aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
133s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/868-66-0x0000000006530000-0x00000000068D0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

2016 voiceadequovl.exe
868 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

2016 voiceadequovl.exe
2016 voiceadequovl.exe
2016 voiceadequovl.exe
2016 voiceadequovl.exe

pid	process
2016	voiceadequovl.exe
868	voiceadequovl.exe

pid	process
2016	voiceadequovl.exe
2016	voiceadequovl.exe
2016	voiceadequovl.exe
2016	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1128 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 868 voiceadequovl.exe
Token: SeDebugPrivilege 1128 powershell.exe

pid	process
1128	powershell.exe

description	pid	process
Token: SeDebugPrivilege	868	voiceadequovl.exe
Token: SeDebugPrivilege	1128	powershell.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 2004 wrote to memory of 2016	2004	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2004 wrote to memory of 2016	2004	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2004 wrote to memory of 2016	2004	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2004 wrote to memory of 2016	2004	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2016 wrote to memory of 868	2016	voiceadequovl.exe	voiceadequovl.exe
PID 2016 wrote to memory of 868	2016	voiceadequovl.exe	voiceadequovl.exe
PID 2016 wrote to memory of 868	2016	voiceadequovl.exe	voiceadequovl.exe
PID 2016 wrote to memory of 868	2016	voiceadequovl.exe	voiceadequovl.exe
PID 868 wrote to memory of 1128	868	voiceadequovl.exe	powershell.exe
PID 868 wrote to memory of 1128	868	voiceadequovl.exe	powershell.exe
PID 868 wrote to memory of 1128	868	voiceadequovl.exe	powershell.exe
PID 868 wrote to memory of 1128	868	voiceadequovl.exe	powershell.exe
PID 868 wrote to memory of 920	868	voiceadequovl.exe	cmd.exe
PID 868 wrote to memory of 920	868	voiceadequovl.exe	cmd.exe
PID 868 wrote to memory of 920	868	voiceadequovl.exe	cmd.exe
PID 868 wrote to memory of 920	868	voiceadequovl.exe	cmd.exe
PID 868 wrote to memory of 1672	868	voiceadequovl.exe	voiceadequovl.exe
PID 868 wrote to memory of 1672	868	voiceadequovl.exe	voiceadequovl.exe
PID 868 wrote to memory of 1672	868	voiceadequovl.exe	voiceadequovl.exe
PID 868 wrote to memory of 1672	868	voiceadequovl.exe	voiceadequovl.exe
PID 868 wrote to memory of 1672	868	voiceadequovl.exe	voiceadequovl.exe
PID 920 wrote to memory of 1940	920	cmd.exe	powershell.exe
PID 920 wrote to memory of 1940	920	cmd.exe	powershell.exe
PID 920 wrote to memory of 1940	920	cmd.exe	powershell.exe
PID 920 wrote to memory of 1940	920	cmd.exe	powershell.exe
PID 868 wrote to memory of 1672	868	voiceadequovl.exe	voiceadequovl.exe
PID 868 wrote to memory of 1672	868	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1940

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1672

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
8aa12cbc8cc2920a4b48da2e77d4fc6f

SHA1
83e362dc0b0b30eb73e64b7a7cd44086228109ea

SHA256
3b42e217fee7b59a06ed23c85e9b2ad55c4712dc7cc8e60caaaf3f02b7939807

SHA512
543cfc6dd1274115588475bb82b57c765ce81ea12cde03be3fd3b22aa6097983b5b81d360e3ba6c5a911ccea89261599f5cbf96cc3d9c7057b82a86502bb6411

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
222.9MB

MD5
740cd6bf08c6135e399282094e184841

SHA1
c9179227f47d197c541be59a3e5ec3d54a5f6468

SHA256
f78069468958af55426b014bb196a500edd2c9ea54acc2f549f9f43185dec3ec

SHA512
ac28c802dc13411f704720b523cbb400e07e4d1dfd0bd1130275c2ccb122f96f5dd6ab3ee398c2a9b83a0d3464aaf659ec0117748509f8f326b2f3115ff30caa

