aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
138s
max time network
172s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/604-66-0x00000000064D0000-0x0000000006870000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1648 voiceadequovl.exe
604 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1648 voiceadequovl.exe
1648 voiceadequovl.exe
1648 voiceadequovl.exe
1648 voiceadequovl.exe

pid	process
1648	voiceadequovl.exe
604	voiceadequovl.exe

pid	process
1648	voiceadequovl.exe
1648	voiceadequovl.exe
1648	voiceadequovl.exe
1648	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

268 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 604 voiceadequovl.exe
Token: SeDebugPrivilege 268 powershell.exe

pid	process
268	powershell.exe

description	pid	process
Token: SeDebugPrivilege	604	voiceadequovl.exe
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 1648	1636	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1636 wrote to memory of 1648	1636	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1636 wrote to memory of 1648	1636	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1636 wrote to memory of 1648	1636	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1648 wrote to memory of 604	1648	voiceadequovl.exe	voiceadequovl.exe
PID 1648 wrote to memory of 604	1648	voiceadequovl.exe	voiceadequovl.exe
PID 1648 wrote to memory of 604	1648	voiceadequovl.exe	voiceadequovl.exe
PID 1648 wrote to memory of 604	1648	voiceadequovl.exe	voiceadequovl.exe
PID 604 wrote to memory of 268	604	voiceadequovl.exe	powershell.exe
PID 604 wrote to memory of 268	604	voiceadequovl.exe	powershell.exe
PID 604 wrote to memory of 268	604	voiceadequovl.exe	powershell.exe
PID 604 wrote to memory of 268	604	voiceadequovl.exe	powershell.exe
PID 604 wrote to memory of 1964	604	voiceadequovl.exe	cmd.exe
PID 604 wrote to memory of 1964	604	voiceadequovl.exe	cmd.exe
PID 604 wrote to memory of 1964	604	voiceadequovl.exe	cmd.exe
PID 604 wrote to memory of 1964	604	voiceadequovl.exe	cmd.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe
PID 1964 wrote to memory of 856	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 856	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 856	1964	cmd.exe	powershell.exe
PID 1964 wrote to memory of 856	1964	cmd.exe	powershell.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe
PID 604 wrote to memory of 292	604	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:856

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:292

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:988

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:2028

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:964

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
358.8MB

MD5
f0390527a9ed51b8831c44cff822cd78

SHA1
3076fa6c46cc9b918f272940a4eb6c6375be59c9

SHA256
33a538291cf11e43c96aaf8f49c3baf53f4021af2d0c28c14a1f87267d23668e

SHA512
b38395e8b031e76f928f15b7301b62c6c8e41d9548d25e3632c8b4dd122059952427313027bc118bc520a9c52e2ae948bd1ac0081f5ef540cddf4d821473d987

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
aacb5d545ab23291d902a832663bced5

SHA1
0cb35393b862495c5e559c3dbfd1a01e8a81903d

SHA256
ae97a4ca400973e084222a371284bdb9fe424895c6fcbea0afa1574318d8f34e

SHA512
7e56983812b5108d0c5f835c2c55720d75b40fe9f9287a1513a3d83221ecc167688390264db141541dd5df48c4e0c42326beb43a01d1aa6d4bb44d260ef0c003

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
234.9MB

MD5
f8cef10f4cc14e615b11824f5de52d1a

SHA1
e1cdc22d6db4b902c5cd4a1b34218098fdec77d0

SHA256
38ffeb0cac3c616e826dbea90fc1036b4d409b31aade2bf7a2e5ef45e563d581

SHA512
82b08a0e39bd80f8f653ba74b7af879b212c6cec48ebb56c92bd9d94adf224ba64f68ed468c651e1ac8e3629206eb26d117626a223b551220bd02b21fed5f2c1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
237.2MB

MD5
0dbf4888c96f66592c66167664eaf1da

SHA1
3b45908246c1c0d34c397d0be1fe6c1819c648ab

SHA256
cfe5a88c14bd4a3e8a5f5ad1c8ab755f9ddd5db1cc91180c34d65cb75cbdeb1a

SHA512
103ecb46fa9b7cfe1d74730fc50b61f1c75f904372da30c6e4075cc5f7805edb3c4cd4b1b1dec557c783fa74b66b0d0aa8d9e9826c9e217225421aeb9b66780d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
34.5MB

