aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
131s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1124-66-0x00000000064E0000-0x0000000006880000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
2028	voiceadequovl.exe
1124	voiceadequovl.exe
276	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1124 set thread context of 276	1124	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
960	powershell.exe
1064	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	voiceadequovl.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2028 wrote to memory of 1124	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1124	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1124	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1124	2028	voiceadequovl.exe	29
PID 1124 wrote to memory of 960	1124	voiceadequovl.exe	30
PID 1124 wrote to memory of 960	1124	voiceadequovl.exe	30
PID 1124 wrote to memory of 960	1124	voiceadequovl.exe	30
PID 1124 wrote to memory of 960	1124	voiceadequovl.exe	30
PID 1124 wrote to memory of 1548	1124	voiceadequovl.exe	32
PID 1124 wrote to memory of 1548	1124	voiceadequovl.exe	32
PID 1124 wrote to memory of 1548	1124	voiceadequovl.exe	32
PID 1124 wrote to memory of 1548	1124	voiceadequovl.exe	32
PID 1548 wrote to memory of 1064	1548	cmd.exe	34
PID 1548 wrote to memory of 1064	1548	cmd.exe	34
PID 1548 wrote to memory of 1064	1548	cmd.exe	34
PID 1548 wrote to memory of 1064	1548	cmd.exe	34
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 1124 wrote to memory of 276	1124	voiceadequovl.exe	35
PID 276 wrote to memory of 548	276	voiceadequovl.exe	36
PID 276 wrote to memory of 548	276	voiceadequovl.exe	36
PID 276 wrote to memory of 548	276	voiceadequovl.exe	36
PID 276 wrote to memory of 548	276	voiceadequovl.exe	36

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1124
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:276
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
353.6MB

MD5
98609de04e4d8ceab602cb96b4b0cc26

SHA1
8be4fd5c3a1f0ee124d97abda5a7258ee37e4bf4

SHA256
240376954b7846da104d4fc0ecfcd8ae40c0d2cd4d97f08da49b6741284ec105

SHA512
1879c05b87348afbf83db38c235a86ca6dd4af99e45e7f2de4b81b975e07e2fa4bc223a9c697575b2c29894dd03f3b8874346ba7db1c09284694858c4bafff55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
347.6MB

MD5
9e92902dab79e8259a638f640eaa0952

SHA1
08e400fa7f8c4814e8281ba819e6a063600620fb

SHA256
750194ae3866d316a67ed453f654cc80662d00dda23a8cd620b9876fcb2efadd

SHA512
cdde9fa1cbbd3b8c370681080d77b8bb3cc47b053a7ee1b417100c826daec72f17b7d1e3f1936c072ff88d19b47b75de6bfd9630c9657be6c88bed9bcab74413

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
37255378e5e801475080517e918d4443

SHA1
ea1258b3f1bb54ccedfc513fbf1aa4807454d3db

SHA256
2c1bc9299ad737b0e4cea971eb7213abbc84820e985de5448f58b090781700f7

SHA512
cf3d836ee92bc45370b61bc9368a60db5efa6dc88ad10bbb278346a4476f996efa0672bfa57cc3c68620853f46f453b45a8cb9b3c292b2c29ddf687945742310

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
244.3MB

MD5
788fb70d74de440ad67ee10c97bf7ff4

SHA1
cfb9dd8cdf62e583c9630ec4066a37f13e43432e

SHA256
c92342c141359dbd99b94594ad5690a10da94ad21abcf0330251a6593cae70db

SHA512
e8c3745b4a48efa74b5bf89a7c1390e9b304fbb30935d5e4bb2dc48aca992b724933af0628d69f195cf0fe9f16fa9eae0eae450e297cabb4d729781234ca236b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.8MB

MD5
0765a2b42756a1355c9abec22628233f

SHA1
8d14582f05769bfe460272a68326006c91e23cd4

SHA256
44ec3bc128291e9f85dab361e9f239cf45d58f04d89120dd78c3913f789e5107

SHA512
52d5c3a56b26f997b48aa5d172af88df63331b6fba4bbce956a796ef89602598688e57e83e364731dc4e7957f0f2217dc9eef5a1860d6b86be835a59a15cbcb8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
102.4MB

MD5
1ec650b5440db7b987d3433d6bc66397

SHA1
a81addde74f31f44952c64738eaae05a47488cf0

SHA256
3b7cfef4e603f6ff27b323ae562e52daacb896b0b48edafb3cb854b545d7f28e

SHA512
828c9260c2292164aa44d0e95090e6c3a8fae8024f9f1edd6c0468517ebdf59afead911e4334ffa7ddc580a8593f343278f73eab3374a11b86804da404999d12

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.0MB

MD5
a1ac4a374067c91573403ee0b6fa1cc0

SHA1
25b11099d1b3d614cea97931ce56a46908d5a29b

SHA256
ad6c67ba65883ad9dca8dcbee0ff4c03b5a280e5bad881db9ff7f3182b650c47

SHA512
2c2ce69fb5126ba0c514f18c300355a9e99472f27eafaab6476c16f87a91a48363d36b284547ddf96b446b161cc9cfe8aeaed0f0e19e0483eff878a198247469

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
240.2MB

MD5
514b7e459505e4bda5fe8a5993f8ecca

SHA1
6f75ca89f2d77167566d560cea21e3eb56b75440

SHA256
fd0c6d39edf5d1bb93cd5d3b11d5b981ebecf6f68e20624abea288f2375e6d9e

SHA512
18ca656fe9aaa2ed7c61dc496ec711f4301e83b97bb86c13178d7d6d4ab0f5233e45781c2fba79a7c344c307b070e9a6318a1ca132479970c547a95bb513fc20

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
250.6MB

MD5
b8e6258e4f94ab40476e7abfe5c1b057

SHA1
a1cbf12d9ec576eb1bf57f82af285a432004dc3a

SHA256
27e8b005f2acc76011d925790a63638c0b5e0669fb138e3771f6d7467c701239

SHA512
7be44bc8e3b30275ba988a2927108cd4e8c5e754212b67edb59a8f99cd9a7e2c1ca11a509e36efadaf104bc2db457118c96846931a9e3b5b2a512cac361df533

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
228.9MB

MD5
807044531f36181cdd7e0727261851eb

SHA1
a995284fbd3b53ee6506ff87874f46d45240f1d3

SHA256
48805cd777e8ca1f984be80def6dc05f9d0526cb85c378e8ef415bb8f9101582

SHA512
6380d6b96f5db1f0523967547594e7661ba94d646a453a19dbaeca4c3ea528fc09e275de1075a8a54e9d0940296c02b1b3296869a69f1bc374b6451865dac43f

Download Submit
memory/276-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/276-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/960-70-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/960-71-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/960-69-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/1064-82-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-94-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/1124-66-0x00000000064E0000-0x0000000006880000-memory.dmp

Filesize
3.6MB

Download
memory/1124-73-0x00000000054D0000-0x0000000005642000-memory.dmp

Filesize
1.4MB

Download
memory/1124-65-0x0000000001200000-0x0000000001974000-memory.dmp

Filesize
7.5MB

Download
memory/2028-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download