aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
137s
max time network
149s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1128-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1360 voiceadequovl.exe
1128 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1360 voiceadequovl.exe
1360 voiceadequovl.exe
1360 voiceadequovl.exe
1360 voiceadequovl.exe

pid	process
1360	voiceadequovl.exe
1128	voiceadequovl.exe

pid	process
1360	voiceadequovl.exe
1360	voiceadequovl.exe
1360	voiceadequovl.exe
1360	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

268 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1128 voiceadequovl.exe
Token: SeDebugPrivilege 268 powershell.exe

pid	process
268	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1128	voiceadequovl.exe
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1332 wrote to memory of 1360	1332	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1332 wrote to memory of 1360	1332	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1332 wrote to memory of 1360	1332	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1332 wrote to memory of 1360	1332	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1360 wrote to memory of 1128	1360	voiceadequovl.exe	voiceadequovl.exe
PID 1360 wrote to memory of 1128	1360	voiceadequovl.exe	voiceadequovl.exe
PID 1360 wrote to memory of 1128	1360	voiceadequovl.exe	voiceadequovl.exe
PID 1360 wrote to memory of 1128	1360	voiceadequovl.exe	voiceadequovl.exe
PID 1128 wrote to memory of 268	1128	voiceadequovl.exe	powershell.exe
PID 1128 wrote to memory of 268	1128	voiceadequovl.exe	powershell.exe
PID 1128 wrote to memory of 268	1128	voiceadequovl.exe	powershell.exe
PID 1128 wrote to memory of 268	1128	voiceadequovl.exe	powershell.exe
PID 1128 wrote to memory of 864	1128	voiceadequovl.exe	cmd.exe
PID 1128 wrote to memory of 864	1128	voiceadequovl.exe	cmd.exe
PID 1128 wrote to memory of 864	1128	voiceadequovl.exe	cmd.exe
PID 1128 wrote to memory of 864	1128	voiceadequovl.exe	cmd.exe
PID 864 wrote to memory of 956	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 956	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 956	864	cmd.exe	powershell.exe
PID 864 wrote to memory of 956	864	cmd.exe	powershell.exe
PID 1128 wrote to memory of 1656	1128	voiceadequovl.exe	voiceadequovl.exe
PID 1128 wrote to memory of 1656	1128	voiceadequovl.exe	voiceadequovl.exe
PID 1128 wrote to memory of 1656	1128	voiceadequovl.exe	voiceadequovl.exe
PID 1128 wrote to memory of 1656	1128	voiceadequovl.exe	voiceadequovl.exe
PID 1128 wrote to memory of 1656	1128	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:956
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1656
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
249.1MB

MD5
4d15d5a14550c7a5a58a805a914b0b23

SHA1
044fc246369ca151974bfc8f1554207e417388a9

SHA256
335b8eb8148f5f77178e612bd7b6143bec5bd3e71b9c22187a7f5df2600f6305

SHA512
48da1e1dd18d3c694059da9d2017c37570e3533b950c7560a8393aedf4b4595c0af2d1f19290c10e666e5f8d42dcd668d239309e5ce6bcdd01cfe97b791f7a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8f7a92c127507db2edc39a818004f688

SHA1
340883bb86fb84562dcbfa1a868be086af35bbc0

SHA256
e6d4d1318943239437f9921158dcc707cf2e89f9bea0b5a77aa380ca1e5ccec8

SHA512
9716f9030888a9ebebdd82d058e53c296c1e93d9162a6b54cedd3875ac82b716cd7c77f6400e1b24fedd170ea6dfb444a6584bb89ab42983e23b6581083e2075

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
229.7MB

MD5
c78dbc4dd99a219038a222a6f54c964d

SHA1
2fb81ba27693bba2e67852ca2d5eaa36ca5e780c

SHA256
bce731978512d02525234a28c34fe91d257a0653672f8455cb4cb9956f278c9a

SHA512
1460241ca209618b52a59041a299e4ab0e4aa4aaf3342bb4c55447d599a36b4725fb8988defc70ec6f194d517d31c1ebee97b8bca001818675dd84872bd6b466

