aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
78s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1476-66-0x0000000006480000-0x0000000006820000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

872 voiceadequovl.exe
1476 voiceadequovl.exe
1888 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

872 voiceadequovl.exe
872 voiceadequovl.exe
872 voiceadequovl.exe
872 voiceadequovl.exe

pid	process
872	voiceadequovl.exe
1476	voiceadequovl.exe
1888	voiceadequovl.exe

pid	process
872	voiceadequovl.exe
872	voiceadequovl.exe
872	voiceadequovl.exe
872	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 1476 set thread context of 1888 1476 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1088 powershell.exe
1588 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1476 voiceadequovl.exe
Token: SeDebugPrivilege 1088 powershell.exe
Token: SeDebugPrivilege 1588 powershell.exe

description	pid	process	target process
PID 1476 set thread context of 1888	1476	voiceadequovl.exe	voiceadequovl.exe

pid	process
1088	powershell.exe
1588	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1476	voiceadequovl.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 108 wrote to memory of 872	108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 108 wrote to memory of 872	108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 108 wrote to memory of 872	108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 108 wrote to memory of 872	108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 872 wrote to memory of 1476	872	voiceadequovl.exe	voiceadequovl.exe
PID 872 wrote to memory of 1476	872	voiceadequovl.exe	voiceadequovl.exe
PID 872 wrote to memory of 1476	872	voiceadequovl.exe	voiceadequovl.exe
PID 872 wrote to memory of 1476	872	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1088	1476	voiceadequovl.exe	powershell.exe
PID 1476 wrote to memory of 1088	1476	voiceadequovl.exe	powershell.exe
PID 1476 wrote to memory of 1088	1476	voiceadequovl.exe	powershell.exe
PID 1476 wrote to memory of 1088	1476	voiceadequovl.exe	powershell.exe
PID 1476 wrote to memory of 636	1476	voiceadequovl.exe	cmd.exe
PID 1476 wrote to memory of 636	1476	voiceadequovl.exe	cmd.exe
PID 1476 wrote to memory of 636	1476	voiceadequovl.exe	cmd.exe
PID 1476 wrote to memory of 636	1476	voiceadequovl.exe	cmd.exe
PID 636 wrote to memory of 1588	636	cmd.exe	powershell.exe
PID 636 wrote to memory of 1588	636	cmd.exe	powershell.exe
PID 636 wrote to memory of 1588	636	cmd.exe	powershell.exe
PID 636 wrote to memory of 1588	636	cmd.exe	powershell.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe
PID 1476 wrote to memory of 1888	1476	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1888

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:316

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1460

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:1692

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
329.0MB

MD5
c35fe6646759afbc26df4a4279099a71

SHA1
484497ea48669606ac46d2473ca50d5a442f747e

SHA256
bf9d318a5f3d1713e79138202b5d03de59f36a79053bc55c079fe59efb2bcf04

SHA512
1a701f84a42e7899495fe4a915217d69c6d8c03f62638ef8f875d1b3bd9ce6178be6e2d3cd4a6892b5fe531bac45073028d429c531d2cd22325973061eab9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
316.0MB

MD5
1dd643bdaa4a2ed72a4cbc68d05a468e

SHA1
d06bca83b49bbd32f331bda09d83fcc1fa5d6bfa

SHA256
ee651244c1555f61a3b7d0972f76714aa20d0b7c0b0899a85adf6e4433b676ce

SHA512
b54a0b58dffe2b587a182deecaceaee31432b0a36b0d69296301c436a8f63abb591ee923f8e74ec114aa76f6e46735c543accbbd64d6b89246e5bbf581e1e1f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
91c357a47d0e1bb0a8c50804e1501373

SHA1
759394f1e1ec6532fb1cfcda0a923e6e03c49a43

SHA256
d77eeada38769ca81e14ba934ecdb1b1815cc0a6cce83a260d6d07821838fab7

SHA512
49385287fc56ec2a724f77e57f1037f480f77ce76755ce58203a09db9d3d24aab9fb0041166c27705d32048096aed9e6298114d2cabea34988d2f7ccc6eff369

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
213.2MB

MD5
22b28401890574fad7f38d44550e8919

SHA1
1af3f5c505732a226277310a45cf9fe710c912d7

SHA256
caaf00748cf1420ae0efd543660f275ef31e75e9692eeed8c2a3a334040895d4

SHA512
f2217e5ca738f271be87878fbc2248882f834ccd26077e0e54a3b5114cf0b50f1231a82488c2c0142e0758659628fd54a6a7372e5e284a240c75e3dbee69fbd9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
213.2MB