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
229.0MB

MD5
1058e6af7a12002968fe963af446b012

SHA1
e27121c5e338d09810db67bc318ee26eb6f3bd07

SHA256
c2b2d41f8dc1e9e3be9f8fc506c86fe3bac716896434788c789d3dfb064b7f09

SHA512
d8f758ac9b5e4b0b52a79f1e8e1b76d67f3417a3341cc5511b714a5269158ce8ad049e4372a15329ba1e4a8ad10aa533b3a1fadf7574815d7a8623fdb2d3bb11

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
28.4MB

MD5
31117a5adc496c68dbcf3e4ea60d2bd6

SHA1
32e8ed24fe6be21c9e5001aa20a3a0ae133915ec

SHA256
397ff2001b26ab1bff4f9981f3aaa7722613081817b46b6c42321b4b09d74a24

SHA512
f06aea31c95aa88dc4e6ed00ccfbdbb2f01d6f8d6dd68f8e4b429e6805995f5559a01092e49a3435f5178c68173333f67023bf4a8f2953f6bdaa33dd2c43acb6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
242.3MB

MD5
fd6dd6f1d5c1bf88dc97c94703b84916

SHA1
6999780b84b6af4d45a16d319fc32138844a58ae

SHA256
be0757a24b67a5231d171b86791b1d57e313ec26bf1498dad3ae7a5b5ddc57ee

SHA512
a5a14111db7b540894327338e189d0bf7adf18a2f24d0ae7c17e97d70d96d506cefe2c4d0f2f08dbc5f3dce10926bb9b82dd772b728539d02b6c0a8652f1bdc1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
251.3MB

MD5
1561d572d414ec4c5e87f70242c8a206

SHA1
147c9d07581c0cfd21b0d874161aafa6206fe76c

SHA256
f0cc3ce1ff54f5423907ce35a512e74e11d994274b998b75d2c5c4b613a30961

SHA512
cb250d29094c66cc04ef36e6901ab6dd2c96b99b9687eb83b7afdfc85ca5a20eba64710217265b5a022837b308f55d71393930ae13270228914aa0de2b6459d4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
243.8MB

MD5
ee2edd6e2d5b2251a476a6b6271626cd

SHA1
54c38128f575e281be2c961f7e9730ef09f4da6e

SHA256
d70ff8c2d6fa829521b23a78a4119ec3cd184a4fb8b83f30094768e068337710

SHA512
8a11137a740170f40d149aa9dd58a904be256b7638ce84055b3315909ff76bda75fe6e1ea59093504b049a05f64d67be8c2cec77ccea52bcb52b9ae99ca75109

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
239.6MB

MD5
7acf0418de36d8657a000b633d6884cd

SHA1
e88b16d1f58ea72f6f843396d658cc128c6a434d

SHA256
ecffaeee1ac04e90960eed88f3b5ca36f7965386650a15fdbbb3d0f954933eaa

SHA512
25c2efbb5499b2e1d216a40435508233d0978e94a05e04aa5b3436290d43a969851debc19bf72ae21426d8f588d49569bc51248eb3ddae23726803592156a886

Download Submit
memory/868-73-0x0000000005430000-0x00000000055A2000-memory.dmp

Filesize
1.4MB

Download
memory/868-65-0x0000000000B80000-0x00000000012F4000-memory.dmp

Filesize
7.5MB

Download
memory/868-66-0x0000000006530000-0x00000000068D0000-memory.dmp

Filesize
3.6MB

Download
memory/868-62-0x0000000000000000-mapping.dmp

Download
memory/920-72-0x0000000000000000-mapping.dmp

Download
memory/1128-67-0x0000000000000000-mapping.dmp

Download
memory/1128-69-0x000000006F5E0000-0x000000006FB8B000-memory.dmp

Filesize
5.7MB

Download
memory/1128-70-0x000000006F5E0000-0x000000006FB8B000-memory.dmp

Filesize
5.7MB

Download
memory/1128-71-0x000000006F5E0000-0x000000006FB8B000-memory.dmp

Filesize
5.7MB

Download
memory/1260-96-0x0000000000000000-mapping.dmp

Download
memory/1672-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-89-0x0000000000464C20-mapping.dmp

Download
memory/1672-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1672-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1940-90-0x000000006F340000-0x000000006F8EB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-76-0x0000000000000000-mapping.dmp

Download
memory/1940-94-0x000000006F340000-0x000000006F8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2016-56-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/2016-54-0x0000000000000000-mapping.dmp

Download