aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
89s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1600-66-0x00000000065D0000-0x0000000006970000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
272	voiceadequovl.exe
1600	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
272	voiceadequovl.exe
272	voiceadequovl.exe
272	voiceadequovl.exe
272	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1376	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1600	voiceadequovl.exe
Token: SeDebugPrivilege	1376	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 272	856	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 856 wrote to memory of 272	856	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 856 wrote to memory of 272	856	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 856 wrote to memory of 272	856	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 272 wrote to memory of 1600	272	voiceadequovl.exe	29
PID 272 wrote to memory of 1600	272	voiceadequovl.exe	29
PID 272 wrote to memory of 1600	272	voiceadequovl.exe	29
PID 272 wrote to memory of 1600	272	voiceadequovl.exe	29
PID 1600 wrote to memory of 1376	1600	voiceadequovl.exe	30
PID 1600 wrote to memory of 1376	1600	voiceadequovl.exe	30
PID 1600 wrote to memory of 1376	1600	voiceadequovl.exe	30
PID 1600 wrote to memory of 1376	1600	voiceadequovl.exe	30
PID 1600 wrote to memory of 1960	1600	voiceadequovl.exe	32
PID 1600 wrote to memory of 1960	1600	voiceadequovl.exe	32
PID 1600 wrote to memory of 1960	1600	voiceadequovl.exe	32
PID 1600 wrote to memory of 1960	1600	voiceadequovl.exe	32
PID 1960 wrote to memory of 1356	1960	cmd.exe	34
PID 1960 wrote to memory of 1356	1960	cmd.exe	34
PID 1960 wrote to memory of 1356	1960	cmd.exe	34
PID 1960 wrote to memory of 1356	1960	cmd.exe	34
PID 1600 wrote to memory of 864	1600	voiceadequovl.exe	35
PID 1600 wrote to memory of 864	1600	voiceadequovl.exe	35
PID 1600 wrote to memory of 864	1600	voiceadequovl.exe	35
PID 1600 wrote to memory of 864	1600	voiceadequovl.exe	35
PID 1600 wrote to memory of 864	1600	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:272
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1356
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:864
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        
        PID:1352
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        
        PID:2036
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        
        PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
326.4MB

MD5
40238de35e8a08e0c1b1bb0bf7f684ae

SHA1
cfb028f101376840cc55e274df473d99440c0dc5

SHA256
cb0c69665a6f7d9ed1ddd8c3074be923c3600b157a33143a91b3e0583a5e5554

SHA512
bcf90cd9a4403c292ba971d8dd1a16df11cd12505c896a194aea21042c2dc934aeee36ec161d378db5753dee382fa76605806f0115376fe0a83e8e06db62f74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
284.6MB

MD5
68776cc74e9dc66f69cfead3884e54ce

SHA1
fd1fb20a2fcc8fe7ea095952e0757848ebdea3b8

SHA256
25961cb03dfb9565a4cc392f3260c92bcb2f37f345e620e290b52809c7cbe3b6

SHA512
83e36eb4d107bd1700e01a28b41267201800339444b7d5b0e4adb590441a060ce810de995a150578765da92476718a4f316eac605c6dbb60ee8ea9ac4841f160

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b41296d60dc75bbefcc6e4f732cec4f9

SHA1
20bc5ef7f7ebe699e08bcba83018199e4e423ff3

SHA256
d22f5f01323f4f7d35106c4718da499cf99c1b740acfd1c1c0209bf6728741f1

SHA512
533951e7c1cee81c7d08a13617c3638e3d05fc83e09bd62a00e97ee4fb702af1ed02dce05c04c981a1c0a539d640e2179516359b0cdf5cf22d16bf991326f899

