aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
80s
max time network
147s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/936-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 4 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1652 voiceadequovl.exe
936 voiceadequovl.exe
1384 voiceadequovl.exe
1940 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1652 voiceadequovl.exe
1652 voiceadequovl.exe
1652 voiceadequovl.exe
1652 voiceadequovl.exe

pid	process
1652	voiceadequovl.exe
936	voiceadequovl.exe
1384	voiceadequovl.exe
1940	voiceadequovl.exe

pid	process
1652	voiceadequovl.exe
1652	voiceadequovl.exe
1652	voiceadequovl.exe
1652	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 936 set thread context of 1940 936 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exevoiceadequovl.exepowershell.exe

pid process

1448 powershell.exe
936 voiceadequovl.exe
936 voiceadequovl.exe
1076 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 936 voiceadequovl.exe
Token: SeDebugPrivilege 1448 powershell.exe
Token: SeDebugPrivilege 1076 powershell.exe

description	pid	process	target process
PID 936 set thread context of 1940	936	voiceadequovl.exe	voiceadequovl.exe

pid	process
1448	powershell.exe
936	voiceadequovl.exe
936	voiceadequovl.exe
1076	powershell.exe

description	pid	process
Token: SeDebugPrivilege	936	voiceadequovl.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1652 wrote to memory of 936	1652	voiceadequovl.exe	voiceadequovl.exe
PID 1652 wrote to memory of 936	1652	voiceadequovl.exe	voiceadequovl.exe
PID 1652 wrote to memory of 936	1652	voiceadequovl.exe	voiceadequovl.exe
PID 1652 wrote to memory of 936	1652	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1448	936	voiceadequovl.exe	powershell.exe
PID 936 wrote to memory of 1448	936	voiceadequovl.exe	powershell.exe
PID 936 wrote to memory of 1448	936	voiceadequovl.exe	powershell.exe
PID 936 wrote to memory of 1448	936	voiceadequovl.exe	powershell.exe
PID 936 wrote to memory of 1796	936	voiceadequovl.exe	cmd.exe
PID 936 wrote to memory of 1796	936	voiceadequovl.exe	cmd.exe
PID 936 wrote to memory of 1796	936	voiceadequovl.exe	cmd.exe
PID 936 wrote to memory of 1796	936	voiceadequovl.exe	cmd.exe
PID 1796 wrote to memory of 1076	1796	cmd.exe	powershell.exe
PID 1796 wrote to memory of 1076	1796	cmd.exe	powershell.exe
PID 1796 wrote to memory of 1076	1796	cmd.exe	powershell.exe
PID 1796 wrote to memory of 1076	1796	cmd.exe	powershell.exe
PID 936 wrote to memory of 1384	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1384	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1384	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1384	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe
PID 936 wrote to memory of 1940	936	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1604

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d09acccb34a07ee1c6e78ba021367847

SHA1
43756dc6b22ab87ad25fdbfced45a991c553c3d2

SHA256
ab74a8d115c6f416dd49a1cff1b432c4713f8b42bf8a3eee7841858e8725784f

SHA512
20ed154a05cd47a85224725425ab603dd82ec2d48cd68613c972d557a78d5daf08dd378a53a9244d5da6636b9b103e0757c45065ac388a096f8b9d8cf9f3f30e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
185.2MB

MD5
66467bf8f4c3150bed31e59ac4a8a18b

SHA1
b9aa95e6a577946a1af0fb1e10d122cbc6f5c996

SHA256
eeb23253940f8f6aa35f8715c25633c44da591150e5e1f59661a50ba39c489c8

SHA512
8475db807af5439b7a700151d5e0a43a76050110b825f9472bc1882881ecedc3f9d916ffb3579fd12f938a7b20bfe68ceb438ee6a4239f651426599300256264

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
209.6MB

MD5
5909827699333fd2162b87f9b06b42f7

SHA1
a745be89cad5900ef36fff9fefeda7cdf0b45edf

SHA256
ea73af9f24517769121ca4d8bb9f68c5c9238bdacca8283fe67a8deca151bca2

SHA512
21ba533d24039c9bac50f19c8edfa7b7a20f355a43c4bb43501d9c78be28d9fa401edc2e085f236b2ecc7dc48a67e2befffef23bf50624785cfe6a507d9f2b82

