aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
75s
max time network
79s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/844-66-0x00000000064C0000-0x0000000006860000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1116	voiceadequovl.exe
844	voiceadequovl.exe
556	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1116	voiceadequovl.exe
1116	voiceadequovl.exe
1116	voiceadequovl.exe
1116	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 844 set thread context of 556	844	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1928	powershell.exe
1696	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	voiceadequovl.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeIncreaseQuotaPrivilege	1628	wmic.exe
Token: SeSecurityPrivilege	1628	wmic.exe
Token: SeTakeOwnershipPrivilege	1628	wmic.exe
Token: SeLoadDriverPrivilege	1628	wmic.exe
Token: SeSystemProfilePrivilege	1628	wmic.exe
Token: SeSystemtimePrivilege	1628	wmic.exe
Token: SeProfSingleProcessPrivilege	1628	wmic.exe
Token: SeIncBasePriorityPrivilege	1628	wmic.exe
Token: SeCreatePagefilePrivilege	1628	wmic.exe
Token: SeBackupPrivilege	1628	wmic.exe
Token: SeRestorePrivilege	1628	wmic.exe
Token: SeShutdownPrivilege	1628	wmic.exe
Token: SeDebugPrivilege	1628	wmic.exe
Token: SeSystemEnvironmentPrivilege	1628	wmic.exe
Token: SeRemoteShutdownPrivilege	1628	wmic.exe
Token: SeUndockPrivilege	1628	wmic.exe
Token: SeManageVolumePrivilege	1628	wmic.exe
Token: 33	1628	wmic.exe
Token: 34	1628	wmic.exe
Token: 35	1628	wmic.exe
Token: SeIncreaseQuotaPrivilege	1628	wmic.exe
Token: SeSecurityPrivilege	1628	wmic.exe
Token: SeTakeOwnershipPrivilege	1628	wmic.exe
Token: SeLoadDriverPrivilege	1628	wmic.exe
Token: SeSystemProfilePrivilege	1628	wmic.exe
Token: SeSystemtimePrivilege	1628	wmic.exe
Token: SeProfSingleProcessPrivilege	1628	wmic.exe
Token: SeIncBasePriorityPrivilege	1628	wmic.exe
Token: SeCreatePagefilePrivilege	1628	wmic.exe
Token: SeBackupPrivilege	1628	wmic.exe
Token: SeRestorePrivilege	1628	wmic.exe
Token: SeShutdownPrivilege	1628	wmic.exe
Token: SeDebugPrivilege	1628	wmic.exe
Token: SeSystemEnvironmentPrivilege	1628	wmic.exe
Token: SeRemoteShutdownPrivilege	1628	wmic.exe
Token: SeUndockPrivilege	1628	wmic.exe
Token: SeManageVolumePrivilege	1628	wmic.exe
Token: 33	1628	wmic.exe
Token: 34	1628	wmic.exe
Token: 35	1628	wmic.exe
Token: SeIncreaseQuotaPrivilege	1668	WMIC.exe
Token: SeSecurityPrivilege	1668	WMIC.exe
Token: SeTakeOwnershipPrivilege	1668	WMIC.exe
Token: SeLoadDriverPrivilege	1668	WMIC.exe
Token: SeSystemProfilePrivilege	1668	WMIC.exe
Token: SeSystemtimePrivilege	1668	WMIC.exe
Token: SeProfSingleProcessPrivilege	1668	WMIC.exe
Token: SeIncBasePriorityPrivilege	1668	WMIC.exe
Token: SeCreatePagefilePrivilege	1668	WMIC.exe
Token: SeBackupPrivilege	1668	WMIC.exe
Token: SeRestorePrivilege	1668	WMIC.exe
Token: SeShutdownPrivilege	1668	WMIC.exe
Token: SeDebugPrivilege	1668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1668	WMIC.exe
Token: SeRemoteShutdownPrivilege	1668	WMIC.exe
Token: SeUndockPrivilege	1668	WMIC.exe
Token: SeManageVolumePrivilege	1668	WMIC.exe
Token: 33	1668	WMIC.exe
Token: 34	1668	WMIC.exe
Token: 35	1668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1668	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1116	1476	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1476 wrote to memory of 1116	1476	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1476 wrote to memory of 1116	1476	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1476 wrote to memory of 1116	1476	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1116 wrote to memory of 844	1116	voiceadequovl.exe	28
PID 1116 wrote to memory of 844	1116	voiceadequovl.exe	28
PID 1116 wrote to memory of 844	1116	voiceadequovl.exe	28
PID 1116 wrote to memory of 844	1116	voiceadequovl.exe	28
PID 844 wrote to memory of 1928	844	voiceadequovl.exe	29
PID 844 wrote to memory of 1928	844	voiceadequovl.exe	29
PID 844 wrote to memory of 1928	844	voiceadequovl.exe	29
PID 844 wrote to memory of 1928	844	voiceadequovl.exe	29
PID 844 wrote to memory of 1872	844	voiceadequovl.exe	32
PID 844 wrote to memory of 1872	844	voiceadequovl.exe	32
PID 844 wrote to memory of 1872	844	voiceadequovl.exe	32
PID 844 wrote to memory of 1872	844	voiceadequovl.exe	32
PID 1872 wrote to memory of 1696	1872	cmd.exe	33
PID 1872 wrote to memory of 1696	1872	cmd.exe	33
PID 1872 wrote to memory of 1696	1872	cmd.exe	33
PID 1872 wrote to memory of 1696	1872	cmd.exe	33
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 844 wrote to memory of 556	844	voiceadequovl.exe	34
PID 556 wrote to memory of 1628	556	voiceadequovl.exe	35
PID 556 wrote to memory of 1628	556	voiceadequovl.exe	35
PID 556 wrote to memory of 1628	556	voiceadequovl.exe	35
PID 556 wrote to memory of 1628	556	voiceadequovl.exe	35
PID 556 wrote to memory of 1752	556	voiceadequovl.exe	39
PID 556 wrote to memory of 1752	556	voiceadequovl.exe	39
PID 556 wrote to memory of 1752	556	voiceadequovl.exe	39
PID 556 wrote to memory of 1752	556	voiceadequovl.exe	39
PID 1752 wrote to memory of 1668	1752	cmd.exe	40
PID 1752 wrote to memory of 1668	1752	cmd.exe	40
PID 1752 wrote to memory of 1668	1752	cmd.exe	40
PID 1752 wrote to memory of 1668	1752	cmd.exe	40
PID 556 wrote to memory of 1768	556	voiceadequovl.exe	42
PID 556 wrote to memory of 1768	556	voiceadequovl.exe	42
PID 556 wrote to memory of 1768	556	voiceadequovl.exe	42
PID 556 wrote to memory of 1768	556	voiceadequovl.exe	42
PID 1768 wrote to memory of 916	1768	cmd.exe	43
PID 1768 wrote to memory of 916	1768	cmd.exe	43
PID 1768 wrote to memory of 916	1768	cmd.exe	43
PID 1768 wrote to memory of 916	1768	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
189.8MB

