aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
124s
max time network
148s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1968-66-0x0000000006450000-0x00000000067F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1224 voiceadequovl.exe
1968 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1224 voiceadequovl.exe
1224 voiceadequovl.exe
1224 voiceadequovl.exe
1224 voiceadequovl.exe

pid	process
1224	voiceadequovl.exe
1968	voiceadequovl.exe

pid	process
1224	voiceadequovl.exe
1224	voiceadequovl.exe
1224	voiceadequovl.exe
1224	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

268 powershell.exe
976 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1968 voiceadequovl.exe
Token: SeDebugPrivilege 268 powershell.exe
Token: SeDebugPrivilege 976 powershell.exe

pid	process
268	powershell.exe
976	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1968	voiceadequovl.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 620 wrote to memory of 1224	620	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 620 wrote to memory of 1224	620	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 620 wrote to memory of 1224	620	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 620 wrote to memory of 1224	620	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1224 wrote to memory of 1968	1224	voiceadequovl.exe	voiceadequovl.exe
PID 1224 wrote to memory of 1968	1224	voiceadequovl.exe	voiceadequovl.exe
PID 1224 wrote to memory of 1968	1224	voiceadequovl.exe	voiceadequovl.exe
PID 1224 wrote to memory of 1968	1224	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 268	1968	voiceadequovl.exe	powershell.exe
PID 1968 wrote to memory of 268	1968	voiceadequovl.exe	powershell.exe
PID 1968 wrote to memory of 268	1968	voiceadequovl.exe	powershell.exe
PID 1968 wrote to memory of 268	1968	voiceadequovl.exe	powershell.exe
PID 1968 wrote to memory of 800	1968	voiceadequovl.exe	cmd.exe
PID 1968 wrote to memory of 800	1968	voiceadequovl.exe	cmd.exe
PID 1968 wrote to memory of 800	1968	voiceadequovl.exe	cmd.exe
PID 1968 wrote to memory of 800	1968	voiceadequovl.exe	cmd.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 800 wrote to memory of 976	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 976	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 976	800	cmd.exe	powershell.exe
PID 800 wrote to memory of 976	800	cmd.exe	powershell.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe
PID 1968 wrote to memory of 968	1968	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:968

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1616

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1652

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
PID:1276

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:2040

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
6⤵
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
8e13ec8c620aaa77c10c82875f6f1b08

SHA1
2d76e951ffb586b468754573d27cd57bc2cc4a87

SHA256
99ab1b08443261146f314ba75ec533e4e46fbf216416b612000294c65dfb8510

SHA512
132befa3221d0b2944b754073f95fefc0d47fcb96b1ba117685e33c3ae73184b8aa9dfea1541e8caf77812ce9c671f22a64afc2edacdfd7cef4ebe55b04526f4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
240.6MB

MD5
a5d043a598c812c99c4e53a5e646946f

SHA1
7263db24f4900f937049be57bb3a070b6c5ba1be

SHA256
31448c1bcc6f5ffb2d826d89b7e66c295fd8ec026e9918599005693e8b65b3ba

SHA512
ca0e5597f327fe9da3e94056bb674574b61755bdc7b050a1d0303639eb1dadc1f24d0c2a7ec760b2c1b6da93e01b76c8e1cd2c813f8ba1cfce870c3cff17b8da

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
241.6MB

MD5
9c786e18a9b7700116f27e0469260511

SHA1
f1fe41a3737a740ff1e0a7b3f4e99b2e12d39e27

SHA256
ec34dc17874ae76642364c40be3401e9e93aeadfd95342e4a542401d5b0d7d1f

SHA512
83983af108f42c7e99ea1b58ba8391086f1b097fc732e9b7ab15388869e0f30006ad68364b134e61ce02d2e37eb5ff5369f124c2ead5f78bc953302152640d66

