aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
123s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1472-66-0x0000000006510000-0x00000000068B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1756	voiceadequovl.exe
1472	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1756	voiceadequovl.exe
1756	voiceadequovl.exe
1756	voiceadequovl.exe
1756	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
548	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	voiceadequovl.exe
Token: SeDebugPrivilege	548	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1756	1016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1016 wrote to memory of 1756	1016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1016 wrote to memory of 1756	1016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1016 wrote to memory of 1756	1016	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1756 wrote to memory of 1472	1756	voiceadequovl.exe	29
PID 1756 wrote to memory of 1472	1756	voiceadequovl.exe	29
PID 1756 wrote to memory of 1472	1756	voiceadequovl.exe	29
PID 1756 wrote to memory of 1472	1756	voiceadequovl.exe	29
PID 1472 wrote to memory of 548	1472	voiceadequovl.exe	30
PID 1472 wrote to memory of 548	1472	voiceadequovl.exe	30
PID 1472 wrote to memory of 548	1472	voiceadequovl.exe	30
PID 1472 wrote to memory of 548	1472	voiceadequovl.exe	30
PID 1472 wrote to memory of 892	1472	voiceadequovl.exe	32
PID 1472 wrote to memory of 892	1472	voiceadequovl.exe	32
PID 1472 wrote to memory of 892	1472	voiceadequovl.exe	32
PID 1472 wrote to memory of 892	1472	voiceadequovl.exe	32
PID 892 wrote to memory of 1372	892	cmd.exe	34
PID 892 wrote to memory of 1372	892	cmd.exe	34
PID 892 wrote to memory of 1372	892	cmd.exe	34
PID 892 wrote to memory of 1372	892	cmd.exe	34
PID 1472 wrote to memory of 1480	1472	voiceadequovl.exe	35
PID 1472 wrote to memory of 1480	1472	voiceadequovl.exe	35
PID 1472 wrote to memory of 1480	1472	voiceadequovl.exe	35
PID 1472 wrote to memory of 1480	1472	voiceadequovl.exe	35
PID 1472 wrote to memory of 1480	1472	voiceadequovl.exe	35
PID 1472 wrote to memory of 1480	1472	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1372
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6a56310124c6560a3a253f40b937da0d

SHA1
cd1a4ca316f1f3475b5bc8c9445a2aabba15ce0e

SHA256
dc66affc162f3c7895473a8625f2b472f70cdb01e3f8ca25ddf05b27319acfa0

SHA512
c9ae5c6d68aaf42e961d5328877a114d1043f00058e8f619426d647f0dff2cc2b09e0c8b1635205905b280eae5150dab6cb63b8c3de0d90d492e682a1e693fc1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
236.1MB

MD5
0c8a843e6deb413c2412e97c30e2724b

SHA1
9dbbc200dcb0e139f0b6192d9b624a6631344583

SHA256
37a5f7ff127157fee668c7c01dca213963dad7a9b06296cb34e481ee22a0262e

SHA512
88c8506af305660e4d8e40bbc17fd676e6e1a9f51093e2ab6cf6ad4522860bc663235655b6a5dff59b6d0b44542018454430033ab430c6637fe20716b55b5207

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.2MB

MD5
ce01d3031e92eaf6ca86082faa14c214

SHA1
4d4e8c11eb22aae2a33d11aede99195786b30617

SHA256
886b2f5ffab239ea71ad16fe4a40e08f04da73617f544eb062e18b0c75ba4800

SHA512
d0bc8cb4759eaf2ce9f176a65a15ffe315e05dff13583520b489e5d352928f208aa14561273cc622708811dc20688bb0e4c63c0ef692c6ed662b9363b12923e8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
42.3MB

MD5
a6028612632c21299e3913c3a85288c1

SHA1
e92deb43bcc4b3698557fa9abab101c819ef5bf4

SHA256
1a6f71316596d9d680fb55db9cb1c46e98e4d66808925d9b0f5a8400048bcf5c

SHA512
edddcd7da03c836498cb77c5a3ca918dd38761cc0f8435f580c08007fd3b915350f6eab1999ae4dad9b7ba764118226895eb98713ed2739cfb51e49ad5484505

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
226.6MB

MD5
3ec3a45b07514360b27b160fef9b87f0

SHA1
90e9c6d7c360044cceb5015bcb99f2b1b8857991

SHA256
60308027dfc8211c3276a45b23c3e190a5f0500784dd75f4b765b7051e9ef859

SHA512
2143e67819a79723e8549f24344e1d73d1ef5fb01085867d6baf1bc63de1ea7bb0ba8abba7654074385a5fb81971616900e0b76c8cf40dcc7baa8fc32d34700c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.8MB

MD5
6bf8a9b0cf60c6315e4d5cca4e38ce7c

SHA1
1a4ebafbe09af33dc3dab47065ae5f463569dafa

SHA256
a0120cea6eca0d89fc4780e0c17c44649487639744b08a8ac939fd69e7e869a7

SHA512
cb1720e8501a5d5b15cc08566cad90a48a6f1443da82f4bdad6df1ac03c426cb244dd1e19540e0ad85f5dc42ef1617322657c0d97dd7f0bed5d3ee19c73cf512

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
236.6MB

MD5
58c72bcb621a9a53e1a21b3696c26787

SHA1
40c4a869baa6b084ce65489f136f073d5219ae7e

SHA256
bdb9086f980a7f6d01d1a44ed26730c2ffe073c4fbff712751f6f6be1f5c34a7

SHA512
5e70b3b376ea57b812390bf8818e40c7e56fd1287a82e3cf9fe15ead568d1127d7a5ec0bae050a2a4ac9d0ee561d2e30adea46db866882e66577bc53f5f84e4a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
210.8MB

MD5
33d3ccbaeb9f272e1243e20b7895b165

SHA1
5c85db99c9ce26a51c3f4fb3c61d03af074ceb11

SHA256
c0540fa274b2178d861c4f3fd9be243f94d92d67145f9434fe7d7dc949fe2067

SHA512
df6e9e89d93af374b0e6b7837bf8cd3fabc45f9278135de9fdf7dcb28f7222a01fb4785becd499e82ce07e2d54e13055e6ae97fde93d3383ddabe311e483be68

Download Submit
memory/548-71-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/548-69-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/548-70-0x000000006FE80000-0x000000007042B000-memory.dmp

Filesize
5.7MB

Download
memory/1372-94-0x000000006FE40000-0x00000000703EB000-memory.dmp

Filesize
5.7MB

Download
memory/1372-82-0x000000006FE40000-0x00000000703EB000-memory.dmp

Filesize
5.7MB

Download
memory/1472-66-0x0000000006510000-0x00000000068B0000-memory.dmp

Filesize
3.6MB

Download
memory/1472-73-0x0000000005310000-0x0000000005482000-memory.dmp

Filesize
1.4MB

Download
memory/1472-65-0x00000000008D0000-0x0000000001044000-memory.dmp

Filesize
7.5MB

Download
memory/1480-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1756-56-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download