MD5
8d60aeba7d85e40b6cd0063b970dbf46

SHA1
ffa31dbce4fc578da357cfd3f0fa718d16bba7c9

SHA256
0d3222ba1e98402c96cf3465963c7d708f1733d71642a9a3f27e0322577c9ceb

SHA512
67e4f0709ac29070f4c2b8e1f0cccecf702b2babb6950acdab403050410c0b23b2a00765a79d22da19e2b242d494cfa678d6876ddee187fbe3f9595edd52bfeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
186.2MB

MD5
c8b014590f031559228878b6ae74902e

SHA1
017e3835b57f2a280b22aae645718001b4ec6f22

SHA256
4e27f0930d2068c8e50e8383a9b88eab21ff77f56e49ca88f244952fc69d4e43

SHA512
03e5df486b058dc450d50c74558c3c100d4c8b4d51afa7b521dae2023b6f83ca2723601acf1dcfd1193bb2699a0e4f117a1725a39e61690c79cc57218f03854f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ebe44356be4d4f7e1a038968e4bdbdb0

SHA1
367ff11479d32ce995195f8c0df707e59b648c86

SHA256
95fc81a36d1f71ae85e5bf8fd65091956a1e0db6de95ef1bfbcb55d4e40f29ef

SHA512
d5e1bb937cbe934ed54f6b2ac66fe034d61fe975f3bb4fe1e5f96e950023bcf19487ed8c5f2bb8c9562d2f1d2d3754738f2126a8db7500aca57ce8fc4428e35e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
173.1MB

