aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
79s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/952-66-0x0000000006420000-0x00000000067C0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 4 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1988 voiceadequovl.exe
952 voiceadequovl.exe
1944 voiceadequovl.exe
472 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1988 voiceadequovl.exe
1988 voiceadequovl.exe
1988 voiceadequovl.exe
1988 voiceadequovl.exe

pid	process
1988	voiceadequovl.exe
952	voiceadequovl.exe
1944	voiceadequovl.exe
472	voiceadequovl.exe

pid	process
1988	voiceadequovl.exe
1988	voiceadequovl.exe
1988	voiceadequovl.exe
1988	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

voiceadequovl.exe

description pid process target process

PID 952 set thread context of 472 952 voiceadequovl.exe voiceadequovl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exevoiceadequovl.exepowershell.exe

pid process

1184 powershell.exe
952 voiceadequovl.exe
952 voiceadequovl.exe
1000 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 952 voiceadequovl.exe
Token: SeDebugPrivilege 1184 powershell.exe
Token: SeDebugPrivilege 1000 powershell.exe

description	pid	process	target process
PID 952 set thread context of 472	952	voiceadequovl.exe	voiceadequovl.exe

pid	process
1184	powershell.exe
952	voiceadequovl.exe
952	voiceadequovl.exe
1000	powershell.exe

description	pid	process
Token: SeDebugPrivilege	952	voiceadequovl.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1628 wrote to memory of 1988	1628	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1628 wrote to memory of 1988	1628	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1628 wrote to memory of 1988	1628	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1628 wrote to memory of 1988	1628	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1988 wrote to memory of 952	1988	voiceadequovl.exe	voiceadequovl.exe
PID 1988 wrote to memory of 952	1988	voiceadequovl.exe	voiceadequovl.exe
PID 1988 wrote to memory of 952	1988	voiceadequovl.exe	voiceadequovl.exe
PID 1988 wrote to memory of 952	1988	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 1184	952	voiceadequovl.exe	powershell.exe
PID 952 wrote to memory of 1184	952	voiceadequovl.exe	powershell.exe
PID 952 wrote to memory of 1184	952	voiceadequovl.exe	powershell.exe
PID 952 wrote to memory of 1184	952	voiceadequovl.exe	powershell.exe
PID 952 wrote to memory of 1636	952	voiceadequovl.exe	cmd.exe
PID 952 wrote to memory of 1636	952	voiceadequovl.exe	cmd.exe
PID 952 wrote to memory of 1636	952	voiceadequovl.exe	cmd.exe
PID 952 wrote to memory of 1636	952	voiceadequovl.exe	cmd.exe
PID 1636 wrote to memory of 1000	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 1000	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 1000	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 1000	1636	cmd.exe	powershell.exe
PID 952 wrote to memory of 1944	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 1944	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 1944	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 1944	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe
PID 952 wrote to memory of 472	952	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:472

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1592

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:1924

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
315.4MB

MD5
55ae0c04cc546d3e5235846f86c25388

SHA1
85de1f2ce17361036eb78552d9bf56865021807a

SHA256
8fb7c2f4a9e74e06f360a1c67fa191e50d5640da1c303233d7a5120912db19d4

SHA512
fad2792d7164430749afbec53721d7a86f2b21bc351e7b75bd690e1aa6b16556c6798e81bbde3d6048117cca2d1a275e9bf39dd41414e8b88df915d1b51140ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
307.9MB

MD5
cff1507835bfab500a2246e9116d9ec1

SHA1
b9fe88dd29135b09f18130155cc7e7e7c02bd68e

SHA256
09c21185a07456305e43f8aad5819a3dc9ec5a5b1711c96e9e6f6b69d6d8a5e0

SHA512
d41ee00c581b837db013ae25ef5b170d307319f2595ce733bf9ec42f5b1b98f374de9b89f4c610a490faf90f833f53aca0baa341eebcb07ee3b5aab2fadc80bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
1ccbcd2a6be3018f4544ebbe2c5a075e

SHA1
272045061f79e0e90fe7e1babf0f37acda71bdbb

SHA256
105b80f20732622495f3b50504f43c82bca393e9ce82a18f5c20c0b9213f8aa6

SHA512
7f305cf7a6ed0e45ba9490dcc940b4f9a945e0c4ceece539f93be8fdeb0344357cc7d565f60b9bd7ac022d89d5944b4697f21434d8005f565edf11294626973e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
193.0MB

MD5
8bac2afd16a17bf428e35295cc47c9db

SHA1
46fa2a38694fd9853c3700f15fc058789d6a8334

SHA256
098097e59c2df893fb5c58646f1c6a65ea8e53214423d1eec879a7c330eaa0e2

SHA512
f642f289121cdbe17c358af7207d02b91de27d5d4a92954d48f82acee1fd4294067d243873f9d05472b95e0c3adb73b1997109262988b737d78b1bc168647252

