aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/744-66-0x00000000064B0000-0x0000000006850000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1452	voiceadequovl.exe
744	voiceadequovl.exe
1716	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1452	voiceadequovl.exe
1452	voiceadequovl.exe
1452	voiceadequovl.exe
1452	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 744 set thread context of 1716	744	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1724	powershell.exe
1456	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	voiceadequovl.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1452	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1532 wrote to memory of 1452	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1532 wrote to memory of 1452	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1532 wrote to memory of 1452	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1452 wrote to memory of 744	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 744	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 744	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 744	1452	voiceadequovl.exe	29
PID 744 wrote to memory of 1724	744	voiceadequovl.exe	30
PID 744 wrote to memory of 1724	744	voiceadequovl.exe	30
PID 744 wrote to memory of 1724	744	voiceadequovl.exe	30
PID 744 wrote to memory of 1724	744	voiceadequovl.exe	30
PID 744 wrote to memory of 1544	744	voiceadequovl.exe	32
PID 744 wrote to memory of 1544	744	voiceadequovl.exe	32
PID 744 wrote to memory of 1544	744	voiceadequovl.exe	32
PID 744 wrote to memory of 1544	744	voiceadequovl.exe	32
PID 1544 wrote to memory of 1456	1544	cmd.exe	34
PID 1544 wrote to memory of 1456	1544	cmd.exe	34
PID 1544 wrote to memory of 1456	1544	cmd.exe	34
PID 1544 wrote to memory of 1456	1544	cmd.exe	34
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35
PID 744 wrote to memory of 1716	744	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f2d4e5c0e720390931ee91b567cd026

SHA1
a668000ef578ab9eada37f2390caf0d55bcf179e

SHA256
2ec97c3efb52fba864d0590ae6b53bf8fae076a92052c6fdb04dcecdc460e825

SHA512
502d01d9caacdb42c96c3ae6d68578a0276d0ff252a1c4ab881ac6d720c4437c3916f0cfb546b0c74a7c1c3b358360faada00d8433dc1bfe7bc6da970b741373

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
251.9MB

MD5
1f138aecdc7451b8844fce22c22903ea

SHA1
9680e19e9e3b5eab30ba99d3d3120a75e47a530f

SHA256
56cd331c908624d8af2a3196536f3a5b2cc313fba3f24fa2e35805b15aa9de55

SHA512
a7425a191fe20f57ac78180390b23aed5119fb691cb7449c590493d6a38bf1dff406cb53e1df45a65b3ba028fbb5f08f19fb8805249127cbc858bb207d405fbc

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.0MB

MD5
4d6ec5ee9394ef8141a6dbc94ab0005e

SHA1
2b322622083bd85173553d9a26347a779db7f48f

SHA256
fe12d13a720ca9f67d4bc8f94f89911668a77dd4c62c56f349520af858266da1

SHA512
ddd83f2323dbe443bfb8cfdd1b7473baccea6097b6c1e03be33166e588fb74467d7eeb2877324bf3c0db2e676c78f350412561b65f24c782ebb7bca9b4b42324

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
56.5MB

MD5
66611af71a179d5c46a77f559f0e1be0

SHA1
dae4617c7ee30f9a670104634d3198e9bcb2179b

SHA256
6ba53d47e06bef03de721be97172dee45965df389b1afc8874b5d8c97ce1184e

SHA512
e456aac2f83ec333d1dacb17b01c209f40d7133ca460d0def2adb5cf341655809179a790a9c8fa68dc32d6fea099acc9db9bd53d117477317db6f7c742f45269

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
265.7MB

MD5
e20e85be57487ef785696aae80ef6e6e

SHA1
c353dbdad47da5b33e9053265589ba24279d2bc0

SHA256
df50ea1505eae0503f49928758eafe649310f3de958edc92c53add79b8459c4b

SHA512
ee04c1a6d0b9e81955acc3ba32128d8bbad0c2fa89cdd21d7c85424c015cfb159b9df954b287cd48807b1f9e26454d975ab7936bd865ad22d1bd807a87393509

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
238.7MB

MD5
ab62da9cf1f6aac48c79866376f134a4

SHA1
4d944d80cb465ac2dfef5045d7651b1e286ec352

SHA256
a9441308bfbfccd79b1240b4f44a09ea132fed07c2d8caeee56f4b3a1a66d682

SHA512
0a330772aebdc75ffb90cc8d3c18e486c940764671cb3393e98e76d412c7421f9c15806ac5d6a664ef7e3ebfb4d7fcc76380009c68e667a0423caa144964673c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
270.2MB

MD5
c60efb298e99e9833e0cae750a676b96

SHA1
341924500e2109188664aabaf3e582c9e2a7c944

SHA256
e9724202b4a7b45523f519d15d99d06660e9409bb7fcd04e2c044d1268924fe4

SHA512
531fa6911b804938aec088ad5b7f6fea14931ad7dd79941a14b9c9631970677b468b41c3bba8f3f62f2345053603f59033ea795f0f484e969fcd47bb83f15326

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
265.4MB

MD5
ef44dfcaa6a258297d24111db857b74b

SHA1
cfd4416291a1d49ccdf995fef3465e80f7163bdd

SHA256
a0fe2b2642762478fd34d23b2705e68b07940fa54f6879a9e8687a96eb1ffa6f

SHA512
1dd6ecb1ebf7c9535c2c6b88c609e8956aae83d1da19cbfbc566a98573b92af57a3894717f7fb33b95a6f3ac1f4299333de2a740c3d8b7e445a0453fc7bd5bbc

Download Submit
memory/744-65-0x0000000000A40000-0x00000000011B4000-memory.dmp

Filesize
7.5MB

Download
memory/744-66-0x00000000064B0000-0x0000000006850000-memory.dmp

Filesize
3.6MB

Download
memory/744-75-0x00000000054C0000-0x0000000005632000-memory.dmp

Filesize
1.4MB

Download
memory/1452-56-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download
memory/1456-81-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-94-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1716-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-71-0x000000006FF70000-0x000000007051B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-70-0x000000006FF70000-0x000000007051B000-memory.dmp

Filesize
5.7MB

Download
memory/1724-69-0x000000006FF70000-0x000000007051B000-memory.dmp

Filesize
5.7MB

Download