aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
69s
max time network
74s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 00:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1476-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1632	voiceadequovl.exe
1476	voiceadequovl.exe
1920	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1632	voiceadequovl.exe
1632	voiceadequovl.exe
1632	voiceadequovl.exe
1632	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1476 set thread context of 1920	1476	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1012	powershell.exe
1196	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	voiceadequovl.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	1904	wmic.exe
Token: SeSecurityPrivilege	1904	wmic.exe
Token: SeTakeOwnershipPrivilege	1904	wmic.exe
Token: SeLoadDriverPrivilege	1904	wmic.exe
Token: SeSystemProfilePrivilege	1904	wmic.exe
Token: SeSystemtimePrivilege	1904	wmic.exe
Token: SeProfSingleProcessPrivilege	1904	wmic.exe
Token: SeIncBasePriorityPrivilege	1904	wmic.exe
Token: SeCreatePagefilePrivilege	1904	wmic.exe
Token: SeBackupPrivilege	1904	wmic.exe
Token: SeRestorePrivilege	1904	wmic.exe
Token: SeShutdownPrivilege	1904	wmic.exe
Token: SeDebugPrivilege	1904	wmic.exe
Token: SeSystemEnvironmentPrivilege	1904	wmic.exe
Token: SeRemoteShutdownPrivilege	1904	wmic.exe
Token: SeUndockPrivilege	1904	wmic.exe
Token: SeManageVolumePrivilege	1904	wmic.exe
Token: 33	1904	wmic.exe
Token: 34	1904	wmic.exe
Token: 35	1904	wmic.exe
Token: SeIncreaseQuotaPrivilege	1904	wmic.exe
Token: SeSecurityPrivilege	1904	wmic.exe
Token: SeTakeOwnershipPrivilege	1904	wmic.exe
Token: SeLoadDriverPrivilege	1904	wmic.exe
Token: SeSystemProfilePrivilege	1904	wmic.exe
Token: SeSystemtimePrivilege	1904	wmic.exe
Token: SeProfSingleProcessPrivilege	1904	wmic.exe
Token: SeIncBasePriorityPrivilege	1904	wmic.exe
Token: SeCreatePagefilePrivilege	1904	wmic.exe
Token: SeBackupPrivilege	1904	wmic.exe
Token: SeRestorePrivilege	1904	wmic.exe
Token: SeShutdownPrivilege	1904	wmic.exe
Token: SeDebugPrivilege	1904	wmic.exe
Token: SeSystemEnvironmentPrivilege	1904	wmic.exe
Token: SeRemoteShutdownPrivilege	1904	wmic.exe
Token: SeUndockPrivilege	1904	wmic.exe
Token: SeManageVolumePrivilege	1904	wmic.exe
Token: 33	1904	wmic.exe
Token: 34	1904	wmic.exe
Token: 35	1904	wmic.exe
Token: SeIncreaseQuotaPrivilege	1492	WMIC.exe
Token: SeSecurityPrivilege	1492	WMIC.exe
Token: SeTakeOwnershipPrivilege	1492	WMIC.exe
Token: SeLoadDriverPrivilege	1492	WMIC.exe
Token: SeSystemProfilePrivilege	1492	WMIC.exe
Token: SeSystemtimePrivilege	1492	WMIC.exe
Token: SeProfSingleProcessPrivilege	1492	WMIC.exe
Token: SeIncBasePriorityPrivilege	1492	WMIC.exe
Token: SeCreatePagefilePrivilege	1492	WMIC.exe
Token: SeBackupPrivilege	1492	WMIC.exe
Token: SeRestorePrivilege	1492	WMIC.exe
Token: SeShutdownPrivilege	1492	WMIC.exe
Token: SeDebugPrivilege	1492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1492	WMIC.exe
Token: SeRemoteShutdownPrivilege	1492	WMIC.exe
Token: SeUndockPrivilege	1492	WMIC.exe
Token: SeManageVolumePrivilege	1492	WMIC.exe
Token: 33	1492	WMIC.exe
Token: 34	1492	WMIC.exe
Token: 35	1492	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1492	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1632	1108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1108 wrote to memory of 1632	1108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1108 wrote to memory of 1632	1108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1108 wrote to memory of 1632	1108	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1632 wrote to memory of 1476	1632	voiceadequovl.exe	28
PID 1632 wrote to memory of 1476	1632	voiceadequovl.exe	28
PID 1632 wrote to memory of 1476	1632	voiceadequovl.exe	28
PID 1632 wrote to memory of 1476	1632	voiceadequovl.exe	28
PID 1476 wrote to memory of 1012	1476	voiceadequovl.exe	29
PID 1476 wrote to memory of 1012	1476	voiceadequovl.exe	29
PID 1476 wrote to memory of 1012	1476	voiceadequovl.exe	29
PID 1476 wrote to memory of 1012	1476	voiceadequovl.exe	29
PID 1476 wrote to memory of 392	1476	voiceadequovl.exe	31
PID 1476 wrote to memory of 392	1476	voiceadequovl.exe	31
PID 1476 wrote to memory of 392	1476	voiceadequovl.exe	31
PID 1476 wrote to memory of 392	1476	voiceadequovl.exe	31
PID 392 wrote to memory of 1196	392	cmd.exe	33
PID 392 wrote to memory of 1196	392	cmd.exe	33
PID 392 wrote to memory of 1196	392	cmd.exe	33
PID 392 wrote to memory of 1196	392	cmd.exe	33
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1476 wrote to memory of 1920	1476	voiceadequovl.exe	34
PID 1920 wrote to memory of 1904	1920	voiceadequovl.exe	35
PID 1920 wrote to memory of 1904	1920	voiceadequovl.exe	35
PID 1920 wrote to memory of 1904	1920	voiceadequovl.exe	35
PID 1920 wrote to memory of 1904	1920	voiceadequovl.exe	35
PID 1920 wrote to memory of 1616	1920	voiceadequovl.exe	39
PID 1920 wrote to memory of 1616	1920	voiceadequovl.exe	39
PID 1920 wrote to memory of 1616	1920	voiceadequovl.exe	39
PID 1920 wrote to memory of 1616	1920	voiceadequovl.exe	39
PID 1616 wrote to memory of 1492	1616	cmd.exe	40
PID 1616 wrote to memory of 1492	1616	cmd.exe	40
PID 1616 wrote to memory of 1492	1616	cmd.exe	40
PID 1616 wrote to memory of 1492	1616	cmd.exe	40
PID 1920 wrote to memory of 1464	1920	voiceadequovl.exe	42
PID 1920 wrote to memory of 1464	1920	voiceadequovl.exe	42
PID 1920 wrote to memory of 1464	1920	voiceadequovl.exe	42
PID 1920 wrote to memory of 1464	1920	voiceadequovl.exe	42
PID 1464 wrote to memory of 1512	1464	cmd.exe	43
PID 1464 wrote to memory of 1512	1464	cmd.exe	43
PID 1464 wrote to memory of 1512	1464	cmd.exe	43
PID 1464 wrote to memory of 1512	1464	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1012
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:392
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
264.9MB

