aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
130s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/760-66-0x0000000006380000-0x0000000006720000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1868 voiceadequovl.exe
760 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1868 voiceadequovl.exe
1868 voiceadequovl.exe
1868 voiceadequovl.exe
1868 voiceadequovl.exe

pid	process
1868	voiceadequovl.exe
760	voiceadequovl.exe

pid	process
1868	voiceadequovl.exe
1868	voiceadequovl.exe
1868	voiceadequovl.exe
1868	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1752 powershell.exe
1056 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 760 voiceadequovl.exe
Token: SeDebugPrivilege 1752 powershell.exe
Token: SeDebugPrivilege 1056 powershell.exe

pid	process
1752	powershell.exe
1056	powershell.exe

description	pid	process
Token: SeDebugPrivilege	760	voiceadequovl.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 364 wrote to memory of 1868	364	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 364 wrote to memory of 1868	364	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 364 wrote to memory of 1868	364	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 364 wrote to memory of 1868	364	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1868 wrote to memory of 760	1868	voiceadequovl.exe	voiceadequovl.exe
PID 1868 wrote to memory of 760	1868	voiceadequovl.exe	voiceadequovl.exe
PID 1868 wrote to memory of 760	1868	voiceadequovl.exe	voiceadequovl.exe
PID 1868 wrote to memory of 760	1868	voiceadequovl.exe	voiceadequovl.exe
PID 760 wrote to memory of 1752	760	voiceadequovl.exe	powershell.exe
PID 760 wrote to memory of 1752	760	voiceadequovl.exe	powershell.exe
PID 760 wrote to memory of 1752	760	voiceadequovl.exe	powershell.exe
PID 760 wrote to memory of 1752	760	voiceadequovl.exe	powershell.exe
PID 760 wrote to memory of 2016	760	voiceadequovl.exe	cmd.exe
PID 760 wrote to memory of 2016	760	voiceadequovl.exe	cmd.exe
PID 760 wrote to memory of 2016	760	voiceadequovl.exe	cmd.exe
PID 760 wrote to memory of 2016	760	voiceadequovl.exe	cmd.exe
PID 2016 wrote to memory of 1056	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1056	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1056	2016	cmd.exe	powershell.exe
PID 2016 wrote to memory of 1056	2016	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1540

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
32907542777fb824d05d9d2650d18a47

SHA1
f5509cc50dd0a5a71aefd13fc01516809d823877

SHA256
d3bac2578494176f210d2d0b13fecc46b2b110196590c42756d82479cfb7fbd2

SHA512
e049e960701c7213b1b59e05bcc5185b06fbd3e37065dd1ae7693bbca8dcb63580bc53ad31b9b5636453d3da323f7f1c210141e12c5eeb0003225f3aa8cc15ca

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
231.8MB

MD5
33f26be4a3ea87c3cdd9b366888c0210

SHA1
d212d8ee700c2b62589745e8ce3eaee134b92d0e

SHA256
3daeb18894c348a18419d7047bdce4c496348211f566d21f4cff365a4bbe2230

SHA512
77eb958b2f9b50cb1bc93cc195d1b4cb10b316928f74c8c4fa2c27c6047b79dcc2b98c191ab2c079f9b36aede92e8a84d2f6cdf9f1cb9b2f31e343f43a178bdb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
221.2MB

MD5
3f2a466a4405dd4dfe8fea46e0032b0a

SHA1
ebe85cad051b0471202fefcfff5853b140025aa0

SHA256
75be964b268b5886340ec1175baaf2537bf4951da2ea04b2f311259e36928fa5

SHA512
1b8028c01c196d02d326474af076752c5dfc4dde956b3ad067d3a099d9801fb0f4dfb16e736a9dfebab331bfb1028391a73f0a15ddb534634619e18781f6c13a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.1MB

MD5
f3b5bca69f7fe3c65b2b3e515220fbb3

SHA1
8b8d98888a85b4a9d2aec931143673d7e98db4b9

SHA256
0bdebe1738d555f88f6ca77babced26281036a687f3d3234219491705878beef

SHA512
a56c9e94008ab86b4c4298b6a04ea1f2957ae220be8b70d25d55395bb716c2f851b67e387db280d39199c45aec7679377746be0693df30e3ef00e27503a4822d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
257.3MB

MD5
6a5803ecf9bcaee8a7dd67e4412d8f5c

SHA1
5e1949f067ed8f35d5125e59a6864d188056ecc2

SHA256
99b90b2dc99d19984d599bd77d2aa2c2009a57bfe94068a1d2fb3fc87ed13d9f

SHA512
d7e25534c41ed478b835600b1e83ef02d506df8a71be34b9cc7aa22e533aa0b4c2b99c914490abdcf235ab70265d399db9fd1b884d495fa413f19c30e49af9cd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
256.2MB

MD5
5c20016a84adcf16016c9e37e8ff5e69

SHA1
b859a886d4a9527c7a90aa79c45d7543e7f91274

SHA256
e8ae1c958526a6e38c02247bc07090bad38d207ca1c4b39b534207e2a4a12171

SHA512
c521b4519b94475dd53ece84a123c2c549d64474a7a043ff398514e4f6b97fe6daf061c068d92f208d53705c37d0875869c84eee0acdf2b3df86b68840ade7d1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
256.1MB

MD5
ef838c9caae0590a34a9d2580328c7a4

SHA1
d8217d87b59b4582bea51e00192532f8ac189303

SHA256
2d4e27398733d480ace11364f4e0b08829693983ce044e3ab9cc8016f49c47b6

SHA512
f7d3bbd58394176c53f3646da00c1c118244468006cd6544b014383334ad8467030880e93163dc141cf07ccf3ffc4cc227012e2998b81fdc9d23813c9b081607

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
244.2MB

MD5
bcec1ecf3640a76540f56553eed125ae

SHA1
fa9a2d233a0d83d3a6681414852b4d583295638a

SHA256
70bc9d5dd4a2a52b47645508523a5686dc229885822b3d404aaba3f0a49da6dc

SHA512
ef8f1802845a1b2c4f0cbfc0e627d10ec9aa47148042f28dbdfeaddaa86590105f65f1e8f2d89bf47b7ead04f7ec43dabd8f7e49e08c3e8ea9136bb71c805865

Download Submit
memory/760-62-0x0000000000000000-mapping.dmp

Download
memory/760-76-0x0000000005370000-0x00000000054E2000-memory.dmp

Filesize
1.4MB

Download
memory/760-65-0x0000000000AD0000-0x0000000001244000-memory.dmp

Filesize
7.5MB

Download
memory/760-66-0x0000000006380000-0x0000000006720000-memory.dmp

Filesize
3.6MB

Download
memory/1056-73-0x0000000000000000-mapping.dmp

Download
memory/1056-77-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/1056-86-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-91-0x0000000000464C20-mapping.dmp

Download
memory/1540-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1752-71-0x000000006F730000-0x000000006FCDB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-69-0x000000006F730000-0x000000006FCDB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-70-0x000000006F730000-0x000000006FCDB000-memory.dmp

Filesize
5.7MB

Download
memory/1752-67-0x0000000000000000-mapping.dmp

Download
memory/1868-54-0x0000000000000000-mapping.dmp

Download
memory/1868-56-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1996-96-0x0000000000000000-mapping.dmp

Download
memory/2016-72-0x0000000000000000-mapping.dmp

Download