aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
142s
max time network
154s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1552-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1056 voiceadequovl.exe
1552 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1056 voiceadequovl.exe
1056 voiceadequovl.exe
1056 voiceadequovl.exe
1056 voiceadequovl.exe

pid	process
1056	voiceadequovl.exe
1552	voiceadequovl.exe

pid	process
1056	voiceadequovl.exe
1056	voiceadequovl.exe
1056	voiceadequovl.exe
1056	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1348 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1552 voiceadequovl.exe
Token: SeDebugPrivilege 1348 powershell.exe

pid	process
1348	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1552	voiceadequovl.exe
Token: SeDebugPrivilege	1348	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 1056	1972	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1972 wrote to memory of 1056	1972	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1972 wrote to memory of 1056	1972	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1972 wrote to memory of 1056	1972	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1056 wrote to memory of 1552	1056	voiceadequovl.exe	voiceadequovl.exe
PID 1056 wrote to memory of 1552	1056	voiceadequovl.exe	voiceadequovl.exe
PID 1056 wrote to memory of 1552	1056	voiceadequovl.exe	voiceadequovl.exe
PID 1056 wrote to memory of 1552	1056	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 1348	1552	voiceadequovl.exe	powershell.exe
PID 1552 wrote to memory of 1348	1552	voiceadequovl.exe	powershell.exe
PID 1552 wrote to memory of 1348	1552	voiceadequovl.exe	powershell.exe
PID 1552 wrote to memory of 1348	1552	voiceadequovl.exe	powershell.exe
PID 1552 wrote to memory of 1808	1552	voiceadequovl.exe	cmd.exe
PID 1552 wrote to memory of 1808	1552	voiceadequovl.exe	cmd.exe
PID 1552 wrote to memory of 1808	1552	voiceadequovl.exe	cmd.exe
PID 1552 wrote to memory of 1808	1552	voiceadequovl.exe	cmd.exe
PID 1552 wrote to memory of 1664	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 1664	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 1664	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 1664	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 1664	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1808 wrote to memory of 1796	1808	cmd.exe	powershell.exe
PID 1808 wrote to memory of 1796	1808	cmd.exe	powershell.exe
PID 1808 wrote to memory of 1796	1808	cmd.exe	powershell.exe
PID 1808 wrote to memory of 1796	1808	cmd.exe	powershell.exe
PID 1552 wrote to memory of 1664	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 1664	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 1664	1552	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1796

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1664

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
249.5MB

MD5
ed3e1387d5ab1ae3430f5c2ae5074cff

SHA1
65e22f4d01d4efe65392ecdfad04cde05ab32303

SHA256
afbd5294e54241c9c574a98ef6f65a1039c9fbb9357a3aa3b2e4e705e05356db

SHA512
6ff017ce7ff655e5850d2e868a148ab1be8f6530459a80b0450af670306209489362759491a99f01da5fcfd4aa38e688691d00e57d34890e354c00a5d0facc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
bb11fba6cbc5eb7225cc354af454de9d

SHA1
4285c298090da60e17a84e906a4f33bef6f18681

SHA256
90f053d827fc01040ab7af108eb631c9fba6537bff1d0c0f56d0bf4e191c23b0

SHA512
c4d1e96dc0e49ca8985882234ce07a6322b7fd04e3610bd68ca2accde0488b155ede5fb07b8c0aee8295e97fd0d4627daed592eb49ee748a20b2d0091d03e3ed

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
220.4MB

MD5
1bdbc77cce2b7acc68643b406513dda3

SHA1
6c1bf537147ee7526a42f78178ded02487508b6b

SHA256
52e38ad55987b54bb909b5fb36d394bfd1f2210996c559fc9f14ee12e8114dc1

SHA512
8e3f303f10a851f77a309b0a9958f9068277ad3392404d0bdff2138066049341ca5e8d088d4b1f7ad11a57a15d0b49f9630575ca65b2249f2e93c04b2902f089