MD5
5fe0749eb5921a8d6c8a35f789f9bf3b

SHA1
b46499aba55fe1245f934805b9036ed83608ee3a

SHA256
a7cf41a50f153754e7ace79179edf0d4afa1391990ac237f148879c9a801230c

SHA512
888a03581958a8ad742ce6dc7c2ac55d593b8f2e7d4bdea3e0c9f5c779e9e043b0dad13114dfdc6d77ea1fa791227b253c048680315e59d21b86b38553092220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
262.4MB

MD5
0c2ddcabff3805d2d19c5346c519ce6b

SHA1
652cffa9367a8b89253c3b31ff5f96aebf698183

SHA256
87bae0bdc2dbd70e5fd8687b950289eb225805abef8f85e41e5efd8585a20dcc

SHA512
6e6280256beab0cd53123dab92c1fe632eef6f9c1c43562506137cc56717425c681607b22d9d9813ebdae906d777064cd2ec313c1877bdf5bd0afcc878a46f50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
03485186d7c64c26385a00dfa85a6549

SHA1
34f513475d0baab61bff4a04e1f9663f80014f8f

SHA256
55136298b0127f8bfe1ecaa7a420192175124ef52049da962d8ba8df6eaeb097

SHA512
3e8e4687af71acf01d447be17f9b82624b5da7c79e7b519987dca770be0037e26d30d756dc9eaeaf7e1dfecf12f956490956b972e4eaf04d2fe333a1ff963cde

