aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
136s
max time network
143s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/832-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1628 voiceadequovl.exe
832 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1628 voiceadequovl.exe
1628 voiceadequovl.exe
1628 voiceadequovl.exe
1628 voiceadequovl.exe

pid	process
1628	voiceadequovl.exe
832	voiceadequovl.exe

pid	process
1628	voiceadequovl.exe
1628	voiceadequovl.exe
1628	voiceadequovl.exe
1628	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1348 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 832 voiceadequovl.exe
Token: SeDebugPrivilege 1348 powershell.exe

pid	process
1348	powershell.exe

description	pid	process
Token: SeDebugPrivilege	832	voiceadequovl.exe
Token: SeDebugPrivilege	1348	powershell.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1588 wrote to memory of 1628	1588	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1588 wrote to memory of 1628	1588	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1588 wrote to memory of 1628	1588	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1588 wrote to memory of 1628	1588	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1628 wrote to memory of 832	1628	voiceadequovl.exe	voiceadequovl.exe
PID 1628 wrote to memory of 832	1628	voiceadequovl.exe	voiceadequovl.exe
PID 1628 wrote to memory of 832	1628	voiceadequovl.exe	voiceadequovl.exe
PID 1628 wrote to memory of 832	1628	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1348	832	voiceadequovl.exe	powershell.exe
PID 832 wrote to memory of 1348	832	voiceadequovl.exe	powershell.exe
PID 832 wrote to memory of 1348	832	voiceadequovl.exe	powershell.exe
PID 832 wrote to memory of 1348	832	voiceadequovl.exe	powershell.exe
PID 832 wrote to memory of 808	832	voiceadequovl.exe	cmd.exe
PID 832 wrote to memory of 808	832	voiceadequovl.exe	cmd.exe
PID 832 wrote to memory of 808	832	voiceadequovl.exe	cmd.exe
PID 832 wrote to memory of 808	832	voiceadequovl.exe	cmd.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 808 wrote to memory of 1496	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 1496	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 1496	808	cmd.exe	powershell.exe
PID 808 wrote to memory of 1496	808	cmd.exe	powershell.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe
PID 832 wrote to memory of 1960	832	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1496

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1960

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1168

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
5⤵
PID:816

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
272.3MB

MD5
a88a066df6b71dffac30abac7d9e8111

SHA1
2929af98bd21b317e1df79184a3a86f29ed7a833

SHA256
1ec3cd569d55ac66eef6e86fac292b12360d61c6dc6823cf8f49989b628db95f

SHA512
6abe9da8af4be35a31e8a0244c3958c52e83529eca4d3fc666c196b8a809b9e7ad3592bdc509d12f6b4b1a6f2da9762fb975faf1ec97f4667672402e8edab7d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cb5f11028b71466ec7a8c859c98cc768

SHA1
81f6d9406e6755420d09ad2dc3512fc139bcd7c0

SHA256
2eb661ad31255ca7a68344921a1ff667eb274a44f9097ad59a09135f305f571e

SHA512
a584eaa00dadfe8a254e061b68f065fec08f8e2851e6d943b40c9c7e644012aea0ab79c5595d58fb3c9ac8c66d6c4c70b0272c142bb7da2f2504ac9a9aa2212d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
245.3MB

MD5
6df8a7c398280fae83ffc78316e1e2a9

SHA1
56b8830df9276c7f668aea0e95332b37d8e626bd

SHA256
f420dfff87bf1fdc0574c608ca86cfdcc79f4bbeb885258ce2dd405ef681c819

SHA512
64017d6351e48bf142442a07e3cfbed3edbbfa2830a5e5be0b80f767daa18aab8576e00d7c053b6b81e246bc5872e5219852dc517bad532aaa741031acd98a04

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
253.3MB

MD5
311a0d49d40192a44e4026cfcc02a1e7

SHA1
a5ab5aa08a0492d53da33943d41a037e6af649d1

SHA256
4380fc5b62c8dd253fad69652d90178baa1327ab5cc5fdfb21ad4e1ebb588a0e

SHA512
11054d8c5cf2e1af704d9ce536dcb7bcec0f4281b7b73cdb9f56c74433ce600e3b0e00a54aa749ad63965e1753396bbbccd4092429086bd38bcc6b2d597fe6c0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
22.3MB