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
31.8MB

MD5
222b457ce525af3f50bbabeed0357f05

SHA1
6c978c6654ae8b851ad6fc108c3721aa4a7e367b

SHA256
ecebc1c2c8205f6a4e116fda56ec5d4289f0f607e7b5b14dbaf0ef66f21492d8

SHA512
07affc7e3bb591c0f1f9ba7fdede716c96ab98025729a265495e5cd1761c1ecc712b3eea0cd7627e0aec2a95bde083fd781a8947de0945316f9b9ef59dd6993e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
223.2MB

MD5
2508302155b449f7f2cec7894046361e

SHA1
1b48aee73a59e32090a66a0f49a7460c2878ed16

SHA256
72a82396d89864e8cd9a7ac2c0264a8e9ab776655c62f1519b6d7fda06bb6869

SHA512
51641c98f4947a26fde8c2a5f9eeb3e7d287e18368ce3b223bf3eee7e9daa9c65b2fc67243a039194bea3163c51408462bdcdbcce8b045c9a4fad62c67eb8e07

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
247.3MB

MD5
8beddb89eae5adac6dc53748ce12e8ec

SHA1
ed530da0d63e1203530eb4c9b95fe2e3687a9724

SHA256
1ce9ef1a24dc38703ccbc6aae0e148400ee577f6b089949a17cc6f03951fdfa7

SHA512
6648fb834cd12a398a600b1992d35e81464d0d2be08c2fb8731f573dc9a3a92beba1efb5e547f497467834ea7eda2f432d4370a60de70965daeb85e134ca56ef

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
245.4MB

MD5
d6b8bba972e76aa372f49161d7f20cbc

SHA1
aed78956bb847f909c8b80843e788570fc36e0eb

SHA256
b3fe21c7e18008a47511311c7dbd94b196cbe1fe0ff52927f877a422536d444a

SHA512
89481545e7fef70314c041cb2a381a9406113ce7ee274ebbdc8e896639c087900605ae941d78a5882c77244f7adef3ac06ff0323ec2a2ba6ccefcc1d77dc2b1d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
229.0MB

MD5
1058e6af7a12002968fe963af446b012

SHA1
e27121c5e338d09810db67bc318ee26eb6f3bd07

SHA256
c2b2d41f8dc1e9e3be9f8fc506c86fe3bac716896434788c789d3dfb064b7f09

SHA512
d8f758ac9b5e4b0b52a79f1e8e1b76d67f3417a3341cc5511b714a5269158ce8ad049e4372a15329ba1e4a8ad10aa533b3a1fadf7574815d7a8623fdb2d3bb11

Download Submit
memory/268-70-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/268-71-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/268-67-0x0000000000000000-mapping.dmp

Download
memory/268-69-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/800-72-0x0000000000000000-mapping.dmp

Download
memory/968-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-90-0x0000000000464C20-mapping.dmp

Download
memory/968-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/968-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/976-95-0x000000006F520000-0x000000006FACB000-memory.dmp

Filesize
5.7MB

Download
memory/976-87-0x000000006F520000-0x000000006FACB000-memory.dmp

Filesize
5.7MB

Download
memory/976-75-0x0000000000000000-mapping.dmp

Download
memory/1224-56-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1224-54-0x0000000000000000-mapping.dmp

Download
memory/1616-96-0x0000000000000000-mapping.dmp

Download
memory/1632-99-0x0000000000000000-mapping.dmp

Download
memory/1652-97-0x0000000000000000-mapping.dmp

Download
memory/1968-65-0x0000000000E30000-0x00000000015A4000-memory.dmp

Filesize
7.5MB

Download
memory/1968-62-0x0000000000000000-mapping.dmp

Download
memory/1968-66-0x0000000006450000-0x00000000067F0000-memory.dmp

Filesize
3.6MB

Download
memory/1968-73-0x0000000005270000-0x00000000053E2000-memory.dmp

Filesize
1.4MB

Download
memory/2040-98-0x0000000000000000-mapping.dmp

Download