aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
103s
max time network
143s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/624-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1736 voiceadequovl.exe
624 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1736 voiceadequovl.exe
1736 voiceadequovl.exe
1736 voiceadequovl.exe
1736 voiceadequovl.exe

pid	process
1736	voiceadequovl.exe
624	voiceadequovl.exe

pid	process
1736	voiceadequovl.exe
1736	voiceadequovl.exe
1736	voiceadequovl.exe
1736	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1676 powershell.exe
840 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

voiceadequovl.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 624 voiceadequovl.exe
Token: SeDebugPrivilege 1676 powershell.exe
Token: SeDebugPrivilege 840 powershell.exe

pid	process
1676	powershell.exe
840	powershell.exe

description	pid	process
Token: SeDebugPrivilege	624	voiceadequovl.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 1736	1996	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1996 wrote to memory of 1736	1996	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1996 wrote to memory of 1736	1996	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1996 wrote to memory of 1736	1996	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1736 wrote to memory of 624	1736	voiceadequovl.exe	voiceadequovl.exe
PID 1736 wrote to memory of 624	1736	voiceadequovl.exe	voiceadequovl.exe
PID 1736 wrote to memory of 624	1736	voiceadequovl.exe	voiceadequovl.exe
PID 1736 wrote to memory of 624	1736	voiceadequovl.exe	voiceadequovl.exe
PID 624 wrote to memory of 1676	624	voiceadequovl.exe	powershell.exe
PID 624 wrote to memory of 1676	624	voiceadequovl.exe	powershell.exe
PID 624 wrote to memory of 1676	624	voiceadequovl.exe	powershell.exe
PID 624 wrote to memory of 1676	624	voiceadequovl.exe	powershell.exe
PID 624 wrote to memory of 1496	624	voiceadequovl.exe	cmd.exe
PID 624 wrote to memory of 1496	624	voiceadequovl.exe	cmd.exe
PID 624 wrote to memory of 1496	624	voiceadequovl.exe	cmd.exe
PID 624 wrote to memory of 1496	624	voiceadequovl.exe	cmd.exe
PID 1496 wrote to memory of 840	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 840	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 840	1496	cmd.exe	powershell.exe
PID 1496 wrote to memory of 840	1496	cmd.exe	powershell.exe
PID 624 wrote to memory of 1068	624	voiceadequovl.exe	voiceadequovl.exe
PID 624 wrote to memory of 1068	624	voiceadequovl.exe	voiceadequovl.exe
PID 624 wrote to memory of 1068	624	voiceadequovl.exe	voiceadequovl.exe
PID 624 wrote to memory of 1068	624	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1068

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:928

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
185.6MB

MD5
e416b553ccbd7ba263578f234c3902ed

SHA1
b8b28c73d2cbe69944af118b2212709c8112c078

SHA256
15f6358302609a3eec155b38527ff36d08c874da4f0dfe3b75e21cd80bbe3c10

SHA512
3c4abb585d161150aceb0d136d3acae94c2776bd6378544c8d6adbf9c3d98c2298c34444fa97428e7680bca4688e01e61c5de069d6317eb642191fd1ed0dc048

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
299.7MB

MD5
1656d074c5c8c2c9b1a10d4e018f8058

SHA1
cb193bd319b5e1b01cf5272437f4fc654ca93304

SHA256
8a341b9f8a83adc9c2483bbd255008ec4082052ff478a44b583a0f51f7d7d4fd

SHA512
e0005d0bff64cc0e463bd13abf6f7ea63a416eac0df75b77120835de3117a86e6b4877c3e9da65875b2a3b5178543b86ee98b9441389f33fc3ed1bae5b3de535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
3a9903e3eb074060779c848f83af86e2

SHA1
5c191230200cbc3d00878de5177b20866bed9e0d

SHA256
f58fa956f608f3db3485ac7ba72ff8e501666a6754c34242418ca3adf54f1d2e

SHA512
e0eb55af57c6b023e0de7cc4dc4c4ee926fa8526189e9fa9d0627933d2a933da724061540751213cc01c0e7018abe98e0b863f8fbbfd571e5b0f51366ab9dc48

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
249.2MB

MD5
02d32bacc7c7954c725accff01ef2059

SHA1
8a75a11b6ae6d8188298b4dffbc9e23cdbe0f2c8

SHA256
35e79c551977fdda23bef3317a532c90c5fff7e663e0180a1ed0a9d6a375b9df

SHA512
5c0226cb1dee344f9bd892546daf4d4fa806de983e6e245d43c481c6f44c4b9616c0058ef171c2d9825ec6ecdd899f8df8bc71e21343ccd36ef98e1732f48d65