MD5
d152e1ec8832b541597daa6b88c9218a

SHA1
40c257d3c7fe1f126ad404162c827499b7a66b01

SHA256
09efd07c90e04db394619f36c542aa504e19677cd31e082b220fece5a577a4c0

SHA512
8ea83428aef5c8a2a9fc84202d04de2a88d4f690ddabc89c55a2f656c1935070db343773388c15f2fbde52863a4e735847b17beaefbe73b19083c48ce4006846

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.6MB

MD5
f3c09b41dc200fb7b9eb1e28e70120fc

SHA1
aa1bae5f3dd36737a97338eeda9e53a7fa6f26f3

SHA256
6ff79ebc8ceb85f3f7f9d8b5c119dc78604e07b6e295f7fb7fd6a3658d48c355

SHA512
18e7efc6468c14d9cf5cf26972c29c1b4c0842c09a2682d2b993f432b92b4b989e88f353f44d95ab0d7f5c69c8ee5f9ff361c67f74c0728c55c1707292d1b675

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.3MB

MD5
d16f80af545d4b26037d1fb5063aa5d9

SHA1
44219023fb5da315fc79b7bca6ae6dda40c88d73

SHA256
3e3437a7f2401ced7c1ed2365e6bb34f94450e05477e1a1a03bfc2cce91ff41f

SHA512
d176cdba63df6f35cffa1e9df82b55ff4e81fd3b197f4ea03baca9fcbb11b0685671fd00ffea506d6be832a7804663962e0cbafcd3061bf955bb51fa9d072223

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.1MB

MD5
8686322b4ecf8ed7c7192bf4d2a98946

SHA1
d1bc832f7e0d0efc8813a27aa6b710c6147fc51d

SHA256
59e14a35ba4767d6f1f363ce5192b427215b44618e1be9e2a34018e5507d7cfb

SHA512
c53e2ac301dae570544db66f613c141e058e3bee07cd2e1cffe958d3a76fff9bc040266d4a0064d9badae860f0543d72d904ea37f9215c2b5940f4fff27bf3d0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.1MB

MD5
8686322b4ecf8ed7c7192bf4d2a98946

SHA1
d1bc832f7e0d0efc8813a27aa6b710c6147fc51d

SHA256
59e14a35ba4767d6f1f363ce5192b427215b44618e1be9e2a34018e5507d7cfb

SHA512
c53e2ac301dae570544db66f613c141e058e3bee07cd2e1cffe958d3a76fff9bc040266d4a0064d9badae860f0543d72d904ea37f9215c2b5940f4fff27bf3d0

Download Submit
memory/808-72-0x0000000000000000-mapping.dmp

Download
memory/832-73-0x0000000005330000-0x00000000054A2000-memory.dmp

Filesize
1.4MB

Download
memory/832-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/832-62-0x0000000000000000-mapping.dmp

Download
memory/832-65-0x0000000000E40000-0x00000000015B4000-memory.dmp

Filesize
7.5MB

Download
memory/1168-94-0x0000000000000000-mapping.dmp

Download
memory/1184-97-0x0000000000000000-mapping.dmp

Download
memory/1188-96-0x0000000000000000-mapping.dmp

Download
memory/1348-70-0x000000006FB70000-0x000000007011B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-71-0x000000006FB70000-0x000000007011B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-69-0x000000006FB70000-0x000000007011B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-67-0x0000000000000000-mapping.dmp

Download
memory/1496-93-0x000000006F8D0000-0x000000006FE7B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-78-0x0000000000000000-mapping.dmp

Download
memory/1628-54-0x0000000000000000-mapping.dmp

Download
memory/1628-56-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

Filesize
8KB

Download
memory/1960-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-89-0x0000000000464C20-mapping.dmp

Download
memory/1960-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1960-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download