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
210.4MB

MD5
478e9229d4b05dae97efdc8fe3cb324a

SHA1
39b4341ca28d2d963787eeb0805debb51b8c80c5

SHA256
0155bc7474ac750812324a6cdf413ffc330b963c9a6fde1c7b6eb751e2aebbb8

SHA512
3d7b4b5846cb415b66af7b9fa197817a97e93a6c414dc5bd05a51b7a4713f2799d45f499f723e2200f4101ca9498c4d5e1475b50ed024fdf8ccaef7011218d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.1MB

MD5
6c2eb19cd69717f411fbf96a26e3821b

SHA1
f197562606ecc5b40575f44d8feb6ce259c8a312

SHA256
5bb799a91ba4fdb9749f1ceb89520230bb9d017e23544a281e76a38b962c3c6a

SHA512
536799da14fb413271ce33c39a73d26ce8da49826ab29e2c985628aac68f5688b2182f04ee1761b79bffff539ea18271b955aa14604366e91248bb6d456a7b24

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
93.1MB

MD5
43a08a132969e985347e9ef7d2649792

SHA1
1d9390e6f4a0d2654ce0b42f1e8e0ce2be154dfb

SHA256
14c9255087ab1b5e4fa4aa2f9dc2f4156075c765eb35d085e84f9d46c917cc60

SHA512
526d0fa56af0648731c1ccb3d910169e8cc2fd6911ce4811de586d30d2e1ca2d7aac92821c85f9ee4ac213220d5182206ee77412ff951c38623edb53f83fd7f8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
218.3MB

MD5
d8e6eef3ae9282d4799d6fca5642ab18

SHA1
8a30cf4107a676070fbac35b8381c8f1ffd0a07a

SHA256
c99d57ddbaaf0fc7a7e2af0115b33babd9ae9fdcb14e41c4d6a4cbb4f24d52bd

SHA512
726d8321c684c05cb5823a06e9b1e13eeb65104210d263b824d713f7c3f237bd4dc5f380411ea0c79a106d6769c1a95fa6683b14eb850f4a51c0576097063f6a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.2MB

MD5
86a121df76f2c61965d6131a91ab0a97

SHA1
44c761e7677f72554c6f768ebe67c25072bc3ce9

SHA256
9b515bc3dba0e2362f3a00c80efdac853be82a7aaa85b27dcbac8b8023554ca5

SHA512
2a8479955895aa2e469ca621adfc0857e40180a5e0fb93e50db24037e333f257b5c70546e28dba8e87124dbb01751ab4da3afd374555a96bece05b59a9b52d2a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.3MB

MD5
a068470ec16d1d8bea0289de793f55f8

SHA1
d887799fcd17374a34117e377af05e5074a50f92

SHA256
3e6406832eadc44b627828f9d734b57aad164c72e74f02124cd71244b3a3e8be

SHA512
bd4c06f36b3294e97023ed9d924e92f916dbe3c22890fa16afdd34e9826af717993143b8a95c2ffe51290a6d0a2feb83fa5726cac95fcc82edf8ebcfa6116ba7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.1MB

MD5
6c2eb19cd69717f411fbf96a26e3821b

SHA1
f197562606ecc5b40575f44d8feb6ce259c8a312

SHA256
5bb799a91ba4fdb9749f1ceb89520230bb9d017e23544a281e76a38b962c3c6a

SHA512
536799da14fb413271ce33c39a73d26ce8da49826ab29e2c985628aac68f5688b2182f04ee1761b79bffff539ea18271b955aa14604366e91248bb6d456a7b24

Download Submit
memory/272-56-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/864-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/864-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1356-97-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/1356-99-0x0000000073FD0000-0x000000007457B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-71-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-70-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-69-0x000000006FA70000-0x000000007001B000-memory.dmp

Filesize
5.7MB

Download
memory/1600-65-0x0000000000F30000-0x00000000016A4000-memory.dmp

Filesize
7.5MB

Download
memory/1600-66-0x00000000065D0000-0x0000000006970000-memory.dmp

Filesize
3.6MB

Download
memory/1600-74-0x00000000055D0000-0x0000000005742000-memory.dmp

Filesize
1.4MB

Download