aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
124s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/752-66-0x0000000006430000-0x00000000067D0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1364 voiceadequovl.exe
752 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1364 voiceadequovl.exe
1364 voiceadequovl.exe
1364 voiceadequovl.exe
1364 voiceadequovl.exe

pid	process
1364	voiceadequovl.exe
752	voiceadequovl.exe

pid	process
1364	voiceadequovl.exe
1364	voiceadequovl.exe
1364	voiceadequovl.exe
1364	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

552 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 752 voiceadequovl.exe
Token: SeDebugPrivilege 552 powershell.exe

pid	process
552	powershell.exe

description	pid	process
Token: SeDebugPrivilege	752	voiceadequovl.exe
Token: SeDebugPrivilege	552	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1536 wrote to memory of 1364	1536	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1364	1536	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1364	1536	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1536 wrote to memory of 1364	1536	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1364 wrote to memory of 752	1364	voiceadequovl.exe	voiceadequovl.exe
PID 1364 wrote to memory of 752	1364	voiceadequovl.exe	voiceadequovl.exe
PID 1364 wrote to memory of 752	1364	voiceadequovl.exe	voiceadequovl.exe
PID 1364 wrote to memory of 752	1364	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 552	752	voiceadequovl.exe	powershell.exe
PID 752 wrote to memory of 552	752	voiceadequovl.exe	powershell.exe
PID 752 wrote to memory of 552	752	voiceadequovl.exe	powershell.exe
PID 752 wrote to memory of 552	752	voiceadequovl.exe	powershell.exe
PID 752 wrote to memory of 824	752	voiceadequovl.exe	cmd.exe
PID 752 wrote to memory of 824	752	voiceadequovl.exe	cmd.exe
PID 752 wrote to memory of 824	752	voiceadequovl.exe	cmd.exe
PID 752 wrote to memory of 824	752	voiceadequovl.exe	cmd.exe
PID 824 wrote to memory of 1512	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 1512	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 1512	824	cmd.exe	powershell.exe
PID 824 wrote to memory of 1512	824	cmd.exe	powershell.exe
PID 752 wrote to memory of 1708	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1708	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1708	752	voiceadequovl.exe	voiceadequovl.exe
PID 752 wrote to memory of 1708	752	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1512

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1708

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
5⤵
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
219.3MB

MD5
316661fef51418ca29eaf49c3f44107d

SHA1
120c4fce94338b40a6658a0159ca5bc57b6b59df

SHA256
8060e8429e6d38e988b10fe0fd5e851bad66b4a22b098e96d35268b2ab569998

SHA512
764329f3263e0c9852e99a0f79bc3e862f7bb17d781eb4c5715a4603d125d3462272a721e32c897987d3ef85bdaba84a6f04d4c3b3c67c4c11f76bd5d018f700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
342.8MB

MD5
74cca91834ad419e4d906f0161cbbe71

SHA1
d0bd26117779d90bf18c88635a08338ec900d104

SHA256
5bf558e9071ad5c8f8a2ffbdc6c9ca436507fe0f6ac637cf9206d9d710e736dc

SHA512
304abdb11ba65edc2c95e36dfd9bd9d411984b22d84de977e9de0f80a13938dcf472bd9b3938c9c2d85382348489a65c775d09487ba21f623ad3a3c59766d2a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f282ba01eb5252d7b5a957753e75f467

SHA1
fb32f42c77d605f80a1a529183be34b64de0809e

SHA256
225cd282b3459be8b89e77a5ff6158e231159fa89c6bf399d57d65b8abd602cf

SHA512
f371eddd1d1c9039b24051460e80c208fe0354025f7271b8d81087014279dd3dcf302a7eb0303f0c615941aba9cb173a76b9ffa9a5079a009e7d236d71fd446d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.7MB

MD5
b1d07b34927ba49a6214bd826a02cad3

SHA1
cd940b799d16a9661ef0020eb8ff9d6e413fc7f8

SHA256
02a4a49299edecb83c66adfa300ef2355b2f766d7132c74987ae3da9ed928a3d

SHA512
31c8eb50cea4f2d05204faa41879bf3233efa3c15c08afb5cc4cef8b2db0fe0e22613fe98e3004193f6556cd3ab8e6ab7df4e83213747d1d223ccf728707f877

