aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
82s
max time network
86s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1792-66-0x00000000064B0000-0x0000000006850000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1976	voiceadequovl.exe
1792	voiceadequovl.exe
900	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1976	voiceadequovl.exe
1976	voiceadequovl.exe
1976	voiceadequovl.exe
1976	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1792 set thread context of 900	1792	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1520	powershell.exe
1000	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	voiceadequovl.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeIncreaseQuotaPrivilege	1680	wmic.exe
Token: SeSecurityPrivilege	1680	wmic.exe
Token: SeTakeOwnershipPrivilege	1680	wmic.exe
Token: SeLoadDriverPrivilege	1680	wmic.exe
Token: SeSystemProfilePrivilege	1680	wmic.exe
Token: SeSystemtimePrivilege	1680	wmic.exe
Token: SeProfSingleProcessPrivilege	1680	wmic.exe
Token: SeIncBasePriorityPrivilege	1680	wmic.exe
Token: SeCreatePagefilePrivilege	1680	wmic.exe
Token: SeBackupPrivilege	1680	wmic.exe
Token: SeRestorePrivilege	1680	wmic.exe
Token: SeShutdownPrivilege	1680	wmic.exe
Token: SeDebugPrivilege	1680	wmic.exe
Token: SeSystemEnvironmentPrivilege	1680	wmic.exe
Token: SeRemoteShutdownPrivilege	1680	wmic.exe
Token: SeUndockPrivilege	1680	wmic.exe
Token: SeManageVolumePrivilege	1680	wmic.exe
Token: 33	1680	wmic.exe
Token: 34	1680	wmic.exe
Token: 35	1680	wmic.exe
Token: SeIncreaseQuotaPrivilege	1680	wmic.exe
Token: SeSecurityPrivilege	1680	wmic.exe
Token: SeTakeOwnershipPrivilege	1680	wmic.exe
Token: SeLoadDriverPrivilege	1680	wmic.exe
Token: SeSystemProfilePrivilege	1680	wmic.exe
Token: SeSystemtimePrivilege	1680	wmic.exe
Token: SeProfSingleProcessPrivilege	1680	wmic.exe
Token: SeIncBasePriorityPrivilege	1680	wmic.exe
Token: SeCreatePagefilePrivilege	1680	wmic.exe
Token: SeBackupPrivilege	1680	wmic.exe
Token: SeRestorePrivilege	1680	wmic.exe
Token: SeShutdownPrivilege	1680	wmic.exe
Token: SeDebugPrivilege	1680	wmic.exe
Token: SeSystemEnvironmentPrivilege	1680	wmic.exe
Token: SeRemoteShutdownPrivilege	1680	wmic.exe
Token: SeUndockPrivilege	1680	wmic.exe
Token: SeManageVolumePrivilege	1680	wmic.exe
Token: 33	1680	wmic.exe
Token: 34	1680	wmic.exe
Token: 35	1680	wmic.exe
Token: SeIncreaseQuotaPrivilege	1376	WMIC.exe
Token: SeSecurityPrivilege	1376	WMIC.exe
Token: SeTakeOwnershipPrivilege	1376	WMIC.exe
Token: SeLoadDriverPrivilege	1376	WMIC.exe
Token: SeSystemProfilePrivilege	1376	WMIC.exe
Token: SeSystemtimePrivilege	1376	WMIC.exe
Token: SeProfSingleProcessPrivilege	1376	WMIC.exe
Token: SeIncBasePriorityPrivilege	1376	WMIC.exe
Token: SeCreatePagefilePrivilege	1376	WMIC.exe
Token: SeBackupPrivilege	1376	WMIC.exe
Token: SeRestorePrivilege	1376	WMIC.exe
Token: SeShutdownPrivilege	1376	WMIC.exe
Token: SeDebugPrivilege	1376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1376	WMIC.exe
Token: SeRemoteShutdownPrivilege	1376	WMIC.exe
Token: SeUndockPrivilege	1376	WMIC.exe
Token: SeManageVolumePrivilege	1376	WMIC.exe
Token: 33	1376	WMIC.exe
Token: 34	1376	WMIC.exe