MD5
c38c7037ecbdc20aa1f00ffbd992ed83

SHA1
ff4411d266e3ca37c84ff3adb477d260eb87d40f

SHA256
15ab6d8f3b1a729e8e7a17dcbd3557feeec3a757ef93fcbf49a86f5fb9d142c9

SHA512
de4121c0b43e4bd0d6af14281f5a3c1fc4cd088106f7cb41caea00b33a353fc93a6ee67003b42cb5d89adc3d542ea930cab28971bcca7858e1ea45263eaab776

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
173.2MB

MD5
f544e70384bbf644f83d39174df1191d

SHA1
fc9d421564a9d5c902f67bc81fccd572e146f677

SHA256
8795bd99d9c438390e662869bbae251ef4d8af07e84d7902b9925145edd9a400

SHA512
acff08e388df86a6a4436c6723184344e58d8e8a46f2feb2d9d122ffcbc8073c47fe1f379e1dfc6caf2b003e52102f12e0743422e9a58a2457a372ea4c17b0f7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
134.8MB

MD5
af2f4cb9341ebfee336605edf70f782a

SHA1
48f05fb786613a4be459622991117f5f61b07bb9

SHA256
df1a7cbfa494a44e4ba168924501f286300b1acc792059040702e9c57fb244c0

SHA512
9b27e53d9f3922921e87ca0899a05493bafad4205a9f79592bf452d8ddf79d81c199bdb302d4e2cf01362cbca36da8dcd65e7f4992e17985d5e7b12c3abf11bc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
167.2MB

MD5
79ce362f2e170486e133d7f706c47ea3

SHA1
478664d7161a635acaafbdbc918bf6f05cb5904d

SHA256
b9f7164077a4f18902b74f1b2dc520f47d00359c3ee8eb90fbc02d24b7b2bab9

SHA512
1a2a37116c8150e9e99e031468d1d2cd8faf0db5ce62810ca44857bf8d7b743dd951b5b0c57355ff1aec546e586386308b87f8b19b52082831f86a75339f19d1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
170.6MB

MD5
c2b5b374b801ab1a89248168fa543207

SHA1
e4ac919ce4c90177a8e046b046b34f87bf26e5b8

SHA256
e86022da8a9cf14a82c94340d15b2b92be54ef4a7659835c00ce7a647ee10788

SHA512
4f119711e55294ad80400914b2123755230f4d73b5fc04f1255c567fb9c0a412ac6759875f347995cb5b3042324ab30473a4a2426f93ed78764ad40d3a1f15cf

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
172.1MB

MD5
8f6fb7a5ebb958e2224c74b8d77e3e62

SHA1
0c6fc3b6b512389c5a400c09d82d78af74f2ed42

SHA256
cdd0c086761dc9ca90c3e1dbe4be05f11938c933e2844fc248deda6fbae4acd5

SHA512
fb968fc15927f1b9147a5211c29b0f34988acf9771a68a5101dac87bab704fd006eaadea08daf66e042cfc1fca4f0a3b5c2d0423ca7ef6efc95fba4164185c37

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
173.6MB

MD5
0e6c21e1be9f4d0324f14b929d4a9797

SHA1
1942602c44b91e8ed452722ee0b3ee458f08f92b

SHA256
8488fcac3e5416dfd1c763969b40f9f8e4be1d0559210450899bf92a5394a94e

SHA512
470e9a4b44ed3495632d547ae32dd38891b8e6ac6ab807220ac1bec427cabe9260de639999c51371b4a48d8aa809879ccc85f11e75c246601d5c0cf6014d09d5

Download Submit
memory/556-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/556-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/844-65-0x0000000000C40000-0x00000000013B4000-memory.dmp

Filesize
7.5MB

Download
memory/844-73-0x0000000005470000-0x00000000055E2000-memory.dmp

Filesize
1.4MB

Download
memory/844-66-0x00000000064C0000-0x0000000006860000-memory.dmp

Filesize
3.6MB

Download
memory/1116-56-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/1696-95-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-93-0x000000006F110000-0x000000006F6BB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-69-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-70-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-71-0x000000006F3C0000-0x000000006F96B000-memory.dmp

Filesize
5.7MB

Download