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.9MB

MD5
23b8d53b72b6e0d7bfe7faeefede6e99

SHA1
227b48b2e6475ad4b6b88d5a172924a77ad5499c

SHA256
636b0a26f999afd32de4d833036fd31dabea314ded830b7e47733ff36ab814aa

SHA512
a65aec57e45d54154b916097921ef4d54d118b6e5e4eab200d68396fbce1caafc9d4401b2ef89bd8f3ddb66a7f077b1a1eff3b3e63864f51fa6c32a74ed09e61

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
28.8MB

MD5
8fd26745c53fd39c2c19f2ae7ad0f0c6

SHA1
e621999bd94cae26f464ee538371fb6b2201aa32

SHA256
8ecf0f963b11cea52a4ee5ebd48f5df80939ff9d75c273f0e49fef5af44dcbe0

SHA512
026285a54eb747372a97c7f3ba2d6ec96991ec69fb369b24e5457720d85fcf9c2550889b10ed7f49d35926cabe91c46e0dd6bf94b357ccb7c9edfcfb731f8201

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
211.9MB

MD5
d9f0baf69a059c55473ec49c935e3188

SHA1
ef339d043378da9aa1c00dab0d60134cc5da7281

SHA256
ba03cb4a867ecbb5b52ef87a63b9b34c8d7c07dc01b63fa25a2e1d733d4b7e11

SHA512
027561801fddc100c780e8818476339bd3986abebcace393778b5831e27e3874b59369b7144d8f819eea1357b9aac41767f05821a953041ac4c4f7f65370f88d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.7MB

MD5
7a460091621e197dff02b6e2438e5b80

SHA1
67b8dda845dfc0bfa02e4a2f8217d023d0979d96

SHA256
9308313f3ca6fa6587008d00b718eb8b2cfab7ea1717e1c60e54d6b34087a996

SHA512
e6ca0b2676c3dfded832f2592e033d5b023ca2e112ae7b77c6efe7fd067be36674038725b28695dffe26f9e7641cf278a74772ff24f33074f26c0d329b07627c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.9MB

MD5
8e4da8bc478244c4abd023c6ebf2e32a

SHA1
2d3b7ff4038f9dfdd6b90f6695dbe9b07fc43d20

SHA256
30c54887e2122d1da452def7225a07fd97fe16af8a6eedc4c7c692fda0d53b75

SHA512
8cb40908aae1d4440d1824ac18fff00079909d8c18da6cc10972a9f2b5d1b007a42d3940be07d6ba7ae5a3575c92da71f62124bec06972d835cb90164d9dc283

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
251.5MB

MD5
6086ca64da2fe10c229ac469223d9d72

SHA1
3393164d7295980cc22c2762262ed745986251b8

SHA256
dc01750dc9903c0226916b006b1a734d43460032412e07da9d4265f3c1237966

SHA512
673d4e7dd2373b6fe0b928550cd9f57e6839857531e1d07adbc6a6687a689caa26e1ed1e78fe211e43d500ec08a0dd41f7a5c5e78c1a9ea087d3293c920a4a55

Download Submit
memory/552-67-0x0000000000000000-mapping.dmp

Download
memory/552-69-0x0000000070070000-0x000000007061B000-memory.dmp

Filesize
5.7MB

Download
memory/552-70-0x0000000070070000-0x000000007061B000-memory.dmp

Filesize
5.7MB

Download
memory/552-71-0x0000000070070000-0x000000007061B000-memory.dmp

Filesize
5.7MB

Download
memory/752-62-0x0000000000000000-mapping.dmp

Download
memory/752-65-0x0000000000F10000-0x0000000001684000-memory.dmp

Filesize
7.5MB

Download
memory/752-66-0x0000000006430000-0x00000000067D0000-memory.dmp

Filesize
3.6MB

Download
memory/752-74-0x00000000053E0000-0x0000000005552000-memory.dmp

Filesize
1.4MB

Download
memory/824-72-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x0000000000000000-mapping.dmp

Download
memory/1364-56-0x0000000076581000-0x0000000076583000-memory.dmp

Filesize
8KB

Download
memory/1512-73-0x0000000000000000-mapping.dmp

Download
memory/1512-91-0x000000006FAC0000-0x000000007006B000-memory.dmp

Filesize
5.7MB

Download
memory/1512-82-0x000000006FAC0000-0x000000007006B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-97-0x0000000000000000-mapping.dmp

Download
memory/1620-96-0x0000000000000000-mapping.dmp

Download
memory/1708-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-90-0x0000000000464C20-mapping.dmp

Download
memory/1708-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download