aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
127s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/564-66-0x0000000006580000-0x0000000006920000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1716 voiceadequovl.exe
564 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1716 voiceadequovl.exe
1716 voiceadequovl.exe
1716 voiceadequovl.exe
1716 voiceadequovl.exe

pid	process
1716	voiceadequovl.exe
564	voiceadequovl.exe

pid	process
1716	voiceadequovl.exe
1716	voiceadequovl.exe
1716	voiceadequovl.exe
1716	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 564 set thread context of 1244 564 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1676 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 564 voiceadequovl.exe
Token: SeDebugPrivilege 1676 powershell.exe

description	pid	process	target process
PID 564 set thread context of 1244	564	voiceadequovl.exe	voiceadequovl.exe

pid	process
1676	powershell.exe

description	pid	process
Token: SeDebugPrivilege	564	voiceadequovl.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 748 wrote to memory of 1716	748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 748 wrote to memory of 1716	748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 748 wrote to memory of 1716	748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 748 wrote to memory of 1716	748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1716 wrote to memory of 564	1716	voiceadequovl.exe	voiceadequovl.exe
PID 1716 wrote to memory of 564	1716	voiceadequovl.exe	voiceadequovl.exe
PID 1716 wrote to memory of 564	1716	voiceadequovl.exe	voiceadequovl.exe
PID 1716 wrote to memory of 564	1716	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1676	564	voiceadequovl.exe	powershell.exe
PID 564 wrote to memory of 1676	564	voiceadequovl.exe	powershell.exe
PID 564 wrote to memory of 1676	564	voiceadequovl.exe	powershell.exe
PID 564 wrote to memory of 1676	564	voiceadequovl.exe	powershell.exe
PID 564 wrote to memory of 1624	564	voiceadequovl.exe	cmd.exe
PID 564 wrote to memory of 1624	564	voiceadequovl.exe	cmd.exe
PID 564 wrote to memory of 1624	564	voiceadequovl.exe	cmd.exe
PID 564 wrote to memory of 1624	564	voiceadequovl.exe	cmd.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 1624 wrote to memory of 1052	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 1052	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 1052	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 1052	1624	cmd.exe	powershell.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe
PID 564 wrote to memory of 1244	564	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1052

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1244

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:276

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
PID:1908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
344.9MB

MD5
fcdf9facc863b8e726c64e0e85f3ce39

SHA1
200b45cc766370fb8b9cd5449fb545c4e817e1fb

SHA256
27a7c791bf891add02b635098e2adb457e53d007fefda72b59ae3e77b60ead70

SHA512
0c6c2fe7cd9faafd081a450f2493b0d424f6fd16a5d466b33b71030927c1909c81785edee5594b0e3cf16d5d9d1c5c01478abe906982bfa7849dcfd4ad8320e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
329.3MB

MD5
e67d094745c11f7bdb59a923ebac2cba

SHA1
deb11d7ab8d431eae6624a8a667adc91478857b3

SHA256
26c5f2310c5f44cb5347047d4dde314fa6bc629c5306f0a16e15699ed740588e

SHA512
bf497d7a6918a8834686cf6483f759168b1dfbcb4cf6a78838f10905adf5033922efebdc2e5832fc9c268558ff6574b5b274147c410d24e5f57f4bb875f9627d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e4f70c853b68f0d9cda4d47949b35cb8

SHA1
b8b6cd13a8c499c47272c1873e4bcb9b08665fa4

SHA256
2804b890380a348cb14a26f1e2421ecb4ef94b44c2db5fd16c025a3e7e48ce89

SHA512
71ce9c3658405955661d1eacc2894545116a3455819bc6e4cd1c1fb9178d0f5bc6b72d971e0501c6ed22504819a12176bf6ecf1c3bc89e51c1d3dfb9b4ff183d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
290.2MB

MD5
1b6734b6065a2aedc718dac098cb7ab8

SHA1
7ac104affc28914ffcf034686e9d27b6f64dea21

SHA256
8c07e69832d0886bdf8fee7d83ff8392a3e855c66258aafccb26dc7db6ba640c

SHA512
89438959dce5c4e30e86ec26c9530c9876d21ccc640edcda512f836818b902b2bb46f6c6193a4f63cb45ce42a3ddf736d932a04877691bc070d820a3b4387fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
295.1MB

