aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
144s
max time network
156s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1188-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1300 voiceadequovl.exe
1188 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1300 voiceadequovl.exe
1300 voiceadequovl.exe
1300 voiceadequovl.exe
1300 voiceadequovl.exe

pid	process
1300	voiceadequovl.exe
1188	voiceadequovl.exe

pid	process
1300	voiceadequovl.exe
1300	voiceadequovl.exe
1300	voiceadequovl.exe
1300	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1140 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1188 voiceadequovl.exe
Token: SeDebugPrivilege 1140 powershell.exe

pid	process
1140	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1188	voiceadequovl.exe
Token: SeDebugPrivilege	1140	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1540 wrote to memory of 1300	1540	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1540 wrote to memory of 1300	1540	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1540 wrote to memory of 1300	1540	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1540 wrote to memory of 1300	1540	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1300 wrote to memory of 1188	1300	voiceadequovl.exe	voiceadequovl.exe
PID 1300 wrote to memory of 1188	1300	voiceadequovl.exe	voiceadequovl.exe
PID 1300 wrote to memory of 1188	1300	voiceadequovl.exe	voiceadequovl.exe
PID 1300 wrote to memory of 1188	1300	voiceadequovl.exe	voiceadequovl.exe
PID 1188 wrote to memory of 1140	1188	voiceadequovl.exe	powershell.exe
PID 1188 wrote to memory of 1140	1188	voiceadequovl.exe	powershell.exe
PID 1188 wrote to memory of 1140	1188	voiceadequovl.exe	powershell.exe
PID 1188 wrote to memory of 1140	1188	voiceadequovl.exe	powershell.exe
PID 1188 wrote to memory of 1632	1188	voiceadequovl.exe	cmd.exe
PID 1188 wrote to memory of 1632	1188	voiceadequovl.exe	cmd.exe
PID 1188 wrote to memory of 1632	1188	voiceadequovl.exe	cmd.exe
PID 1188 wrote to memory of 1632	1188	voiceadequovl.exe	cmd.exe
PID 1632 wrote to memory of 1664	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1664	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1664	1632	cmd.exe	powershell.exe
PID 1632 wrote to memory of 1664	1632	cmd.exe	powershell.exe
PID 1188 wrote to memory of 112	1188	voiceadequovl.exe	voiceadequovl.exe
PID 1188 wrote to memory of 112	1188	voiceadequovl.exe	voiceadequovl.exe
PID 1188 wrote to memory of 112	1188	voiceadequovl.exe	voiceadequovl.exe
PID 1188 wrote to memory of 112	1188	voiceadequovl.exe	voiceadequovl.exe
PID 1188 wrote to memory of 112	1188	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1664

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:112

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
5⤵
PID:668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
341c6f360834aeb2e78bb653654c7b97

SHA1
b7dd21a19e7389dff00620283b78f609cc664cc8

SHA256
ea83722a9073378c34c087e4010c8e25413860334a78202809a989a972c3d9fc

SHA512
04bb495aabf267630d397770cca0a28b186b3dffcf88fcd8077b339732b4c33ee99ae4ad7b9f1a5e73f466a722e723ca2e3c00ae54d3bd60257cc9f284b9ae47

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
250.8MB

MD5
a2d46e222e7fd4c425386feb6e48150b

SHA1
40ba8494df5db79492cfd53290f2c4c1fc91e1f5

SHA256
09dba61f312603bc77f7e741ef103fd436389db0c1096402563c31b892669b97

SHA512
93378a6e0a834748320b4681b7b4273ec772df40b8199a0ec7cc11678b1e8a39a9bc9e0091345a6af5984bd9e2b6f1efc98aa6aebf911c44345733e06db0c0dc

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
256.7MB

MD5
71fa9caf52e001c875eeacfea3dc5fd9

SHA1
2a61b5248eb52427ac053db2b949b728d150d3ee

SHA256
d9765a09ceb82b5684b2b28b9e0a249de0d29578d041c01125ddd622fb5cd3a0

SHA512
013c1229f25ec82ce116c3d26d08aa601bde554016e210ae8400b31ac28aae1ff1b75a7a8a0f98bffdd249b4b795077bab8dec1e75d0316e2018455f47978877

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
9.8MB

MD5
4afe5c3dc87e97a93d3e1fd6219c7903

SHA1
9dd8ff1e7a866be3e53a442f8e37d3eb225a42d6

SHA256
0d149c6078a1a0c40bd9906561a41e254edc2805eeaafbe7296f39a58d4c7ba1

SHA512
d7b6d86988c2e8c56f5c9bcf7d173e2f0306a028e328f86f06675d3832a7d8158779e822575427b696267e631c536e3e3c6d747ee298abb45f1daf0925b5dfe4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
192.9MB

MD5
4d7eca6fb47c5c8841dfcba0647776ab

SHA1
d502949611b4bc31a9b30655c40644ab30eff6b9

SHA256
9b34b09550860805a1bde855808d9474943a7a83458ae54c79ebd9f3bce74dfc

SHA512
dca33dbcbadf13fa3c0d808fe4bab466830c2aaa37a87d015b309310c28acaab456d59219de4078ab2399764bb44b5a485f3a462c14b275ced3b14fc67bee334

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
258.5MB

MD5
e380800fab17ddf75a1a89b4abf1e28c

SHA1
9f99a768cee6639efd5eb9c007c39c25710d94bc

SHA256
b8d998c04cede779c08f1e1b394fc40b4d1268b242787c84e3664aadd01bfe15

SHA512
616169c1ca53e16da071dac4ef01bafdf56da94c1a3b6046e23e7c4261ed54e38e59ad70e55cf5487bb37dcdf223c75d3eabb461bf32993af51acad1899fb58b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
257.0MB

MD5
6b8d779a2014f60918ad661c1ab7f238

SHA1
e84139c854e501b61504afc28018525ca9c5f0a9

SHA256
2a3fa1df8b67a7226cc1100a532c164ec157e98880d477a0cda4e3f46222af8c

SHA512
3e6f4aebe8230d76f21a054a26de5baf1a42181c1097f50548bbf11461724d18207ba9172ec5beb02a5f95d64567abd51a10ada81b29852604dcd03a26f8acc8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
240.6MB

MD5
cd9ef61bb6ee9e661ae5c5970d29ffac

SHA1
17debe4b1c231bcc2b379077886764012f1a5588

SHA256
61938afa0a148bec26e0138249c00a3630e77618ba18d757a9fc6a1229939976

SHA512
f046551b99bce87b4771d9bd1ab9419c086616850ed1dc76b0215196718776b5c3aef9f890af45eb0b5702189a599812defdf21155ae611da04743a2950b9df8

Download Submit
memory/112-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-90-0x0000000000464C20-mapping.dmp

Download
memory/112-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/112-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/668-96-0x0000000000000000-mapping.dmp

Download
memory/1140-67-0x0000000000000000-mapping.dmp

Download
memory/1140-71-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1140-70-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1140-69-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1188-65-0x0000000000CE0000-0x0000000001454000-memory.dmp

Filesize
7.5MB

Download
memory/1188-62-0x0000000000000000-mapping.dmp

Download
memory/1188-73-0x0000000005260000-0x00000000053D2000-memory.dmp

Filesize
1.4MB

Download
memory/1188-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/1300-54-0x0000000000000000-mapping.dmp

Download
memory/1300-56-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1632-72-0x0000000000000000-mapping.dmp

Download
memory/1664-74-0x0000000000000000-mapping.dmp

Download
memory/1664-87-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download