aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
128s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/320-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1352 voiceadequovl.exe
320 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1352 voiceadequovl.exe
1352 voiceadequovl.exe
1352 voiceadequovl.exe
1352 voiceadequovl.exe

pid	process
1352	voiceadequovl.exe
320	voiceadequovl.exe

pid	process
1352	voiceadequovl.exe
1352	voiceadequovl.exe
1352	voiceadequovl.exe
1352	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

904 powershell.exe
880 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 320 voiceadequovl.exe
Token: SeDebugPrivilege 904 powershell.exe
Token: SeDebugPrivilege 880 powershell.exe

pid	process
904	powershell.exe
880	powershell.exe

description	pid	process
Token: SeDebugPrivilege	320	voiceadequovl.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1428 wrote to memory of 1352	1428	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1428 wrote to memory of 1352	1428	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1428 wrote to memory of 1352	1428	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1428 wrote to memory of 1352	1428	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1352 wrote to memory of 320	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 320	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 320	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 320	1352	voiceadequovl.exe	voiceadequovl.exe
PID 320 wrote to memory of 904	320	voiceadequovl.exe	powershell.exe
PID 320 wrote to memory of 904	320	voiceadequovl.exe	powershell.exe
PID 320 wrote to memory of 904	320	voiceadequovl.exe	powershell.exe
PID 320 wrote to memory of 904	320	voiceadequovl.exe	powershell.exe
PID 320 wrote to memory of 316	320	voiceadequovl.exe	cmd.exe
PID 320 wrote to memory of 316	320	voiceadequovl.exe	cmd.exe
PID 320 wrote to memory of 316	320	voiceadequovl.exe	cmd.exe
PID 320 wrote to memory of 316	320	voiceadequovl.exe	cmd.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe
PID 316 wrote to memory of 880	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 880	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 880	316	cmd.exe	powershell.exe
PID 316 wrote to memory of 880	316	cmd.exe	powershell.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe
PID 320 wrote to memory of 1456	320	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1456
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:964
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
339.5MB

MD5
084d9cc92cf7f28b4f22d23a4a6b6e8f

SHA1
41adf1e9d87bb4b3954dbed2dab7995e256adc7f

SHA256
9ebffd2212e4a6665ebffbb7d22908ffbec33268cf097cd9776253c0f8ec0777

SHA512
724dc674d8ff555abf67f2e2847bf44a82b94983518803f69e48123a7fcdec327c67186177d4ea07c3b20c1327b050f651fd438d69d38397375fed2b99306865

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f65d9dfc13590f1bb9e1dc80a905e7da

SHA1
bcc664d9c63ff2ee3f222b827e54f84fe2c31da6

SHA256
bee9de93c0da5d08d8704957e53faa5b93fa10e1b5f39cf143a1553b7b050ce7

SHA512
37d71f1c8b62a89d6554448f158ec4ece2397bbdfd15e5d37c540cfc38dd05020d4e264db73929f486ff9426cbb200746580b75163fcea02933ffeecf3b0fa85

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
260.0MB

MD5
9297b3e06cdd76953b7ac5998518c801

SHA1
425f57913fc56ccc3831f4f2bfd7f566583c0ae0

SHA256
0dc9792f10ea254be57cd0306a66b1e2616c53d7845d02b179a863716845fac5

SHA512
21d6a5e144386e74d63ebb486e84563cb933a80a1a78eea490ea8ced73509c2a772b6e8432a18cf08763a44102278e3fa593058d4a958a80f8a86406c7d86c5a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
250.7MB

MD5
9a8a35dd56fd6abfab655cafd2c2d549

SHA1
7c3ac3e333e1c7939425d550fd52d1da8403709a

SHA256
a7c6fc8cb93ce265a2c853da07f11af9314896244b58ff6fb5ff375d17a14ee6

SHA512
d7fd07f89bd5ee8d8ed60e3c91b41c16d8e19d4e1328f34ce0644bdc1c157c8a0ad30719af84889da319197ba178076227d1720bddcab90d4e86468add305472