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
205.0MB

MD5
32e69bc883fa5176bd126ecca0e1c3f9

SHA1
b52ba24550e13104af8c86100180e0253ea2d2b9

SHA256
eb5b7716ccbaf215a4fc7c42e1b8ad39c7235b1eefc3bf0e17264d26eabbe254

SHA512
73ed427c468dec9dddb49c883d302028cbfebe7267b4d7353e50bf7bf3bf301efdfa16e38f66a0ec74997dc4a98dd675b249c6b241ff18cefe23e368a337ea7d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
106.6MB

MD5
ef5b458d38cd1e4bbbf42a079fcbf1fa

SHA1
a32b3f3202fffbe8a7a5474fc483b7f1fd8c25bd

SHA256
1cba31a5e4efcf1e639683ce600df2ef1ddea2d858f32bfc1b0d499323bb9878

SHA512
28c6571260af0c7c0c235dfb58a331e28b7fb2b050b53e8485f52c362ee2a8193c5db123d23bc64ef2473df8b8baececd55e21fae24612f1904a834d498f7661

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
105.8MB

MD5
bde91f83ecb1a3ff3eca94f89d40213a

SHA1
8949734438c9f53c850e375b37d8e8d2aeee4c4d

SHA256
2d024133fd4f7f813edc81df12b0a23ee3a5c7b31c2f2d7d9aca2478fb74cde5

SHA512
b211e0e93c43efcc254b6aa866f8b10a334409b0b739dc173e32e575414bdc8d5e53d28e7cf623d99022f6d79c9460bc9c7b1f65a60a8a5603bf76e652a533f4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
206.3MB

MD5
c2d84e22c1db292437084b8633d6adc0

SHA1
4d58ff1292b9cc3a0150ed777c7040e09518e3e5

SHA256
bc42d9ccb973ef3c922b501abb43684db727d7b30115368c9bc2921c764e3097

SHA512
f2a62bdc8d32e77e430135f71339cf69f813368246966527c5f7400087be3a9ac9674ae7b0f7b677835401cbc153cd0091b4dcf89c7a3ccf38c09db9c80f5767

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
206.9MB

MD5
bf179ba2a2ab083755fb65210673cecc

SHA1
484747b441744010d7e10dbcd67cbe4ee79ce43a

SHA256
57ef8678be679765c06034b54b9b21925a856512cfcc8abef0f5dd3817c6914a

SHA512
c220d5c92104226792ea742487c451ce2471885608a7bac0f8ef813129e32673bfb098f160e916019e13151806399db8ca2803ee706ab414327995dd0ec6d51f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
176.7MB

MD5
b1375748973702cd90c9e658871e5466

SHA1
b15b986770dca95128451ba60484436dc8f40975

SHA256
c30f498b8713fc46bb28255ed7e89e5c86f99c0ceb642af02b2c43e8af5f572d

SHA512
39aa4446389253710bcf11757b93432dc2f009b8ed9f28674db49814948ca60854acfe3fd3ed92a8b0a37cfeccfed329ed7099d85fa9124c715c99f6bb171a8b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
191.2MB

MD5
43c5c4e26f7ae2f753840abeba09ca73

SHA1
b42e2111ca494856581c2ac4cc2288445eb7a82e

SHA256
fecbb6dce3f4f17b12202e49dcc0e2982bde7f7c90a91f735f174d8850090ac8

SHA512
48c3db06a179b7f8c8d30140f7ea60392ad6f822f5871a8a994cde82beedd76b9c911231370de844fe198a745e23e8acf06d6d8afaab338af7ee2d8749d77045

Download Submit
memory/472-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-98-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-90-0x0000000000464C20-mapping.dmp

Download
memory/472-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/472-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/952-65-0x00000000011C0000-0x0000000001934000-memory.dmp

Filesize
7.5MB

Download
memory/952-62-0x0000000000000000-mapping.dmp

Download
memory/952-66-0x0000000006420000-0x00000000067C0000-memory.dmp

Filesize
3.6MB

Download
memory/952-73-0x00000000052F0000-0x0000000005462000-memory.dmp

Filesize
1.4MB

Download
memory/1000-74-0x0000000000000000-mapping.dmp

Download
memory/1000-96-0x000000006FD30000-0x00000000702DB000-memory.dmp

Filesize
5.7MB

Download
memory/1000-94-0x000000006FD30000-0x00000000702DB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-67-0x0000000000000000-mapping.dmp

Download
memory/1184-71-0x000000006FFE0000-0x000000007058B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-70-0x000000006FFE0000-0x000000007058B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-69-0x000000006FFE0000-0x000000007058B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-100-0x0000000000000000-mapping.dmp

Download
memory/1592-99-0x0000000000000000-mapping.dmp

Download
memory/1636-72-0x0000000000000000-mapping.dmp

Download
memory/1816-97-0x0000000000000000-mapping.dmp

Download
memory/1912-102-0x0000000000000000-mapping.dmp

Download
memory/1924-101-0x0000000000000000-mapping.dmp

Download
memory/1988-54-0x0000000000000000-mapping.dmp

Download
memory/1988-56-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download