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
246.2MB

MD5
b21e77a5ac8143714802fba76a7230ee

SHA1
89dfdbca76dd7386320a7ee770f80a79d650e5db

SHA256
ac66b1bf4b4a32a0c14bb8413c13d10707690d194aeffcf7053b9b2ac6aef69e

SHA512
6da5ba85684b2c3dd143b30202e051013aaf2f7cd61c7fc7379e2b12dbfa64d1b915ff623b93e18f9c0cebb81b25d797c1d1bb327ff15a011bd1598bad33affd

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
67.8MB

MD5
37429e658270788ee4bccba20ba262a0

SHA1
5e432ac72027f0f207a40b87610b27a84f580920

SHA256
bee64ad5386fac0294e564f0efd35891ce8e703a6761cd828e362eb8c9303760

SHA512
60101c0114a4d92bc03cdae4a1a2b0eab0e15270daa28a9ab963910f8edac5a37be0b73a6e13f7eb546d8c72376e1ff828ff0ed545941045265ca19c4f2a59f0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
246.6MB

MD5
9a85025c3f8c9d92198495f6c66af35c

SHA1
f54c5225bc853bf1d4b8613a541f6609a1405325

SHA256
79e4b7a9ca4c95395fe758f736143f208314b6693a932965a2a15aa0da026f95

SHA512
f0f503d84bc4f2fccc077af04bb3cf3028df3208e3276010644cd89653f6d146c19af37344f9384ca6106176ea2d0900e4fa3e4259bc49a0db76f5e589cd8596

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
243.5MB

MD5
5d6cd8ac333bea4a4ed594e36238074e

SHA1
89db5b5aa3d7e9acbf3806e333484ee831016b84

SHA256
d5685c76ec2d11e7b317fb85afc8b8055a87bb2eb5362c84fd14965418462416

SHA512
7e0b87beb0e56e625ed52666dd56f11034db84cbb0e9cf30ee007d91a58ab3d8a4a8750ebeba074e6603e54fcd7fbfb2a70008e2989e770cf2f364549aa0d04f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
245.6MB

MD5
b53840f25dddead8351a9e1de4c76cfe

SHA1
91e5a3d6c47673f6b12c1330bd9d40d3888b2ca3

SHA256
7383509103fa4c305a627a3140de5537b9ae83203ef90fd2be5a9b5b7c036b69

SHA512
d4a3263a449e89dbd28fa059ff811784e4d2a218488be1ea7d0469244d48ba4d19eb39eebf199919e892f1a7cb0c4e658567a8b8ffcee0d78da540097c6ea92e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
245.1MB

MD5
7bff1772af764fca47bac0c018bd1003

SHA1
d5caa88cc0c3583358d4f6db1385be9f7cb42160

SHA256
3cf7e34b6462032a08f8cc50d849034ac713b37caa95c36f5d949c75bf596d18

SHA512
b3f822b2b4c9504c11a4680a8fd612a99e5b540a6379839e7cff25d3c5ffb32f04f6176d51b81203825bdd2264001360d511027285ad41b78f0cb449692a501b

Download Submit
memory/624-73-0x0000000005460000-0x00000000055D2000-memory.dmp

Filesize
1.4MB

Download
memory/624-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download
memory/624-65-0x0000000000F70000-0x00000000016E4000-memory.dmp

Filesize
7.5MB

Download
memory/624-62-0x0000000000000000-mapping.dmp

Download
memory/840-74-0x0000000000000000-mapping.dmp

Download
memory/840-93-0x000000006F5B0000-0x000000006FB5B000-memory.dmp

Filesize
5.7MB

Download
memory/840-78-0x000000006F5B0000-0x000000006FB5B000-memory.dmp

Filesize
5.7MB

Download
memory/928-97-0x0000000000000000-mapping.dmp

Download
memory/1068-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-96-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1068-90-0x0000000000464C20-mapping.dmp

Download
memory/1496-72-0x0000000000000000-mapping.dmp

Download
memory/1676-70-0x000000006F850000-0x000000006FDFB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-69-0x000000006F850000-0x000000006FDFB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-71-0x000000006F850000-0x000000006FDFB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-67-0x0000000000000000-mapping.dmp

Download
memory/1736-56-0x0000000075D11000-0x0000000075D13000-memory.dmp

Filesize
8KB

Download
memory/1736-54-0x0000000000000000-mapping.dmp

Download