aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
112s
max time network
149s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/760-66-0x00000000065A0000-0x0000000006940000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1772	voiceadequovl.exe
760	voiceadequovl.exe
1328	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1772	voiceadequovl.exe
1772	voiceadequovl.exe
1772	voiceadequovl.exe
1772	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 760 set thread context of 1328	760	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
320	powershell.exe
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	voiceadequovl.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1772	1264	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1264 wrote to memory of 1772	1264	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1264 wrote to memory of 1772	1264	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1264 wrote to memory of 1772	1264	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1772 wrote to memory of 760	1772	voiceadequovl.exe	29
PID 1772 wrote to memory of 760	1772	voiceadequovl.exe	29
PID 1772 wrote to memory of 760	1772	voiceadequovl.exe	29
PID 1772 wrote to memory of 760	1772	voiceadequovl.exe	29
PID 760 wrote to memory of 320	760	voiceadequovl.exe	30
PID 760 wrote to memory of 320	760	voiceadequovl.exe	30
PID 760 wrote to memory of 320	760	voiceadequovl.exe	30
PID 760 wrote to memory of 320	760	voiceadequovl.exe	30
PID 760 wrote to memory of 1856	760	voiceadequovl.exe	33
PID 760 wrote to memory of 1856	760	voiceadequovl.exe	33
PID 760 wrote to memory of 1856	760	voiceadequovl.exe	33
PID 760 wrote to memory of 1856	760	voiceadequovl.exe	33
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 1856 wrote to memory of 1504	1856	cmd.exe	35
PID 1856 wrote to memory of 1504	1856	cmd.exe	35
PID 1856 wrote to memory of 1504	1856	cmd.exe	35
PID 1856 wrote to memory of 1504	1856	cmd.exe	35
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34
PID 760 wrote to memory of 1328	760	voiceadequovl.exe	34

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      PID:1328
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:1600
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        
        PID:832
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:524

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
238.1MB

MD5
6a3ea0a86dcc04161facc79b8e5c05d1

SHA1
09d6ad830acd8245c17675037a4269dc743c8254

SHA256
1192c0c732693d8408cb9398f71b740258f3092c04e818ef15afa4bc22c76f71

SHA512
383bd84f8246f67b0b1bb886a9f5414ac430215f38282e85a78e99c4a1d30a2466db5d2a69b39451d6dbbbfa5b4df709f073f05dd4326c6c50d59eeb979b4f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
351.7MB

MD5
32ac13791d32f7d100245d2adaadcb8d

SHA1
c60e0b8af3328c4b7f5c38a580846747c214eb2d

SHA256
3862428068591fef14a507f3fd08c5b130e2561c2c2c6d545eba6151d3ccee7b

SHA512
3407840e6400c7fa9fed422b6d6de099f3886016a71a1052dd6fdf24fd295c6193261a4d0fdb16d17b52af7e93578f03166ca119b0076562616e52730b1f9128

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
50166a7d99ea2ef1b4532cd9cb9c9cfe

SHA1
0c2f171d8473f9901c4246eb0f5683bb5e8279b0

SHA256
d9ad04c985df1d105bbe14410e4b65d9ad6f22ad184d594f76f366f4109da717

SHA512
0b4c3cc54a1435a9896eb4bdffb0bd9ada497c87ae7943e51775ba0d2189848e0ca1e8477fe2c1d186fc9a58cbdeec64df52b61cc731d9d6fd66145723654244

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.1MB

MD5
98959cd7127322d2771d701a667f65bf

SHA1
a8e5ffeaed39028b4047d5b110cea8b96d842307

SHA256
f3def768291a46b3ff6f54ad8653fb699929f6f42c89553c180dd3905412acd2

SHA512
465c81f089910e3f90bbf5f67f3965d82d20df5f4a53d907bead6fcf77ddfeb63de5821aee10257d800ce24be62d96de63bbec82cc74f7c99a903d79b0f8d7d5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
238.4MB

