aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
111s
max time network
146s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/752-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 3 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exevoiceadequovl.exe

pid process

1688 voiceadequovl.exe
752 voiceadequovl.exe
1476 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1688 voiceadequovl.exe
1688 voiceadequovl.exe
1688 voiceadequovl.exe
1688 voiceadequovl.exe

pid	process
1688	voiceadequovl.exe
752	voiceadequovl.exe
1476	voiceadequovl.exe

pid	process
1688	voiceadequovl.exe
1688	voiceadequovl.exe
1688	voiceadequovl.exe
1688	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exevoiceadequovl.exepowershell.exe

pid process

1276 powershell.exe
752 voiceadequovl.exe
1504 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 752 voiceadequovl.exe
Token: SeDebugPrivilege 1276 powershell.exe
Token: SeDebugPrivilege 1504 powershell.exe

pid	process
1276	powershell.exe
752	voiceadequovl.exe
1504	powershell.exe

description	pid	process
Token: SeDebugPrivilege	752	voiceadequovl.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 940 wrote to memory of 1688	940	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 940 wrote to memory of 1688	940	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 940 wrote to memory of 1688	940	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 940 wrote to memory of 1688	940	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1688 wrote to memory of 752	1688	voiceadequovl.exe	voiceadequovl.exe
PID 1688 wrote to memory of 752	1688	voiceadequovl.exe	voiceadequovl.exe
PID 1688 wrote to memory of 752	1688	voiceadequovl.exe	voiceadequovl.exe
PID 1688 wrote to memory of 752	1688	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1276	752	voiceadequovl.exe	powershell.exe
PID 752 wrote to memory of 1276	752	voiceadequovl.exe	powershell.exe
PID 752 wrote to memory of 1276	752	voiceadequovl.exe	powershell.exe
PID 752 wrote to memory of 1276	752	voiceadequovl.exe	powershell.exe
PID 752 wrote to memory of 924	752	voiceadequovl.exe	cmd.exe
PID 752 wrote to memory of 924	752	voiceadequovl.exe	cmd.exe
PID 752 wrote to memory of 924	752	voiceadequovl.exe	cmd.exe
PID 752 wrote to memory of 924	752	voiceadequovl.exe	cmd.exe
PID 924 wrote to memory of 1504	924	cmd.exe	powershell.exe
PID 924 wrote to memory of 1504	924	cmd.exe	powershell.exe
PID 924 wrote to memory of 1504	924	cmd.exe	powershell.exe
PID 924 wrote to memory of 1504	924	cmd.exe	powershell.exe
PID 752 wrote to memory of 1476	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1476	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1476	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1476	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1560	752	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
- Executes dropped EXE
PID:1476

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1560

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1472

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1576

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:936

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:1404

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
289.8MB

MD5
d1bb9951b974182d842ca4668d2605a0

SHA1
9906add9dc0bcd70d267fc89a26db22b6b628cea

SHA256
ae0400fd611c70fe3344bd14a5e503bfdb962789735a215df0004bea5585f426

SHA512
8da7fa2fdd2029e72b95a042d7bbeba8f12a0d3f5dc9b43f7bcec08df3fd4fb58d4629951c9520311180f6607019836d0c931a1bf1d66f535f6c8ec1937c45f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5c7046f81ca4d097870a3dfd4d1c7e33

SHA1
9f45c44d212763273b44642e6457bdb9a7419fe2

SHA256
ad0a6b05cf451e9b3bbb9bc9e1838c4da277eaf5874d5b691c135e3fee9caf14

SHA512
21b790fcea5cd5707a707e5a7b52f72f5eb04402112199c8da246d3962999f8c6b094aa9d0f1a4d17dceeb533d97c701e3c50a378f891466b297470215d21104

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
257.5MB

MD5
1196f6681f430b8d1838215ca9028834

SHA1
f21a68dcdc5bae179deb9f66648a033b9b18fc25

SHA256
797ec079fdb06c02ca0cdcd64798714b86931d10a15f3421fa36edff0f4af234

SHA512
9ae96380e3cb9e27e3cc99971391886a553080b14aae3d51cf07a396a94693f91cbe6619def229dbe89fb4e6a588038b3fb326bf8070558d7159391f88699d73

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
258.2MB

MD5
f54f9fa91a40555f0383a57c29653dc2

SHA1
796ddd59c3fc68de0a22ed0ff17d0ee52728043b

SHA256
ea18787c42cbdb469079866629d3b6e76ff95540205b2c5d8c68d5a866cbb6c2

SHA512
61f6e3d5992b153694517a0802d816fa2ce489f94991517e08cd17db5559183d429488489b0d68b6c841ee3d03e036ac8690ade4dae273e9be23e4013cc14765

