aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
132s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/676-66-0x0000000006380000-0x0000000006720000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

2028 voiceadequovl.exe
676 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

2028 voiceadequovl.exe
2028 voiceadequovl.exe
2028 voiceadequovl.exe
2028 voiceadequovl.exe

pid	process
2028	voiceadequovl.exe
676	voiceadequovl.exe

pid	process
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1656 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 676 voiceadequovl.exe
Token: SeDebugPrivilege 1656 powershell.exe

pid	process
1656	powershell.exe

description	pid	process
Token: SeDebugPrivilege	676	voiceadequovl.exe
Token: SeDebugPrivilege	1656	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 2028	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1700 wrote to memory of 2028	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1700 wrote to memory of 2028	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1700 wrote to memory of 2028	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2028 wrote to memory of 676	2028	voiceadequovl.exe	voiceadequovl.exe
PID 2028 wrote to memory of 676	2028	voiceadequovl.exe	voiceadequovl.exe
PID 2028 wrote to memory of 676	2028	voiceadequovl.exe	voiceadequovl.exe
PID 2028 wrote to memory of 676	2028	voiceadequovl.exe	voiceadequovl.exe
PID 676 wrote to memory of 1656	676	voiceadequovl.exe	powershell.exe
PID 676 wrote to memory of 1656	676	voiceadequovl.exe	powershell.exe
PID 676 wrote to memory of 1656	676	voiceadequovl.exe	powershell.exe
PID 676 wrote to memory of 1656	676	voiceadequovl.exe	powershell.exe
PID 676 wrote to memory of 1580	676	voiceadequovl.exe	cmd.exe
PID 676 wrote to memory of 1580	676	voiceadequovl.exe	cmd.exe
PID 676 wrote to memory of 1580	676	voiceadequovl.exe	cmd.exe
PID 676 wrote to memory of 1580	676	voiceadequovl.exe	cmd.exe
PID 1580 wrote to memory of 1616	1580	cmd.exe	powershell.exe
PID 1580 wrote to memory of 1616	1580	cmd.exe	powershell.exe
PID 1580 wrote to memory of 1616	1580	cmd.exe	powershell.exe
PID 1580 wrote to memory of 1616	1580	cmd.exe	powershell.exe
PID 676 wrote to memory of 1852	676	voiceadequovl.exe	voiceadequovl.exe
PID 676 wrote to memory of 1852	676	voiceadequovl.exe	voiceadequovl.exe
PID 676 wrote to memory of 1852	676	voiceadequovl.exe	voiceadequovl.exe
PID 676 wrote to memory of 1852	676	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1616

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1852

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
256.7MB

MD5
fe74e8a740c47a65be265ade36ed4024

SHA1
e099f578bd94b4629453a83eb2c6ed9787e2122e

SHA256
e439e757c397a8b82cca6fbec022877f647aa1d0388cb7d1ed89e8a4451a1312

SHA512
a1817c2456daddc9b684907a5c68dd59bf92d83619a6a9fafed5a96bb94cb8bffcbf959e9ffec648585b9765e50fe4a5ba97b36a171cc2ad4cecdfaf134cb9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
421b6e0e5423c7fbbe23f4b6139a7a57

SHA1
f3d154cab377874643cd6af8df1542de1a4dd850

SHA256
593f2432ff73b52d2ceb6de5639342291c8764b1ecd8b040663da8b57262a025

SHA512
1e38f844d844f31a5371c3032682f66a1f911158cfc710b4be25aef6fc3f2f07d61fa2f195d9ce842e8cf81f963dad91c2e708d2a25de415442610bb550e2086

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
316.4MB

MD5
49f762797cad6c97ff83e814c1b6300e

SHA1
7b7833550c200185c44095be416d17183e6b78ba

SHA256
37ce718125eee396d75c42253665d07d94f395b1d5e2ad7a9c3c5893bbd0e7f2

SHA512
78fb3fe0b3bf68835a09be5e32e8f0cb729ac70c28aa9650711a1adef3938927cad288092efa419c0389e34fd8d07f8ec7e3405bc8d1a89d6ccb4fc3d2d6a8a5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
319.8MB

