aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
136s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1488-66-0x0000000006410000-0x00000000067B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 4 IoCs

pid	Process
2032	voiceadequovl.exe
1488	voiceadequovl.exe
1084	voiceadequovl.exe
1556	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2032	voiceadequovl.exe
2032	voiceadequovl.exe
2032	voiceadequovl.exe
2032	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1488 set thread context of 1556	1488	voiceadequovl.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1428	powershell.exe
1488	voiceadequovl.exe
792	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	voiceadequovl.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 2032	1776	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1776 wrote to memory of 2032	1776	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1776 wrote to memory of 2032	1776	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1776 wrote to memory of 2032	1776	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2032 wrote to memory of 1488	2032	voiceadequovl.exe	29
PID 2032 wrote to memory of 1488	2032	voiceadequovl.exe	29
PID 2032 wrote to memory of 1488	2032	voiceadequovl.exe	29
PID 2032 wrote to memory of 1488	2032	voiceadequovl.exe	29
PID 1488 wrote to memory of 1428	1488	voiceadequovl.exe	30
PID 1488 wrote to memory of 1428	1488	voiceadequovl.exe	30
PID 1488 wrote to memory of 1428	1488	voiceadequovl.exe	30
PID 1488 wrote to memory of 1428	1488	voiceadequovl.exe	30
PID 1488 wrote to memory of 924	1488	voiceadequovl.exe	32
PID 1488 wrote to memory of 924	1488	voiceadequovl.exe	32
PID 1488 wrote to memory of 924	1488	voiceadequovl.exe	32
PID 1488 wrote to memory of 924	1488	voiceadequovl.exe	32
PID 1488 wrote to memory of 1084	1488	voiceadequovl.exe	34
PID 1488 wrote to memory of 1084	1488	voiceadequovl.exe	34
PID 1488 wrote to memory of 1084	1488	voiceadequovl.exe	34
PID 1488 wrote to memory of 1084	1488	voiceadequovl.exe	34
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 924 wrote to memory of 792	924	cmd.exe	35
PID 924 wrote to memory of 792	924	cmd.exe	35
PID 924 wrote to memory of 792	924	cmd.exe	35
PID 924 wrote to memory of 792	924	cmd.exe	35
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36
PID 1488 wrote to memory of 1556	1488	voiceadequovl.exe	36

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1428
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1084
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f3ad714f75973c0bef203998144c3694

SHA1
06b59f4460ba3541fd15ffc7f39bd3d8f1a034e3

SHA256
23b32d87b662d85938e9debf6eacb6d7be0417927b6b328b66800bd22e8e79e0

SHA512
130d1f32cbc9234e790e60f7f823006221d393b6fa088fa255f58cf87ac9015001b485bcfa5448a6703359450e6fb49072ac404f83e37de041f40f4a53c83213

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
199.3MB

MD5
d29611c72a97f96d787b0d021ffbb412

SHA1
b67b460255f9e49a9f9963ba745aeb57d4cbcc5b

SHA256
2aeb6348d950606c7cac7b7ef8828edf770ff93694de1e5f9631694fad96fb9c

SHA512
9523d587de5050aaf533de5790c96c4e0486191a65f8dcdd23735426fa7ca97bc240d8f5bb1bdce9efa885e1d7adc7625f8b4c05536c10ec33ab9323f1ff71f5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
201.2MB

MD5
3757d308c012da2344c827540d035cb2

SHA1
e8e23cee83f0b8728388572ccf2d6196cd9d0ace

SHA256
c97b572dcbd666e0fe2695be0464a8d58bc3a74a5157a492573306fd11ad48e8

SHA512
800727ad161a5e5fc8819e4e5ac91305ff83727b818ad3a113b7980252ada1a62a3761fe6ec3994033c33159e9491880e52c51112809c0b6f0d2175c210f492c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
29.6MB

MD5
82f4215878313f4ce1e44c42f595ed1b

SHA1
9a4abf7d268619bd1c5aaaeb7bdaef88d47ea171

SHA256
158430ad92ce2deefaa4412cf736c8890234a8b396ad36a1bdc229355e8b93da

SHA512
0d4c926c945633a95e5205058994fb28936670f71b99781052d0808e6cad0e186b8ae98200fcd08091c66ce9cbb2c74f7368e112a807bc7d3d79afd1a7ae8b94

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
26.8MB

MD5
95098533f71b469bd3ea24fdc23422f4

SHA1
e79fef416cd6ef955211f90c1703671c05155753

SHA256
082df32d34da3538fcd27392727cdec4d80b7c7b5fecea2c9ed79ad2ad6d0bbc

SHA512
0341fee9a7090e5f291ba8c73c755aa81e32d5088a4d5524a8089048c5dd93c4770f36f87c1f8d8dd3f8f798e8f09bc9632f00036b60085eb215d396dca54eeb

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.1MB

MD5
0fedd507ac73a8d01232c663c392b045

SHA1
2976ce08ed829397b186f1aaad877d0f28449c34

SHA256
bdfcc6190e2e011057c7572cb6b59623dfc0587b8952a5e97a4812391f323a63

SHA512
8a3ea558eaa2a8d73697d9092137f21ce251eb63c71da9b0859b4723008e7c492798aa67085a0529ea5cd8ef336f98257c9ce1d6be6e8e1831b273f7719b9321

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.2MB

MD5
585edf44154d6f55d2a673d9ac45e3af

SHA1
8fafac4f74ab57d5c0657ab4872654efca968f3d

SHA256
42c68251b21cc16ae5a90bb34a0fdaa0c6922a416bd4f0e1e10291a6af022a38

SHA512
2cc0146313aeb2477d2bfaf21812c02095545bb2efffa7206308de1cbb59c726c3c0d80a8d2ff4a3970a5497c459ab74e724750ad958b6821a6cb0db1cd7c194

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.4MB

MD5
c34b7abe0294d3a3367e1c4c1459d6e0

SHA1
57dbd751596512a06eaf5d67c34e2123af9858ea

SHA256
fdb153f85ac7fef59e9a80d805d73c1486b84cd36df76a0854005d1f6af35ff7

SHA512
33484c64aeb01aad9c1abc0bf7706cf7f48ee7a686460603beeb8ce74dd191082ed22983bdcfff37afda563720d94f2007ad97e9fdcc546f73931e99b5f2009f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
240.3MB

MD5
f83429a0e5348402a8b17aab67cce792

SHA1
bc58d5ffe82321869c1056876ae57b6761126f55

SHA256
2c0d482cbcbb934c1d36dc0c87aa12cea9105e6b4e673b2bc4a595be9f8b1df9

SHA512
5edaf2ebda39a7648eba6458ade52decd1d09510fe7a68f9650c5afe1df2ce92d5212ca8f9ef000d65f7fc0204ab4f7278cdfa44c335df28878943e5eec812d2

Download Submit
memory/792-89-0x000000006F400000-0x000000006F9AB000-memory.dmp

Filesize
5.7MB

Download
memory/1428-71-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-69-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1428-70-0x000000006F6B0000-0x000000006FC5B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-66-0x0000000006410000-0x00000000067B0000-memory.dmp

Filesize
3.6MB

Download
memory/1488-73-0x00000000053E0000-0x0000000005552000-memory.dmp

Filesize
1.4MB

Download
memory/1488-65-0x0000000000A60000-0x00000000011D4000-memory.dmp

Filesize
7.5MB

Download
memory/1556-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2032-56-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download