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.9MB

MD5
af15ddb82bab00425707a75795cb273b

SHA1
344ed57a0605963e614b8c2d8d626ef2f85f235b

SHA256
b19e3bcf04dd9eb618b05390e4f16cf7cedf3ee3b4a1b72594b70f6b8c5e8ae3

SHA512
c86aa71c7e24900811b9676d47c6b6cfea3ab438c29d839609a5ed0e1d146066834e117508da27d781358a392342b3510101209ec8d2b5021614e6e60b4a159f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
14.1MB

MD5
0f9a0e061e1c5e61c310f1498b38e2af

SHA1
b3b06e2fd21d66e73166540c46218bc1bc6cba04

SHA256
0ba531b951ce05c242f6822d8ca10f595594776e08cfb82851224f884f91502f

SHA512
f9f2188f8cafc59559fc564867705ec576088713b472cab3f44087e0a3af2c0bd745fb7688125deaa0176685b4e2674f4afd109ce86557e00036c80b761f452a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
279.7MB

MD5
bdaf112fbad3fbc08fd5a843ae544bf6

SHA1
70ae3ba2a75050fba63994eab403802b71602898

SHA256
04556298b3865bfb28da353d09c00f2fbadf22b826db9c273835a0fdf751456b

SHA512
f7c299cc8cee965f2bf1f06f04fec0097af34854a8fb06931714fe6437dd6b14cd63fe806b1be55d1c8398aea7edb924f8807b584d14906b444631c06c0843d0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
281.4MB

MD5
6798472d90ce0bbc6be3020281446a0f

SHA1
65cd3e82727e8d92f139cca905e40391c32bb1aa

SHA256
2eb72373d5209e3cdc6dd3e2cab4ec2d33a995f8387e1294222eb06c2b0d2c15

SHA512
e28c96aff36e2b682aec82b6066991c018def44534636642a68b4e53794623a2ff92e10d41d0e73e4e8c0043e45ad436ad6dfea0803a3e6f4b8e874cc5e74f22

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
269.8MB

MD5
995780816137eec101d50c8e090f3a71

SHA1
6451df478a69704c38847e111721c4dfe9080651

SHA256
3a463b514665baf1429d360b8311932f46f36c58aa24f4a8c9a0d840db84e485

SHA512
caadd431600830dee2c8259ac3514e084a3e66a33380ae07401af4659e242c4457aa1b1887adff77fbb33cc54e8d95856f1819b3bc6d4ca7c43f13b25e192161

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
289.7MB

MD5
3279a5f205d961d449879a2fb133dba9

SHA1
a8364ca51ba4905364a2cce880ea5a7b9ede0d4a

SHA256
8932891f4c62c60b4574d21884d5df39820424ed2f3d98e95cc488ca7dbb852b

SHA512
f4d1ce92548d699eecd7e95ff9e0acd66bc126cd32a8ef32f3d8fb42a4f5e9e3516b2496bed5451555f6d543170cc1c122ca594a5c81f1f97303d3f6e5c73f9a

Download Submit
memory/268-67-0x0000000000000000-mapping.dmp

Download
memory/268-69-0x00000000700A0000-0x000000007064B000-memory.dmp

Filesize
5.7MB

Download
memory/268-70-0x00000000700A0000-0x000000007064B000-memory.dmp

Filesize
5.7MB

Download
memory/268-71-0x00000000700A0000-0x000000007064B000-memory.dmp

Filesize
5.7MB

Download
memory/864-72-0x0000000000000000-mapping.dmp

Download
memory/956-74-0x0000000000000000-mapping.dmp

Download
memory/956-84-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/956-96-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/1128-73-0x0000000005550000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1128-65-0x0000000000F20000-0x0000000001694000-memory.dmp

Filesize
7.5MB

Download
memory/1128-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download
memory/1128-62-0x0000000000000000-mapping.dmp

Download
memory/1304-95-0x0000000000000000-mapping.dmp

Download
memory/1360-56-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1360-54-0x0000000000000000-mapping.dmp

Download
memory/1656-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-90-0x0000000000464C20-mapping.dmp

Download
memory/1656-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1656-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download