621da3ef79e

SHA1
939d76c1c7c8c051955f064e6f87e9a71df0e1e7

SHA256
5dc48355d105c0d180265c432428af83eb12710e80f87c861f4cc98e7ec6ba97

SHA512
c5df8b466840bbf32e31f99d413fde64c252848625a0dd405d9e70a37c06d045804f169f2d338ab75718bfa107acd913ff0bcb7705b7adc2904fe37d1e2be7ad

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
257.0MB

MD5
6b8d779a2014f60918ad661c1ab7f238

SHA1
e84139c854e501b61504afc28018525ca9c5f0a9

SHA256
2a3fa1df8b67a7226cc1100a532c164ec157e98880d477a0cda4e3f46222af8c

SHA512
3e6f4aebe8230d76f21a054a26de5baf1a42181c1097f50548bbf11461724d18207ba9172ec5beb02a5f95d64567abd51a10ada81b29852604dcd03a26f8acc8

Download Submit
memory/580-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-90-0x0000000000464C20-mapping.dmp

Download
memory/580-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/580-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-67-0x0000000000000000-mapping.dmp

Download
memory/900-69-0x000000006F260000-0x000000006F80B000-memory.dmp

Filesize
5.7MB

Download
memory/900-71-0x000000006F260000-0x000000006F80B000-memory.dmp

Filesize
5.7MB

Download
memory/900-70-0x000000006F260000-0x000000006F80B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-72-0x0000000000000000-mapping.dmp

Download
memory/1660-98-0x0000000000000000-mapping.dmp

Download
memory/1688-85-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-91-0x000000006F210000-0x000000006F7BB000-memory.dmp

Filesize
5.7MB

Download
memory/1688-73-0x0000000000000000-mapping.dmp

Download
memory/1732-54-0x0000000000000000-mapping.dmp

Download
memory/1732-56-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1752-65-0x0000000001050000-0x00000000017C4000-memory.dmp

Filesize
7.5MB

Download
memory/1752-62-0x0000000000000000-mapping.dmp

Download
memory/1752-66-0x0000000006420000-0x00000000067C0000-memory.dmp

Filesize
3.6MB

Download
memory/1752-74-0x0000000005420000-0x0000000005592000-memory.dmp

Filesize
1.4MB

Download
memory/1772-96-0x0000000000000000-mapping.dmp

Download
memory/1800-99-0x0000000000000000-mapping.dmp

Download