MD5
588b03dc03c6d6a6b97f3eede814defc

SHA1
be80f2ac8eb683bea473fbb0a2befbfe72bd8bbd

SHA256
f087369ee10b902f9c0b530a5d08396ade507fd8211fcc5ff88f1f91c405c89a

SHA512
4dca64662ab11a2ada5345f54d370f5eaa0a56455fcdf5c1ba7f56d3db2348dc9764fbf853b1c61a58e5403d6aab1b38b198fe16b201390eae4c2c9a3d474525

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
239.3MB

MD5
883dd57a2d0f53cbde9299cac770e83d

SHA1
250dd82a45484d5e9c57bdf1c3803ad501173a11

SHA256
b6e8e44fbfebf0b3db0e759d9919197efb4d651acedb50fc25b8eed7a97f546c

SHA512
80e87d39065964ac7015c2c91bdca1c45973d4d052abf62e3f1f3ca3587e022b301433093526e3000a626bd71c474bc5a0990e8bb4c26c10273a2b50872c9ba9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
237.9MB

MD5
e4489a0cf61d4d4c5b4d0d8201151482

SHA1
608bba78f1835f4df5270ff48a9224c865c6dd4e

SHA256
62f3190d4d8c21ac1f9861a0350d7d4c0737571bd502af61cf27c0ff2fe18ca2

SHA512
12f71a3831fc13f5c21759defdf5dcfdff7b8de0a1527726415b6ab31289dc29ff0180cf27a4540323a60c66d0617e1cbd6bb61857b36038660b3e575fb95955

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
238.1MB

MD5
9a9e6b95e4cb08ef82c91f6862934ae1

SHA1
8c09238b1075c88ac832f7e3491a187c3e1619fd

SHA256
4a562e39479feac9f324a69d4f2377c35cf6c23c21d1cc0a340856f9f34a71c2

SHA512
c04c10053f39224620ac35e54c763c7739753df6cefdc20e2f80f59b43d7e262a7850e2f8d7d52d9b11a1f33a21cdb36e0f191c27b459ef6e0c0f506e68254e5

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
236.3MB

MD5
fa9c46ee58a567430ca285afd15ff859

SHA1
638e161ed137cfbc4570e7acbf02db123a5e9983

SHA256
62258f5392e904dd171ac89475a18b773e0e355039a4ad5e706b702a1a469b8d

SHA512
560233f2dc5767273d3820722c4f9c0ebfb84bc44bf15ea4b7df73ab946d20979a9a308c984e9697df874ffc0af886f844d2b1a848bb5044368be045432a971f

Download Submit
memory/268-71-0x000000006F680000-0x000000006FC2B000-memory.dmp

Filesize
5.7MB

Download
memory/268-69-0x000000006F680000-0x000000006FC2B000-memory.dmp

Filesize
5.7MB

Download
memory/268-70-0x000000006F680000-0x000000006FC2B000-memory.dmp

Filesize
5.7MB

Download
memory/268-67-0x0000000000000000-mapping.dmp

Download
memory/292-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-89-0x0000000000464C20-mapping.dmp

Download
memory/292-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/292-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/604-62-0x0000000000000000-mapping.dmp

Download
memory/604-73-0x0000000005410000-0x0000000005582000-memory.dmp

Filesize
1.4MB

Download
memory/604-66-0x00000000064D0000-0x0000000006870000-memory.dmp

Filesize
3.6MB

Download
memory/604-65-0x00000000010A0000-0x0000000001814000-memory.dmp

Filesize
7.5MB

Download
memory/764-98-0x0000000000000000-mapping.dmp

Download
memory/856-79-0x0000000000000000-mapping.dmp

Download
memory/856-95-0x000000006F3E0000-0x000000006F98B000-memory.dmp

Filesize
5.7MB

Download
memory/964-97-0x0000000000000000-mapping.dmp

Download
memory/988-93-0x0000000000000000-mapping.dmp

Download
memory/1648-54-0x0000000000000000-mapping.dmp

Download
memory/1648-56-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download
memory/1964-72-0x0000000000000000-mapping.dmp

Download
memory/2028-96-0x0000000000000000-mapping.dmp

Download