aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
127s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1920-66-0x00000000064C0000-0x0000000006860000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1812 voiceadequovl.exe
1920 voiceadequovl.exe
1580 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1812 voiceadequovl.exe
1812 voiceadequovl.exe
1812 voiceadequovl.exe
1812 voiceadequovl.exe

pid	process
1812	voiceadequovl.exe
1920	voiceadequovl.exe
1580	voiceadequovl.exe

pid	process
1812	voiceadequovl.exe
1812	voiceadequovl.exe
1812	voiceadequovl.exe
1812	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exevoiceadequovl.exe

pid process

556 powershell.exe
1920 voiceadequovl.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1920 voiceadequovl.exe
Token: SeDebugPrivilege 556 powershell.exe

pid	process
556	powershell.exe
1920	voiceadequovl.exe

description	pid	process
Token: SeDebugPrivilege	1920	voiceadequovl.exe
Token: SeDebugPrivilege	556	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 888 wrote to memory of 1812	888	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 888 wrote to memory of 1812	888	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 888 wrote to memory of 1812	888	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 888 wrote to memory of 1812	888	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1812 wrote to memory of 1920	1812	voiceadequovl.exe	voiceadequovl.exe
PID 1812 wrote to memory of 1920	1812	voiceadequovl.exe	voiceadequovl.exe
PID 1812 wrote to memory of 1920	1812	voiceadequovl.exe	voiceadequovl.exe
PID 1812 wrote to memory of 1920	1812	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 556	1920	voiceadequovl.exe	powershell.exe
PID 1920 wrote to memory of 556	1920	voiceadequovl.exe	powershell.exe
PID 1920 wrote to memory of 556	1920	voiceadequovl.exe	powershell.exe
PID 1920 wrote to memory of 556	1920	voiceadequovl.exe	powershell.exe
PID 1920 wrote to memory of 992	1920	voiceadequovl.exe	cmd.exe
PID 1920 wrote to memory of 992	1920	voiceadequovl.exe	cmd.exe
PID 1920 wrote to memory of 992	1920	voiceadequovl.exe	cmd.exe
PID 1920 wrote to memory of 992	1920	voiceadequovl.exe	cmd.exe
PID 1920 wrote to memory of 1580	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 1580	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 1580	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 1580	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 304	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 304	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 304	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 304	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 304	1920	voiceadequovl.exe	voiceadequovl.exe
PID 992 wrote to memory of 1888	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 1888	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 1888	992	cmd.exe	powershell.exe
PID 992 wrote to memory of 1888	992	cmd.exe	powershell.exe
PID 1920 wrote to memory of 304	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 304	1920	voiceadequovl.exe	voiceadequovl.exe
PID 1920 wrote to memory of 304	1920	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1888

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:304

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1592

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e95cfbc45adf17baadad1021bf061191

SHA1
12222bc6c6046c2d3fe3cdae6d294a2593c2852e

SHA256
3cc47b1ab074adfcf4951c25d940d58ba73293d9ff888a59a1ffc6c079dbec39

SHA512
b98f55f77a8b9fecf5211f616c394d2db1efaea05c2723bbdb5109423f86f3a2ca8e143ab5ec925bfbbf63d001bee07af79be60d0e8f3bb92cd23e51ec961a95

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
237.0MB

MD5
182c4a25b76fd7ea25783d1a0983ca27

SHA1
550e8ab8695d22665232251dc001835d2aeddb57

SHA256
0983e511e522ffffc81fcbc3570b21fa77a8fa7e4647bbf93ecdec4248396d52

SHA512
9f64c42ef459cbdb1f9ffa510e62afdce759ff4055a914a8eee4af85cfd8a2d33550562184d37eaaab62a8956b179e2ca667ad1a58ddf4804b81c604bca97b48

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
231.7MB

MD5
4fc0c614f4e9db69f3ac464982a7787d

SHA1
59b8241b2c17823191dd44015110f0c3ae359c00

SHA256
fe7a23a7aa5fc3cda8f29754181088e58b0eeb69f76c52a057edc659a8f8eac4

SHA512
b3c1287eb4057398389a7d79ecd408d8224175a9fc7b932e8cc3850f4c7f98e82d2555b0f50215801cad857c6ea519b4e5f0f93951807f13e53ad14272b40ed5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
40.2MB