MD5
0091cea8f3b5162a58740ad12d7d7cf1

SHA1
a28a1566e50e91b953c063efde0004dd7486a451

SHA256
89ac6a9138ab668805b7f691f7900da8d70e4743fe86e4c31dd5eb0434f31035

SHA512
3d75862bfc6ebcbd4828d6ccef4ce800515f922c5cb7374ae4bda9f6fe6a2df4f1fca5e3306730d22c90a9558d738b0c217a006bfdfef830980fe2014b61cbb8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
65.7MB

MD5
d747941e7e1453560b22dbd532b4c173

SHA1
6a0b0eeb63ead91bd792dcd50f76fb4ef0fdbb65

SHA256
9bb913c351b749d6c900576788814e29bba662df9b5754ea62d7cf66a309e56b

SHA512
41f489a877067fb2c6780e4e6fa200fe02924e8936fff5ec1bda29fd74532803767df4e762719ab7401d7df3e497c43a1505a12d6055cefb0f5256e88bcf9edb

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.8MB

MD5
a235d3694b35b2e33d6e3764ea74c890

SHA1
1187900fa2a5f6574f0e0d6bec3b82952716e59d

SHA256
4db6f1d3462c21f320839448195115bb809b42bc000feb3d5fef3543900c30aa

SHA512
637de7a67e85f3992234408eeb56bfaa79d597e7c9315604bf630ba92b10045e8a81f87863b356ec0c9f1574905e870d1ac5e12bb39f607f34644ff404d0f655

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.7MB

MD5
4863233eb5ca2bbc8ea3a137a79dab1a

SHA1
cbbc29555b57a5dd1acdd613851a81c4ad8d8d92

SHA256
7935aceebc5ae739abf9225d25ca3571f3747fafbf5e1833f1388b1a3d5b5929

SHA512
fcf0b25bc6b5f8acf54810906936b56a002802c337292840057b437fd4eb625797beaa8b11c66baf771bb906ebafd0be94cc503651528398b1356ee16dc7a085

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.9MB

MD5
caf2a4d426bf09710b859eb460d05329

SHA1
1acb3f9b847937c141b12e7f72a660331d216586

SHA256
f03be43b53d92da2eda6b34663b6e92cd9bc28e08eb36b4ed7fc704bf54f2cf5

SHA512
ce87937226cd0af56505ddf5c6dae1019cc94c8effa5a0df803ed7e0367bd910465fa8a037a0fea3cfdd8cba020ab479d9f976f5e93eda8530b8db1a18c1bce8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.7MB

MD5
be5bde58a08d6d533c7b7234a970a7dc

SHA1
f7d0dc4ffd0014e8036538dd82bf1d1e8e3dd184

SHA256
3adc28d0299d8ea6300efe7696b48fc0e1434a4794bf4b541911e25f5eec1c99

SHA512
2885bd3f5fef187905432e3d1997bfe7b619a9e717bd49f2a617b172b3fca4ac435ce94da2d0f0b49106e5ceb335d51692eb35db349a84730560ddb29fbe406e

Download Submit
memory/320-69-0x000000006F700000-0x000000006FCAB000-memory.dmp

Filesize
5.7MB

Download
memory/320-70-0x000000006F700000-0x000000006FCAB000-memory.dmp

Filesize
5.7MB

Download
memory/320-71-0x000000006F700000-0x000000006FCAB000-memory.dmp

Filesize
5.7MB

Download
memory/760-65-0x0000000001030000-0x00000000017A4000-memory.dmp

Filesize
7.5MB

Download
memory/760-73-0x0000000005490000-0x0000000005602000-memory.dmp

Filesize
1.4MB

Download
memory/760-66-0x00000000065A0000-0x0000000006940000-memory.dmp

Filesize
3.6MB

Download
memory/1328-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1328-99-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-95-0x0000000073A50000-0x0000000073FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1504-94-0x0000000073A50000-0x0000000073FFB000-memory.dmp

Filesize
5.7MB

Download
memory/1772-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download