MD5
15cf46cd95c4453413e5b64903f2e9f6

SHA1
9592a5c5596015a1a22ced9c3d810d14ff0da3c3

SHA256
a96c74af71710c338064a03064eb83eee2435537aa69521cac9e4c1d097a58da

SHA512
22ef6d6f577800982ae10ed66114170d2fb17cc7c172a69110a5816be321c860d432f9018d8836bafc4b13043b6e141b2aace533913633c59bc629b29de96792

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
31.2MB

MD5
0413e4d7480a9d63c5c787761e28157f

SHA1
28361aec99610dcf72bcaf766f40862470665828

SHA256
6efce18268f39ce550a04fbbe05929f0f8612db8787b267d8699e77b9e7d76a2

SHA512
65b08ad6df7c931624e584297f39a008189d332122061801327ca3e7de6f1a7844443592a90126f8b76f4368f2ef01cddec5ac5d61a050d6a4c6b83cb7fab13b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
318.6MB

MD5
2c02263d7006696070bf5ed891ab8178

SHA1
042ada3d820aea551f78ea574253991ecfe8d356

SHA256
c7d30a06534c5b0a41672837848e639c54d317131083de6c4433bfceddfd036c

SHA512
f1f462c3ff1b2a67c080f26497a46c22a1944d916bd2a14efcbe10536ccd7e007953c754d03e618ff761dc6e08df1c128a1f17165413167b22109e7d054ea6ee

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
325.5MB

MD5
e9275f355b41a80aad8a915756613cd5

SHA1
b318b2f418da84ecbbb4e22e13b4ab68f127867f

SHA256
9f372e97306f4437e05af113c1285e5b99919162bc99335d04dc5e9c8adeea66

SHA512
9bdc836eb4cb1b755d28d3f620072b4c817cc81c7c9e8929bb9e99637c10afd034f5d52395e41720b3d650eb83deb351ffed10c4027e4a75b7d202cc9bb85e64

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
317.9MB

MD5
2aa16aeb8941b91a67fe4c9540e7a050

SHA1
99b3fa9d77c360ff8fca2f2664a0fc198ab77893

SHA256
416678fd848e92439b6a94e275649ff085497cbd4cbe44927faa234792552da5

SHA512
e61f739b22aee60cfaf45e6352d91b5c01c64cb71b2dccb19d8b9ba7d427f2a3b9d523cbc65f48d372109cb4162a1fc0409f5231fe3395a714be49eaedfcfd3d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
281.9MB

MD5
4625217e6d1bbc4f22d1d6355ebcaac2

SHA1
b4a0358698fbe6c315a449ad9497d2dd7b47ea6e

SHA256
0472bb12a72310a67861ad7b129627f261dc76ccccef7457ea7c872b6e8e33e0

SHA512
6313befcdf76d3f9d56f4bb041a7391432f9ada39a41a2730c4042027f0cb373fa91b663ef68340d8dff050cc8ec314b8999a9c99383491d667a2b2544202759

Download Submit
memory/676-73-0x0000000005280000-0x00000000053F2000-memory.dmp

Filesize
1.4MB

Download
memory/676-65-0x0000000001190000-0x0000000001904000-memory.dmp

Filesize
7.5MB

Download
memory/676-66-0x0000000006380000-0x0000000006720000-memory.dmp

Filesize
3.6MB

Download
memory/676-62-0x0000000000000000-mapping.dmp

Download
memory/1544-96-0x0000000000000000-mapping.dmp

Download
memory/1580-72-0x0000000000000000-mapping.dmp

Download
memory/1616-74-0x0000000000000000-mapping.dmp

Download
memory/1616-87-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/1616-82-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-67-0x0000000000000000-mapping.dmp

Download
memory/1656-69-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-70-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-71-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1852-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-91-0x0000000000464C20-mapping.dmp

Download
memory/1852-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1852-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2028-56-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/2028-54-0x0000000000000000-mapping.dmp

Download