MD5
cda530dd9ee54096cc7a645b65cc519d

SHA1
6ab5b135970b18706b8882f0e1e42dcebd7776a6

SHA256
5a3021a85a80618c8bfe4dc700f9d2606ed598a64d70e544cfb6bb76e7a96e44

SHA512
215cdd9f7e173d67c7274b580d9c9a51de72470333a315bdbd653a11d8a8f14c0a446ab8f3f6852d447497e3c5bcf135a66130dfe270804bdb8cb7d1c9ddc7b9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
32.4MB

MD5
c3e68902a37167e762f5de48552b709d

SHA1
5dc44f096179cbfc1e1b38305525d1f48047bbdc

SHA256
fd8e24b7fa52b0b92f7d8ac501aacea1c10d7e81b5547564ca6fc21e692461b8

SHA512
2926a4ba839f1fe508f9d953b84cd5a1016a6995c744bb7a3774f2535656c07af6f417019e1898b291a71b5622f551b7213ab7c9e7c8c9850ffe41d546a91601

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
217.9MB

MD5
f0249ecd7d3fae39a17ed9eda55ae8c4

SHA1
47f6fd344d1c30c9836c18ffe3021e6f903d40bc

SHA256
50005026ec51f2b7647b900245a7f28d92faa0771cad46a8984a9cdbff66f5e3

SHA512
bc37f8923eba466af59064c72c2746adec47fb96e7587c2de8d416b987cbb7d89e8d77c52b57e6fc90dd04feee8bb5c15b3622eaf5e714651005f108d2f733c2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
229.9MB

MD5
4a7cf0ebc2c1afe7f6771c1dd97c806c

SHA1
c47cfb8f5c208f632a6e4cdf0822c7496cd86884

SHA256
8a5590f449a76b512e00b7e41daac726d3467d4ccc777a43e91b95562d555018

SHA512
b5ba93a110c23d4947e349a7299e19ae70e487985da158968466fb76d35e765f4bd5df692527e5a604781c02dff145f9a89b2e8648106d21cad7ad00fa7f872f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
233.4MB

MD5
dd0b0f5b091a7a037c025e5dc9b8a0e7

SHA1
1f523995e692914a42a29169a5c4c7afac564f9f

SHA256
6febc2b3139495eee5565c1967cc95783988cf8c0241c170c998db0f8b2e3cc0

SHA512
3778821ce4a28a3a4d351b84026ccedad342e3cf626e2a240c99658de91afadbe6f31f3534bf11707710b9dd3555c84c395679885828a47680e1fd6cca1b8d95

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
221.9MB

MD5
76c2d1a975d9a3244ef9459a755e5dd3

SHA1
51ce92296ab0869b6ac1588a2fee77bdb71704b4

SHA256
a17600867d995d7fe9300122f7b661a3dd02995a2729101224560cfd5f8b5f84

SHA512
27b908fa89920d0862161b028e038b5b66f9cd5cd0932a632886a28ce4aaa540d036f07961c335230e6c70065add343fcaddd378714e85a6fceeb843d543f806

Download Submit
memory/304-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-90-0x0000000000464C20-mapping.dmp

Download
memory/304-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/304-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/364-97-0x0000000000000000-mapping.dmp

Download
memory/556-70-0x00000000701F0000-0x000000007079B000-memory.dmp

Filesize
5.7MB

Download
memory/556-67-0x0000000000000000-mapping.dmp

Download
memory/556-71-0x00000000701F0000-0x000000007079B000-memory.dmp

Filesize
5.7MB

Download
memory/556-69-0x00000000701F0000-0x000000007079B000-memory.dmp

Filesize
5.7MB

Download
memory/992-72-0x0000000000000000-mapping.dmp

Download
memory/1256-99-0x0000000000000000-mapping.dmp

Download
memory/1592-98-0x0000000000000000-mapping.dmp

Download
memory/1812-56-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1812-54-0x0000000000000000-mapping.dmp

Download
memory/1888-91-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1888-76-0x0000000000000000-mapping.dmp

Download
memory/1888-96-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1920-73-0x00000000053A0000-0x0000000005512000-memory.dmp

Filesize
1.4MB

Download
memory/1920-66-0x00000000064C0000-0x0000000006860000-memory.dmp

Filesize
3.6MB

Download
memory/1920-65-0x0000000000B20000-0x0000000001294000-memory.dmp

Filesize
7.5MB

Download
memory/1920-62-0x0000000000000000-mapping.dmp

Download