aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
127s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/668-66-0x0000000006590000-0x0000000006930000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
2032	voiceadequovl.exe
668	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2032	voiceadequovl.exe
2032	voiceadequovl.exe
2032	voiceadequovl.exe
2032	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	voiceadequovl.exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2032	1536	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1536 wrote to memory of 2032	1536	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1536 wrote to memory of 2032	1536	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1536 wrote to memory of 2032	1536	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2032 wrote to memory of 668	2032	voiceadequovl.exe	29
PID 2032 wrote to memory of 668	2032	voiceadequovl.exe	29
PID 2032 wrote to memory of 668	2032	voiceadequovl.exe	29
PID 2032 wrote to memory of 668	2032	voiceadequovl.exe	29
PID 668 wrote to memory of 1516	668	voiceadequovl.exe	30
PID 668 wrote to memory of 1516	668	voiceadequovl.exe	30
PID 668 wrote to memory of 1516	668	voiceadequovl.exe	30
PID 668 wrote to memory of 1516	668	voiceadequovl.exe	30
PID 668 wrote to memory of 1712	668	voiceadequovl.exe	32
PID 668 wrote to memory of 1712	668	voiceadequovl.exe	32
PID 668 wrote to memory of 1712	668	voiceadequovl.exe	32
PID 668 wrote to memory of 1712	668	voiceadequovl.exe	32
PID 1712 wrote to memory of 1664	1712	cmd.exe	34
PID 1712 wrote to memory of 1664	1712	cmd.exe	34
PID 1712 wrote to memory of 1664	1712	cmd.exe	34
PID 1712 wrote to memory of 1664	1712	cmd.exe	34
PID 668 wrote to memory of 1072	668	voiceadequovl.exe	35
PID 668 wrote to memory of 1072	668	voiceadequovl.exe	35
PID 668 wrote to memory of 1072	668	voiceadequovl.exe	35
PID 668 wrote to memory of 1072	668	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1664
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1480
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f721a76c8939a5e58f398a44be9018e

SHA1
cad81d96dd5162762a45754792052dd70a249d91

SHA256
399381318f56cffe24dc5dd143933a32299f26610bfb29e0552e4ad8236fe91c

SHA512
b35d48d295cb17914cfa546ada81ecd41503bd56b9262ec4ec798fc04e48006b32956325a1ddff6a2afc6f7ff5033f94ef54ca69da926cb6ff1f0123c1cc0c70

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.6MB

MD5
37e5423b04b1bf25df7dd48c6d66a520

SHA1
b51cc2951f4e6e19e3aae4403c274e751d33f42a

SHA256
67f7069c1e4cbfe24022421e6ae8462f33418ce48e01dc5abfbaa8d0bec580d8

SHA512
d4b18ef76b9b11736e2beaa06d8241ee298ef6bd41656e4890b4efc18df60a2f8b8920093c762153a0141d96fbf6c33dfa9791414390d0c12f05fc6727a478ef

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
253.9MB

MD5
3330083ffd0f193076e33e05fc5ac3ae

SHA1
f62dc1fe10f1899c487df209192d33cceededc5d

SHA256
f4c74f6d5ebc29c3f3f6278d6dc9330d391a3f34032ea71cee26c38cfcc2c642

SHA512
bdc3c68a8326d02ceb18a219052d2e7b4edab3853bb901d248eba7b1ce6e0e4cd9d4f467ad8af4c9a90c7b3266dd3564d5bc4750c464f76dcad6f9a9ad6ee3ec

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
25.6MB

MD5
faf46f74e865db083a3ab7add1df916f

SHA1
259a56a97a06909768dd4f9538bd3d9ee9f3432d

SHA256
aaca532bbf95c63157fcf89a4a6c8c19e1c9dbfa7bf2d8097114a7e0077d8f83

SHA512
5faff443911a7008e9417ab87ad90e909b367775895f29ba676f5d73d8ee9d46fcea60cded0975f5ffeb25dddabbae871571e44b01d342b1133c13c8be7830dd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.0MB

MD5
fa8b37c6e614144415dc3432ba090c67

SHA1
0316aceb26f41747f1881b00581845ea64d2a92e

SHA256
b5c37ec74ac4170fc5ff17865e77eb6b228d0973d755c556afc1c041f76bb8c7

SHA512
bdc85c4644e1a1ebe23f59d783a9d15cfa6d5cd92b6a7eb7e13c4a7ca2485460a71b970f994f38939b491432497d3810d86070e4bed5f567201fe864dfe68264

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
275.6MB

MD5
53255d0dd268a0456ff21bdd6004158f

SHA1
b6553ceee5684d6dea93cc2c326314aa78612eeb

SHA256
e8e012c90787d912d6152acad4c8e147406742373dd07ab33971bb7245fdf3f1

SHA512
228d57ac44c136bd7bb7fe22c4e5789d02d2b6af0462ed93454f0edeb82525a0709edb69b943a6800bf4e10ae9a785e7d350fa3b3d2b08ba8680d30c7f5b6f60

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
273.3MB

MD5
2837a19d8b194318a1a58002eee1418b

SHA1
0aeb0599e6d780f28aeab8fc344790ba7688bafd

SHA256
a6058488e1f0fb2a2226c6a28ab644b1418c715d42cfdfd8a47df2d18d799e16

SHA512
367e877924762b7dc185945e59aee8550964a012b27a74a5d83abe98bbd757f37724823fee32a6a3b8c516cd84e2b22c087375ba30fcbdc70da50c0682eb1e6f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
276.1MB

MD5
a05887c105a5fabde254dd8578e69169

SHA1
aabfe2d0cde05069a5a71d1276996cdd627926b4

SHA256
b517a8fdf49bda843ace37aff04228e840a1d79e1c3d2913c502c23aeb967e3a

SHA512
d8e4465dbf16e4330b21632e5562a8da984219e5b232152c5969c43fb41e41648f6d64978e5fea2a64bc01a26879f2817323f05fd4755607af86266c6f99c482

Download Submit
memory/668-73-0x0000000005570000-0x00000000056E2000-memory.dmp

Filesize
1.4MB

Download
memory/668-66-0x0000000006590000-0x0000000006930000-memory.dmp

Filesize
3.6MB

Download
memory/668-65-0x0000000000B00000-0x0000000001274000-memory.dmp

Filesize
7.5MB

Download
memory/1072-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1516-69-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-70-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-71-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-80-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1664-95-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-56-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download