aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
142s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1952-66-0x00000000064C0000-0x0000000006860000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
876	voiceadequovl.exe
1952	voiceadequovl.exe
1448	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
876	voiceadequovl.exe
876	voiceadequovl.exe
876	voiceadequovl.exe
876	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1952 set thread context of 1448	1952	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1184	powershell.exe
592	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	voiceadequovl.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 876	584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 584 wrote to memory of 876	584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 584 wrote to memory of 876	584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 584 wrote to memory of 876	584	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 876 wrote to memory of 1952	876	voiceadequovl.exe	29
PID 876 wrote to memory of 1952	876	voiceadequovl.exe	29
PID 876 wrote to memory of 1952	876	voiceadequovl.exe	29
PID 876 wrote to memory of 1952	876	voiceadequovl.exe	29
PID 1952 wrote to memory of 1184	1952	voiceadequovl.exe	30
PID 1952 wrote to memory of 1184	1952	voiceadequovl.exe	30
PID 1952 wrote to memory of 1184	1952	voiceadequovl.exe	30
PID 1952 wrote to memory of 1184	1952	voiceadequovl.exe	30
PID 1952 wrote to memory of 848	1952	voiceadequovl.exe	32
PID 1952 wrote to memory of 848	1952	voiceadequovl.exe	32
PID 1952 wrote to memory of 848	1952	voiceadequovl.exe	32
PID 1952 wrote to memory of 848	1952	voiceadequovl.exe	32
PID 848 wrote to memory of 592	848	cmd.exe	34
PID 848 wrote to memory of 592	848	cmd.exe	34
PID 848 wrote to memory of 592	848	cmd.exe	34
PID 848 wrote to memory of 592	848	cmd.exe	34
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35
PID 1952 wrote to memory of 1448	1952	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:848
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1448
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6a093780ecf7081749cda7e951feebbf

SHA1
088916011bb5878fe6b9f2e69a9d2d39d882ffd0

SHA256
b6b503947568d032579ce122ce373761f7951d808d38c59d0e3289735c18ea4e

SHA512
e9cfdc7686700648c2d5bb99eef15c416595f9fb0b959166bd23d2cd9fc03a896a079f3b37dadaa2deaab7b3709c72cd106b1a9adbec06645298c71415a9fbae

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
218.0MB

MD5
a22a5751f3aa2eae28d5dab239056219

SHA1
bbc115343ebdd66292144ba528b42c8a521af354

SHA256
6b76cd6e00b58c0bd7fd117e3c86caaa78e69e93067108d37ba10b70ce736402

SHA512
fa9d57e9856dc3e48edc8bf2f0bdc79b6cc6ee2d770405d4f29063875633b1e99fa925fe5b9aca235eccefa3c163da2febcece7bc0610ede6f4d351f2cb6b557

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
219.6MB

MD5
d86dcfe4140db03aa0e8f9cf2092ae98

SHA1
cbf0b9331d59e1996301c5bb012d8cd5a1a53f07

SHA256
4e29c10c898c94667dedd399bbff9b5bac488ca5ed9da6bd5bb465b3ab9f29bb

SHA512
86317577f3df875975ce3e774f5342c1927d46df3230cc1d3a43e2201467d4cef38519fe8997728c01757a0bb52c0f4497ce485fa58fe9e1ae902eab2d3a7585

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
28.5MB

MD5
ac99aa5eccbd69a89a3661537e2e66f5

SHA1
fa643956376372714ee299922f3d6454fb7630ac

SHA256
01257bd7c737280ba5cf9653decf86f52c2b0a6775896407e2bcf09f16afca45

SHA512
33ec347c537bf598ae4b4979d4689769b086bdabd8568ab943a5f7e6b73852cc4930342806488a3c3c23b5cebd62b8f02c26a722a3248be24d5c70c6f39c53b4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.5MB

MD5
46672d769a5bdd24a1d4769048677f78

SHA1
38d61d80f1bb87a3e4ea8f54e212942e8c6ea7d5

SHA256
f67a296c1de254a92c9328aa14decb5e0a83ff88692411df2882918e088f8333

SHA512
bfebcb057e3e58a24434989f3caa19b0ea66d582655741ffe2332dd17eb8aad2407074ed66da5094cdbed6eebdc6adf86151fa73d2a82d8f2116034ce690c70b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
218.3MB

MD5
7d262d7af2f5ffbded2958f7bbceb705

SHA1
fe76ce43ae44656dd7cc0637783b7cd92c6582e7

SHA256
7402f8fef9370272900cca3097a73b6394a6ca0552e03c30e99f356186e5ac55

SHA512
039e88e5833913e24b89bcdc74dd2200b15df4a35be1cbf674c4b59fb11b5cb8b807c74a7b2870b5389ee8de73821930d19b61d951f082142267fa32ebc73558

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
220.7MB

MD5
4fd44663f64a5f1f52f809ad6256be6c

SHA1
2936c551ae9d092b4c1eeb69ae033dfcc38990d7

SHA256
04e1e051a5302e694f8f4bd98834c4d4482af7b03f5df11ba43911c6e47c10ad

SHA512
97a4ec8d650d296ed7ddcf914ac329efbf60a8188c3dcf810fd509474fc042b1535510f80824b82acf2cacc55cd8b36f05e6111db29ef067f922ca74613865e3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
231.7MB

MD5
1d0b9db6fdcde3fa3d2ec399fc6771d5

SHA1
2929fd99724ae9ab4a699e0d607a8b02ea0fc501

SHA256
5038a3c388af2cde76d7abaafc77e3ca156cce36f60ff558ffc043f3be678270

SHA512
88085f4a4afe8717e053c755df4e626d9c94ef6fa1cd69c048d4c781f03d1e3f123ebab9dc2953328d06de81c93084dc6fb8cad6c739de5dacdd436283aa15ee

Download Submit
memory/556-96-0x0000000000000000-mapping.dmp

Download
memory/592-73-0x0000000000000000-mapping.dmp

Download
memory/592-94-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download
memory/592-83-0x000000006F7C0000-0x000000006FD6B000-memory.dmp

Filesize
5.7MB

Download
memory/848-72-0x0000000000000000-mapping.dmp

Download
memory/876-54-0x0000000000000000-mapping.dmp

Download
memory/876-56-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1184-69-0x000000006FA90000-0x000000007003B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-70-0x000000006FA90000-0x000000007003B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-67-0x0000000000000000-mapping.dmp

Download
memory/1184-71-0x000000006FA90000-0x000000007003B000-memory.dmp

Filesize
5.7MB

Download
memory/1448-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1448-90-0x0000000000464C20-mapping.dmp

Download
memory/1448-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1952-62-0x0000000000000000-mapping.dmp

Download
memory/1952-74-0x00000000054A0000-0x0000000005612000-memory.dmp

Filesize
1.4MB

Download
memory/1952-65-0x0000000000F50000-0x00000000016C4000-memory.dmp

Filesize
7.5MB

Download
memory/1952-66-0x00000000064C0000-0x0000000006860000-memory.dmp

Filesize
3.6MB

Download