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
218.0MB

MD5
a22a5751f3aa2eae28d5dab239056219

SHA1
bbc115343ebdd66292144ba528b42c8a521af354

SHA256
6b76cd6e00b58c0bd7fd117e3c86caaa78e69e93067108d37ba10b70ce736402

SHA512
fa9d57e9856dc3e48edc8bf2f0bdc79b6cc6ee2d770405d4f29063875633b1e99fa925fe5b9aca235eccefa3c163da2febcece7bc0610ede6f4d351f2cb6b557

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
240.8MB

MD5
e525366a013d242a4385261c8d9f7931

SHA1
9a582cff321a38905b294745f7bf7e17616b6aa3

SHA256
0511aec1ff152d92a615b8c1a8efb5e559e352a51160817a57a8970973668415

SHA512
00ffda7692373bfa6cd25f9162ac155cd71e8cbe330eb4d02d2e41defc48627318837022b6e30ee8ea56fda53659766a7e2886b93f65ac88811ed694ce12dc8d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
160.2MB

MD5
3e8210becc24242464eb35bc66c667f5

SHA1
0188cbbacd3413a40592c724abcdc172a6849d0d

SHA256
ac11b62e44280e0906814aead19173dbfc611377ed07adbe876e5a8b1c295c46

SHA512
55ae647a1f3544ee5b49978dcd860501a30c76050c2ebb51e8f4fed714f5335252fe3e00c3aad9ffd2c4078cc89b6a09e8e4d75caa46b35852b9afa98aa2720f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
225.2MB

MD5
8214e2d883782bcbfd5f940592c4b83b

SHA1
d769ebabf6c769d35a84aa0c19414da89c58ccfe

SHA256
98e05ff8e56802ca2c1c1310ae5e72287ef2e8f5fcb76cc0505d9af7463a0763

SHA512
cb0f5825d9679aaee3be870e88478b9f0427b4a67bbb4dc7ec0ddf28d6539855730495b78eb998476616ca496430d49e277b09f5fd0e3caac2a277e5d22a1e07

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
242.5MB

MD5
454f73a9fddce7b81e347488d4bb1dba

SHA1
9f9c5ed8114d1868ade4d095eb2148da9963a5c4

SHA256
316f5946fb4732bd271ae7572dc068d6ae9c9d79dbf122fc85cd038fa9b03193

SHA512
7bf43f755f74cc20b886bac25eb24290eae369897714f7bd0c45da2694fd83a7fb56e86f5a5cd23b20317d086e4d6a548b82e5f399f2b0850f40a5f2eb2bbe2e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.3MB

MD5
9cb1e5a3ce76827420aa247753b1192b

SHA1
bd41547602051805e8cab0f390af6bdbc752a251

SHA256
5b4a79b2bdcfc86c17db44fff6300c013d96a22aec31ed983d0dad033ffae092

SHA512
78bc4caedd9e3811291d99d01c102c7213dde3ae75daeea1b2ef54fc8b20b8603891029c66467694c9e823557310223d3be4fbbe8352447275e80a56e3ec8b2e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
238.2MB

MD5
c3a9381b2e9a7b513367287f030de889

SHA1
e59b0d95c1e806d1f4c66934f94b6fb7e4408406

SHA256
953bc2a907bed5a18ff98dc626489a5cf262d1a246239d28bc7bb08d7594ea6a

SHA512
a83e3f1e79e97dc5a2745ef79f7e71aebe4d31acd94ddd7c50d606001bf9603970a271ac1103adbe384a71d4c9905dac1a4f10d141b536e66a55bf557aba1656

Download Submit
memory/1012-69-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1012-70-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1012-71-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1196-89-0x000000006FAE0000-0x000000007008B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-94-0x000000006FAE0000-0x000000007008B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-65-0x0000000000B90000-0x0000000001304000-memory.dmp

Filesize
7.5MB

Download
memory/1476-74-0x0000000005360000-0x00000000054D2000-memory.dmp

Filesize
1.4MB

Download
memory/1476-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/1632-56-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1920-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download