aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1540-66-0x0000000006220000-0x00000000065C0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1880	voiceadequovl.exe
1540	voiceadequovl.exe
1912	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1880	voiceadequovl.exe
1880	voiceadequovl.exe
1880	voiceadequovl.exe
1880	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1540 set thread context of 1912	1540	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1308	powershell.exe
276	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1540	voiceadequovl.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 1880	1884	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1884 wrote to memory of 1880	1884	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1884 wrote to memory of 1880	1884	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1884 wrote to memory of 1880	1884	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1880 wrote to memory of 1540	1880	voiceadequovl.exe	28
PID 1880 wrote to memory of 1540	1880	voiceadequovl.exe	28
PID 1880 wrote to memory of 1540	1880	voiceadequovl.exe	28
PID 1880 wrote to memory of 1540	1880	voiceadequovl.exe	28
PID 1540 wrote to memory of 1308	1540	voiceadequovl.exe	29
PID 1540 wrote to memory of 1308	1540	voiceadequovl.exe	29
PID 1540 wrote to memory of 1308	1540	voiceadequovl.exe	29
PID 1540 wrote to memory of 1308	1540	voiceadequovl.exe	29
PID 1540 wrote to memory of 1040	1540	voiceadequovl.exe	31
PID 1540 wrote to memory of 1040	1540	voiceadequovl.exe	31
PID 1540 wrote to memory of 1040	1540	voiceadequovl.exe	31
PID 1540 wrote to memory of 1040	1540	voiceadequovl.exe	31
PID 1040 wrote to memory of 276	1040	cmd.exe	33
PID 1040 wrote to memory of 276	1040	cmd.exe	33
PID 1040 wrote to memory of 276	1040	cmd.exe	33
PID 1040 wrote to memory of 276	1040	cmd.exe	33
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34
PID 1540 wrote to memory of 1912	1540	voiceadequovl.exe	34

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1912
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
52908221f045e9ddc86d692d8c363a47

SHA1
66ef4bc5afc4c7692db5bcca97dacf32ade78890

SHA256
37b6f6f078f772a348e0ba4fd751307e80b435a3997994f3df6296c19145891b

SHA512
6e66f5a605c23d3ccee2272190c6258d5b9c796663e36d4b7148df560ab29da43257973dc1e31c81639f26461c390d5c540412a7a36f6918ffeb09580558a735

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
229.9MB

MD5
77e1460e025fef59f8d0637d2ae34de6

SHA1
9779f9a79e86a112dc972f3565a267ec0bbe7033

SHA256
ed40738ddfe5110c9fe2bb6c8e21c56eda2cb747b9eec0bf7266f62a9607a73d

SHA512
54515516760146886f372053c0a97430d616621c06f0c108f6c8ce0f072e2130c8f392d1f3c0f652bf1ef70cd144ef889b58646b9cb061be3a6ec8b18588ddd7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
273.3MB

MD5
365b374233ef9fb3516d8faaf4d338db

SHA1
d85095a0f9908e59ae88938700453ddab10a9ff1

SHA256
714652cb9b1c0751bcb22376adefcff488d354833b97f1fe2f21b051a0551734

SHA512
17696977cd59a46eb2febbd264766a8c7ef8ec3f36210dc813a7d30810d15d7566874b3b536b02b63a893cb953c88bb944492f9b2ac14c59d6dd95eb81a6011c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
19.3MB

MD5
d777bf414942b038ec322eb76e801210

SHA1
31a38b1abe90f5100a67e6c43fabe9794bb82f80

SHA256
480d9cec8582821d87de0b82f456498a468f75dd16162948e03214af33220592

SHA512
59f69b6b5f869b4140a34b536476a216ac7dca18c59b02c097774678497e3e6c7b6f900128e93a48dc1c004a4e1a30bb1038f78760a9578287c2cd3b375d3317

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
281.7MB

MD5
b8a6dafde2f272ae8ceb5a1854d2b5ed

SHA1
1a80b50521f4d10da21315bd07c12605e6837065

SHA256
aa6e18bf2178425c4e1fb78b1e637c6cd76ca06581904a2202c906132924a301

SHA512
c04eb155f82bb30a775c1d8b03e7ad0ae7d951bc0c83197f9f9ac4eadec72340084b30c4f9598a3a1d8ace510ef4031aaad1fac2619363d531b8082edb738cc8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
260.7MB

MD5
24ef3eb65eed14623c8564f038c7df04

SHA1
5f4d8165de5cab009bd50836f7f2584afb2f81b9

SHA256
cde2e1171d8be4ad046d9df3fc430be25cedee40350f3008b644eeae5a0f02f7

SHA512
312a3925e91e7f685b46083bc1040f1b02c29d2591709c4d9a388073fa6bb984c860ae5b5541e7e7d8d0106f878b1ef0de9931cc57278fe72b0b9236b3d8a243

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
269.6MB

MD5
6535fb4c05f45f20d5f44176e2e6917a

SHA1
a720d9540ebcf9ec86cfb97d1f40f542507f8134

SHA256
9d4563675179dd5b07ff67c334dc7d455df3763961f4504e9b008b63fbe5c8a6

SHA512
2fd6b1487ea900ef8d218b8af7552406bdcdfe5b8c64c1b4065f965419d743f65b378a7c4ee23f33270be2c1a9d809dc9e81a2113db09aab62e85dfea4dbc11b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
275.9MB

MD5
f03d76204f6021c458e8ce5a97c9e382

SHA1
00e95d2d4cf43003c95db68701c30190ac309764

SHA256
72a2cebe30bc8625b43b859ed22a6423c972852e139d1a38903f0d303b5a41c3

SHA512
3a6ca951dad09a75e770adc35ac6409a3b1117ea17986f52aa298cd900acc797dc01ea5a67da4e5b6916eeb2372b29b8efada727508d16eb22410c8e4b54f284

Download Submit
memory/276-81-0x000000006F790000-0x000000006FD3B000-memory.dmp

Filesize
5.7MB

Download
memory/276-87-0x000000006F790000-0x000000006FD3B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-69-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-71-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1308-70-0x000000006F7D0000-0x000000006FD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-73-0x0000000005230000-0x00000000053A2000-memory.dmp

Filesize
1.4MB

Download
memory/1540-65-0x0000000000BF0000-0x0000000001364000-memory.dmp

Filesize
7.5MB

Download
memory/1540-66-0x0000000006220000-0x00000000065C0000-memory.dmp

Filesize
3.6MB

Download
memory/1880-56-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1912-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1912-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download