MD5
64a3beab6696ef086221bfc486b3c9d4

SHA1
b8d36c8ec26276811a8495501685e0aeda38ce55

SHA256
996b96dd7a93b0d9afdc8d88d05a54efc83067d8752527fc6f2ac42e00567a0c

SHA512
6723c5929762d9216ffd138897fe995ff7ab85cc914566ba88d1a7359eda2b9384dd10636125af4a3dd0c94880554247b9d4aeba54c6f7cf3f7dec9c36bd65a7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
43.7MB

MD5
f8086839296a7172d76d7e1537e4ef3e

SHA1
4b26012c94029366a54b54b44297d87185e4feea

SHA256
dea708e3ce09bc31c2a77adbc1aee639f1290cee0b1a4015c1d15177478e0a33

SHA512
415dcc89c6e41e1803920834d01efe20c2776b43f1e29c571b2ecd300df8a0042d2f1a13740e526b761662e12191d1d4866970e2116e3aa49b469475e90daf2a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
303.0MB

MD5
57e8157c9f01a8516b67753718fb1c32

SHA1
10c5003cb816b1091a1e321d77ff4d5e42fdf221

SHA256
7181c2d3cf9452a49bfc41140a98bea85d39b3143e25189139cdff1854394e10

SHA512
29af36ea9211f9523b5ddb4d5b124ea65fae35561267ca0cc2cdfc512fb109328530a98f3f87adb17780404daef47c6dd1be93175067b89c8237d883e564ffba

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
303.6MB

MD5
b62de86a6b9b969135b59acf65fd7e97

SHA1
3d30d820e85f706a425e16920df6d0f5433770b3

SHA256
bda99b1c0e28afd662b761578e944d046d421b6170076ec2a1433ca5c3530541

SHA512
f563dc509eecbae08809840be944dcdf562d0d127ca10e6ed011e2f31c4c01c02270b87f158aebd552fc6a3a9a4607b911283c5e4e8cd2b3737a0ab1f97239d1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
302.0MB

MD5
25b642f5d70cb3373a1f5b810dfb822c

SHA1
0912e90a3fd50a6a9673d2ef544a1b26f4ea3c63

SHA256
03e33070e624756266ff54cf1f4c8a5abf729eb5b8c811edd6fa970e0eee2e57

SHA512
8234a8cb62c9d3ce3666c8691c5ded300d2bbb7d70fe4cb24c4e1eafc49e7449cdef3a68d50404ef57c91111d3f41e56c645239da2bc960f3a7dc4c9683237ba

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
303.3MB

MD5
6dfc0fefa4b467533c0184f8dcd83ba3

SHA1
55caa6aeb8b64d3f539bde9d0f2e9f0d63411f0c

SHA256
3eb54ed0525ba2dcc6e4533a612caa5ea7e9a383d0cc7b89f5420db90cc3bf18

SHA512
ffb056cfddad8d68c1c38985ae51edc7043509822e54701327df79de80228e22b78b5457db5df62b8cbe63f8a44a466ee4af668c4dbcbbe10afe9156bac15f89

Download Submit
memory/276-97-0x0000000000000000-mapping.dmp

Download
memory/564-73-0x0000000000F80000-0x00000000010F2000-memory.dmp

Filesize
1.4MB

Download
memory/564-66-0x0000000006580000-0x0000000006920000-memory.dmp

Filesize
3.6MB

Download
memory/564-62-0x0000000000000000-mapping.dmp

Download
memory/564-65-0x0000000001320000-0x0000000001A94000-memory.dmp

Filesize
7.5MB

Download
memory/1052-76-0x0000000000000000-mapping.dmp

Download
memory/1052-96-0x000000006FC90000-0x000000007023B000-memory.dmp

Filesize
5.7MB

Download
memory/1052-95-0x000000006FC90000-0x000000007023B000-memory.dmp

Filesize
5.7MB

Download
memory/1244-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1244-88-0x0000000000464C20-mapping.dmp

Download
memory/1624-72-0x0000000000000000-mapping.dmp

Download
memory/1676-71-0x000000006FD40000-0x00000000702EB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-70-0x000000006FD40000-0x00000000702EB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-69-0x000000006FD40000-0x00000000702EB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-67-0x0000000000000000-mapping.dmp

Download
memory/1716-54-0x0000000000000000-mapping.dmp

Download
memory/1716-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1908-98-0x0000000000000000-mapping.dmp

Download
memory/1924-93-0x0000000000000000-mapping.dmp

Download