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
71.5MB

MD5
c4f9ddb41f0e151291cc4c64160b0b40

SHA1
31806f4065b67b185941bf85fde9962c01bcef16

SHA256
e44a2aca9b8826caff1aa8ec8fec8543e29be2d472592b0032c5d7d8c5f5b180

SHA512
637b36c591f72dc3fa8e3b7f6c133b3561c17329a5199a1bff8a2d131becaeb83eb43c70f3ac2818beeb9b228903702e75b9a971dc94c3fa9efa09a9a7a7eb77

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
62.9MB

MD5
da59dc27cccc22c35e31549700521808

SHA1
318853be177f64b01d36ad0f3dab8831a5166a5d

SHA256
a3dc04ab507fe0f8e759d7ae83386a4473b1369411c5caf5868738cb07c5baa7

SHA512
e3cdd3178d6c7b57c66ae9de735f49ae502d270f8a5b20654cc2b46ab3278b3c5f78c1686711f3c2af4606a9d1f3f606c6d123dd90d95ef3d5923877f3b29436

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
262.6MB

MD5
74d24145c9ddcbd9b5c7c1c411da96c7

SHA1
8709e56ccfccd1be5f805b11808efe343dbdf8fc

SHA256
b3b82ebc50def11ea608b81bd89371c1cdddf0cef6478137a61517cba3cd17f8

SHA512
6078731d0f16881f63d119e92c14e149a28bd7800596883543132e6b76f2b24ae7cd47fbb914e357bb3b346d7f5e76cad1037f858416aad8ff6e570b79cf983e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
265.5MB

MD5
1445a9acddfea5283a8da65c2857aeb5

SHA1
15fe82df0b2e43d79bc7e4def25dfde2fe901673

SHA256
e37453da3748110b2fb9e1a4168aa8ba907370cb49971251a3cff62c88b0b869

SHA512
caeeeb6bf84f45bf42cbd1606a85d30cfc3081092b9162c80bfc4705350e80ba159d915765845fcde15b78837bc7a76bb63e6abe91d343e18fbd118fbaa2488b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
248.2MB

MD5
7a3758bfee88492b2b80c9255a1cca54

SHA1
b76f8295d1b6aa8c49583b5f839b68dbab875358

SHA256
4e8a2c284d612c3aa434b0a4ed25dd23fc9de8e897eecf347444641132d74676

SHA512
3964bd4553814c8105d9ee201e347d76ebdf106229a929e77e5a0942621cfc2a12af43fac83948df6b45f3d8ff8ff882e35e9327c3d0d4931abc439bc372e7e2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
254.2MB

MD5
8968fbd2ead02dd325159bb6b66b0196

SHA1
d64c4d4e25fc74d6ee623c9c5ad2df5fc09c8ef2

SHA256
7c67f2b2644b955dbaa72cfa51323268af25ff901e92fe6df9fcf0db75f28374

SHA512
49de72722f466d9f6fc58dd71784fa2583277fc646da3ed866d99dfb8b04ea4d97140d1ce98c465170d67a5f6686688aa4b09adb34d020eb592ea9a72aa88df3

Download Submit
memory/752-62-0x0000000000000000-mapping.dmp

Download
memory/752-65-0x0000000001130000-0x00000000018A4000-memory.dmp

Filesize
7.5MB

Download
memory/752-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download
memory/752-73-0x00000000054F0000-0x0000000005662000-memory.dmp

Filesize
1.4MB

Download
memory/924-72-0x0000000000000000-mapping.dmp

Download
memory/936-99-0x0000000000000000-mapping.dmp

Download
memory/1276-71-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1276-70-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1276-69-0x000000006F650000-0x000000006FBFB000-memory.dmp

Filesize
5.7MB

Download
memory/1276-67-0x0000000000000000-mapping.dmp

Download
memory/1404-101-0x0000000000000000-mapping.dmp

Download
memory/1472-96-0x0000000000000000-mapping.dmp

Download
memory/1504-92-0x000000006F200000-0x000000006F7AB000-memory.dmp

Filesize
5.7MB

Download
memory/1504-74-0x0000000000000000-mapping.dmp

Download
memory/1504-84-0x000000006F200000-0x000000006F7AB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-102-0x0000000000000000-mapping.dmp

Download
memory/1560-91-0x0000000000464C20-mapping.dmp

Download
memory/1560-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-97-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1560-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1576-98-0x0000000000000000-mapping.dmp

Download
memory/1688-56-0x0000000074ED1000-0x0000000074ED3000-memory.dmp

Filesize
8KB

Download
memory/1688-54-0x0000000000000000-mapping.dmp

Download