MD5
12247b323abe712b39b8cd4998dbd19b

SHA1
818d6d3edc4bb9be83b62cdc0836a04314786cf8

SHA256
a4c0a58dfc778845193de56ded8edca19145687e1c61d027842754dc53516346

SHA512
f2449706bae274605bcc6b0180950ada84ab39735c9668e9b6a3913d3ed06104cbf097d0fdbc21952e629d6ca6f7872ac9a0c5f28058d1424dc3a485aac5f457

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
98.6MB

MD5
258dbca7504368ffe25001006cbfec81

SHA1
4e50f1927d0ce24869383c754506a7fd53a843ff

SHA256
6063055d6d042f730495e4ba40810dce002ea9c8f632d9bfe54d9908f18cf19d

SHA512
7499fc23c5ae44f462f1750dbc7d4f0f35ba333bc4743743db017c378bf0badb4ce0b1a0e057353648765ced04076ba6a5dc236581317110dec5915c0db2e2d7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
204.4MB

MD5
57373b33ea8ca2e1442e47246dd969d6

SHA1
1082c2f82fef7d48a1b6685fc503174ae1d90b26

SHA256
df27c6ac4b5b1aa31553840237970b53b0409d764ed131f6ecc2fad1d7d47e97

SHA512
bd0ea446edd4a5ad3277ac5c7c59c5935162051dce59fbbe8c70f26e52ffcaf478e91eeb04e7cfdfbc759755d1b80976950632d9f20ae9f66ecfe70ff6f3f960

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
219.8MB

MD5
e068d116351c13fae2c5818f840e79e1

SHA1
5b105e4cab198e17bdbfd5d598234205553ab20a

SHA256
34d3ab75fb76c79c45582ca2cefe0ca85bf57564996793b07856bdcec81dbfb7

SHA512
87ca82fa0b6cb7b7522911ad654fba557bd2868cb6e15aacf80d0746d4c131fd935426851986966707677582de7ac383f0ce0d9f14f797987db755070c50558c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
213.2MB

MD5
22b28401890574fad7f38d44550e8919

SHA1
1af3f5c505732a226277310a45cf9fe710c912d7

SHA256
caaf00748cf1420ae0efd543660f275ef31e75e9692eeed8c2a3a334040895d4

SHA512
f2217e5ca738f271be87878fbc2248882f834ccd26077e0e54a3b5114cf0b50f1231a82488c2c0142e0758659628fd54a6a7372e5e284a240c75e3dbee69fbd9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
216.9MB

MD5
01d53f401f1d763a8d96c21084a05b59

SHA1
1a2760f04f327df6ff099d31272814168dfff7b6

SHA256
f336649d0bd0fec63054a159ab8984e967678a5864c978bde33a4167da2b3d20

SHA512
d6f1f0ff50194a9c9d529a99ca56e3795937f89372b1538a5f7f518cb4874a037dce8b1809fec57adcd3f83a30301212d6a2764b4938f85d018cefa61afe04d6

Download Submit
memory/316-96-0x0000000000000000-mapping.dmp

Download
memory/636-72-0x0000000000000000-mapping.dmp

Download
memory/872-56-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/872-54-0x0000000000000000-mapping.dmp

Download
memory/1012-101-0x0000000000000000-mapping.dmp

Download
memory/1088-67-0x0000000000000000-mapping.dmp

Download
memory/1088-69-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1088-70-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1088-71-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1460-98-0x0000000000000000-mapping.dmp

Download
memory/1476-66-0x0000000006480000-0x0000000006820000-memory.dmp

Filesize
3.6MB

Download
memory/1476-65-0x0000000001360000-0x0000000001AD4000-memory.dmp

Filesize
7.5MB

Download
memory/1476-74-0x0000000005350000-0x00000000054C2000-memory.dmp

Filesize
1.4MB

Download
memory/1476-62-0x0000000000000000-mapping.dmp

Download
memory/1588-93-0x000000006FAE0000-0x000000007008B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-80-0x000000006FAE0000-0x000000007008B000-memory.dmp

Filesize
5.7MB

Download
memory/1588-73-0x0000000000000000-mapping.dmp

Download
memory/1692-100-0x0000000000000000-mapping.dmp

Download
memory/1888-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-90-0x0000000000464C20-mapping.dmp

Download
memory/1888-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1888-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-99-0x0000000000000000-mapping.dmp

Download