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
41.7MB

MD5
5fe33a3481125450b3e737d1bdad1db5

SHA1
045a7c0ef52eb57b98a37cb8bc3a4994f560af8f

SHA256
1a8ed0c0c2ed76b782815089a120da6d3381434a169b13e298939f2f73f71ae1

SHA512
82e39c90723de402a84db3944978ae41475d7e8024315ed7a299e065965d2ad5f0ede082b57a5b38e5c5a03d437f497c24058d5e06dbe8a14dcbf1cb0bffe37a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
261.8MB

MD5
43db4dc829660dc66334a370dbfba064

SHA1
ffc780bbf01c83c6bdec9df131d0d5b2d757a174

SHA256
b2a9adec379ea7027b8534689d089cbec9f022073c932c001a742f2542829de3

SHA512
e56409ea9b9c87d899f60e4de930875a94ac059d5d825355244ec94d8e66b1f35b5deb3a87f30ff65efdc35b33d30592f13659e87a204d5a60cf7f839573585b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
261.2MB

MD5
dcb9131ebb85c34ca32814f3f44a13b1

SHA1
c6640d719629c7956392582e9863c12296f1a997

SHA256
8b5de0ff88e779848cfc8470f8dfda1c973156f6b8048e9556ce4679e895f599

SHA512
2b53dafc603704bda183822d344f5e43672e9ed4b8e3aa0937d816a451810fb61a6372d498269be6cb66f041ac7f6fd23e351578193115bf3339af7959184d80

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
248.0MB

MD5
4c3ec08601ab208d790de6b1597944fc

SHA1
6186aad18a22d059534681e102f6c429c39b91e7

SHA256
710b607cb8422a77ab97332d10d7426c854fdf389cbdf31d7f358819cd5cf680

SHA512
574d2c1751043d7be3bf65591bd86858f4dedcf6d3a4d203556ab128c94c274436b86eb7888905bf84a4cfa29850b2d016d0e8e231fd3d90266550177526feb3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.2MB

MD5
55e90a5f2e656da4e141748f5b3da23e

SHA1
58c1cd7704adf4d0b1cdd732f82c80a962edf4d3

SHA256
3ae29912ed4f64ddf939031cf2ed7ba48eaa2c01f417ff81aedf23e80473d3fb

SHA512
8ebe5c63dcbed56d0f29183915af867274a929c6794216a1cc5030d0ab5021727a3ddc1fcc2d1c700c88481aa672eada2c7259b3a7c4df98f3de62d1d504fdf3

Download Submit
memory/316-72-0x0000000000000000-mapping.dmp

Download
memory/320-73-0x0000000005440000-0x00000000055B2000-memory.dmp

Filesize
1.4MB

Download
memory/320-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download
memory/320-62-0x0000000000000000-mapping.dmp

Download
memory/320-65-0x00000000013E0000-0x0000000001B54000-memory.dmp

Filesize
7.5MB

Download
memory/540-98-0x0000000000000000-mapping.dmp

Download
memory/880-75-0x0000000000000000-mapping.dmp

Download
memory/880-94-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/880-89-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/904-71-0x000000006FAF0000-0x000000007009B000-memory.dmp

Filesize
5.7MB

Download
memory/904-70-0x000000006FAF0000-0x000000007009B000-memory.dmp

Filesize
5.7MB

Download
memory/904-69-0x000000006FAF0000-0x000000007009B000-memory.dmp

Filesize
5.7MB

Download
memory/904-67-0x0000000000000000-mapping.dmp

Download
memory/964-97-0x0000000000000000-mapping.dmp

Download
memory/1352-54-0x0000000000000000-mapping.dmp

Download
memory/1352-56-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/1456-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-90-0x0000000000464C20-mapping.dmp

Download
memory/1456-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1456-99-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1632-96-0x0000000000000000-mapping.dmp

Download