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
100.4MB

MD5
996bfffe4160eab432431c63308974ed

SHA1
c9cc560106a21733be2e3f5331ecbb114df50dba

SHA256
123c0912990239b1f62b7f2b1e901c09c8259a26e87c339e0aaacd082818d19e

SHA512
8da21e1dfd83b835e79d31b2dff2467910c14ac62d90e9599e24a93a5668f5f75c6aa4e03c81f90618c38f873e1bae71b8f75705307f109b72a3742f54562f7d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
101.9MB

MD5
22526777cfcba83f747d10736a10e616

SHA1
2f3ab87ee16d868df2a66c6949db6deacf533411

SHA256
1165118afa66981b41b45cd37d40e0a7c8c46a1fa9fe3a35da923c4e2cc91296

SHA512
933df063e81ee2fcd69dfd0a165e31573bd5012d86735458bd29eb07684def060386e4a0455bf97e85142966432e69f2a11985e88cf42b73f868dbe1a79c3054

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
212.8MB

MD5
d4e5116e6f2441d785661926b71905e5

SHA1
bd4415146056624f9751bca5caa2b80fb9e09ccd

SHA256
479493c46d0a0548109fee3287e90059b472f2bc75efba542d88f0184b8aa46d

SHA512
eaf731f0ee7eb122fad4eec43289918bfb2fdf67b8d219205b487d4483e2c1b5a6926ba3c72983f0017d773b6c8f0b0b8aba1fe0f2646d9a3a9d8267ce469732

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
197.7MB

MD5
f23eaff6a11a91df147ab2b7307a96b8

SHA1
500bd6cca5ef96fffbb3a92f298a6cbeaab2be13

SHA256
698d2d91d092c6ac307c6d1f4bb8458b122f6feb1b79911cd9f594758dd65e10

SHA512
12baf263c499c74b6111ec9ecc95d731ae064e188720fe58f1f6e25988062a9851c6f6da3f0948b01b8bf34023e08e39bdd1ddeaf91bd5793f6dfdbaad062c9c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
204.4MB

MD5
57373b33ea8ca2e1442e47246dd969d6

SHA1
1082c2f82fef7d48a1b6685fc503174ae1d90b26

SHA256
df27c6ac4b5b1aa31553840237970b53b0409d764ed131f6ecc2fad1d7d47e97

SHA512
bd0ea446edd4a5ad3277ac5c7c59c5935162051dce59fbbe8c70f26e52ffcaf478e91eeb04e7cfdfbc759755d1b80976950632d9f20ae9f66ecfe70ff6f3f960

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
215.1MB

MD5
23b525a43cfab51883e1127cd0eaa837

SHA1
869e3dc3a32b203fd82f83066d8491288b40af47

SHA256
e21e4ab4dedd0bbbda75144d1fe2e3202a781e48d8783d16c3efc249efd6b4a7

SHA512
97b6789a823ce5e02b042d1b69818c3f23b71ef87d298cebed60c17b43ddab8ea67c65ef8c199851eb862cb7fa5a01b2cca1e2a5136954004663e6a0a622c447

Download Submit
memory/936-62-0x0000000000000000-mapping.dmp

Download
memory/936-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/936-65-0x0000000000DE0000-0x0000000001554000-memory.dmp

Filesize
7.5MB

Download
memory/936-73-0x0000000005470000-0x00000000055E2000-memory.dmp

Filesize
1.4MB

Download
memory/940-100-0x0000000000000000-mapping.dmp

Download
memory/1076-94-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1076-96-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1076-74-0x0000000000000000-mapping.dmp

Download
memory/1448-67-0x0000000000000000-mapping.dmp

Download
memory/1448-69-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-71-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1448-70-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1604-99-0x0000000000000000-mapping.dmp

Download
memory/1652-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1652-54-0x0000000000000000-mapping.dmp

Download
memory/1796-72-0x0000000000000000-mapping.dmp

Download
memory/1940-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-90-0x0000000000464C20-mapping.dmp

Download
memory/1940-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-98-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1948-97-0x0000000000000000-mapping.dmp

Download