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
220.7MB

MD5
4fd44663f64a5f1f52f809ad6256be6c

SHA1
2936c551ae9d092b4c1eeb69ae033dfcc38990d7

SHA256
04e1e051a5302e694f8f4bd98834c4d4482af7b03f5df11ba43911c6e47c10ad

SHA512
97a4ec8d650d296ed7ddcf914ac329efbf60a8188c3dcf810fd509474fc042b1535510f80824b82acf2cacc55cd8b36f05e6111db29ef067f922ca74613865e3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
7.4MB

MD5
998fd3f476e30ccc4590384f7a1f414a

SHA1
6285c943daee7b9a5ecb3495bda7f48bab89055c

SHA256
fba21a41d2e69aa6f646bca3ef46355188067ee0129313660b2b153ae344f713

SHA512
b5c65724019e21d82e3d4179bf60f60f91773c9b801c4cf37a418f18f4f3c1f68bf5004ff2d86e2f8fde269a73344df5017b912c507bdc8e3f35ee7059d94ea0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
244.8MB

MD5
c7e57c586b16a9eef51ab116d4bf0daf

SHA1
b8cf1361734ebd296b8759bb13ed5b7e7b423f6a

SHA256
5ac3c0fadfb3d11b655560aaf19efa94a8718dcd0c842d7ffb07419eccb4f7d2

SHA512
458dfb7d476683b7b9f6d11593f4f32f9dbee2a4a603947b791d5d0502d177f0d2f3e66be57d39c66efa45503aa0eb065b955f09d5697caa5a84d08d11701aae

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
249.4MB

MD5
9540d7358137a8ac61e616c87e42d98f

SHA1
7c4eaf5536f636360c8fb0aec12a953ebf8a38ac

SHA256
e859cb6e71cc41ab56ab88b31f33617cfde0cbc856d7b1f70e2d809ffe54bf29

SHA512
b6f8ffd93d7ff145cd703adfe737a0a31cb7f92b76a277f32e688f18e0b6f60e19bad6ce0e704d05207ce37490c81e7f9f8af0782951edfe5c0b71a0bd018d08

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
237.8MB

MD5
da1d91a6ccac6d8060299085659f9626

SHA1
32c61dfd38967c757fe48318a3c8760df1ac559b

SHA256
570c96288ef4630242b68295b34bbbbd23ebf41aeae09188a03ecf74c367e7f1

SHA512
3b57db1d1b8c68eb2d84792ab1c8e120b5d0b89d056b9facd71e973ca985858ed66fde9c7f51f67a869bcf09a42ab7ad8716f81ba1f0bd6123b708ddd8879c23

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
239.7MB

MD5
3f6842383856ef9e54f9b06d88e78b03

SHA1
cf68fd04f346a23a0b6ffcb5b3e64084c8df2e80

SHA256
baaf955d1dd90c855af63ed636a9a5a526469e010a183a55555f48a2df5ea30d

SHA512
8fa75268e50d8c594c18663a85bf1692d25608941e9c709cf3148efed9cacfa7f0ff5e8e90c05f151c93fd05bc313d29377d7f4609e31d56aa5e5d9dc93efca1

Download Submit
memory/1056-54-0x0000000000000000-mapping.dmp

Download
memory/1056-56-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1300-96-0x0000000000000000-mapping.dmp

Download
memory/1348-67-0x0000000000000000-mapping.dmp

Download
memory/1348-69-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-70-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-71-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1552-62-0x0000000000000000-mapping.dmp

Download
memory/1552-73-0x0000000005330000-0x00000000054A2000-memory.dmp

Filesize
1.4MB

Download
memory/1552-65-0x0000000000930000-0x00000000010A4000-memory.dmp

Filesize
7.5MB

Download
memory/1552-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download
memory/1664-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-89-0x0000000000464C20-mapping.dmp

Download
memory/1664-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1664-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1796-90-0x000000006F170000-0x000000006F71B000-memory.dmp

Filesize
5.7MB

Download
memory/1796-76-0x0000000000000000-mapping.dmp

Download
memory/1808-72-0x0000000000000000-mapping.dmp

Download