Token: 35	1376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1376	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1976	1980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1980 wrote to memory of 1976	1980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1980 wrote to memory of 1976	1980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1980 wrote to memory of 1976	1980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1976 wrote to memory of 1792	1976	voiceadequovl.exe	29
PID 1976 wrote to memory of 1792	1976	voiceadequovl.exe	29
PID 1976 wrote to memory of 1792	1976	voiceadequovl.exe	29
PID 1976 wrote to memory of 1792	1976	voiceadequovl.exe	29
PID 1792 wrote to memory of 1520	1792	voiceadequovl.exe	30
PID 1792 wrote to memory of 1520	1792	voiceadequovl.exe	30
PID 1792 wrote to memory of 1520	1792	voiceadequovl.exe	30
PID 1792 wrote to memory of 1520	1792	voiceadequovl.exe	30
PID 1792 wrote to memory of 1164	1792	voiceadequovl.exe	32
PID 1792 wrote to memory of 1164	1792	voiceadequovl.exe	32
PID 1792 wrote to memory of 1164	1792	voiceadequovl.exe	32
PID 1792 wrote to memory of 1164	1792	voiceadequovl.exe	32
PID 1164 wrote to memory of 1000	1164	cmd.exe	34
PID 1164 wrote to memory of 1000	1164	cmd.exe	34
PID 1164 wrote to memory of 1000	1164	cmd.exe	34
PID 1164 wrote to memory of 1000	1164	cmd.exe	34
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 1792 wrote to memory of 900	1792	voiceadequovl.exe	35
PID 900 wrote to memory of 1680	900	voiceadequovl.exe	36
PID 900 wrote to memory of 1680	900	voiceadequovl.exe	36
PID 900 wrote to memory of 1680	900	voiceadequovl.exe	36
PID 900 wrote to memory of 1680	900	voiceadequovl.exe	36
PID 900 wrote to memory of 1620	900	voiceadequovl.exe	39
PID 900 wrote to memory of 1620	900	voiceadequovl.exe	39
PID 900 wrote to memory of 1620	900	voiceadequovl.exe	39
PID 900 wrote to memory of 1620	900	voiceadequovl.exe	39
PID 1620 wrote to memory of 1376	1620	cmd.exe	40
PID 1620 wrote to memory of 1376	1620	cmd.exe	40
PID 1620 wrote to memory of 1376	1620	cmd.exe	40
PID 1620 wrote to memory of 1376	1620	cmd.exe	40
PID 900 wrote to memory of 856	900	voiceadequovl.exe	42
PID 900 wrote to memory of 856	900	voiceadequovl.exe	42
PID 900 wrote to memory of 856	900	voiceadequovl.exe	42
PID 900 wrote to memory of 856	900	voiceadequovl.exe	42
PID 856 wrote to memory of 696	856	cmd.exe	44
PID 856 wrote to memory of 696	856	cmd.exe	44
PID 856 wrote to memory of 696	856	cmd.exe	44
PID 856 wrote to memory of 696	856	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1520
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
216ef5f57d386ff9350214e68c7cd6c5

SHA1
e7dd98e093f069e669524ee60ba7745608a78d6d

SHA256
869e1cbfcd0452ae745e12cc01dd307117cdc4b4c1395ab5b8df12f9f72dc9b5

SHA512
6c549477e60a37df6c97811b908f403f750a7b2b4ca44954f74d3e628b7e327d180235c2ace11845718029f22d9e669c6338714bef5d9754afa4d16591e5fe95

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
286.9MB

MD5
3e4597b1a6ecc867b756bf8c853a5bd2

SHA1
03a8ab36863d9513e4c5232be510f61daf730191

SHA256
9eea2e8da721f4ba2b70a208c12b6bb18fcb81cb7ecef582f5a8af4e4591c5df

SHA512
b868e7424ef621ffdd6784aade1bb44a925334cd2ca2e8c077c601fe2a0693fe80158a1b8befba04de944985bb64397bdb22ce245fb55cae9ece654939e64f85

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
282.1MB

MD5
5b3737daa2119ac2248cf02e65f195b3

SHA1
87888dad5c7fa2cb649f268d9bb912ee1608df08

SHA256
2923c57133cbe6534af44fcc06a03d8431741e893cdb839a7b1c24ce5676f435

SHA512
9395e35dd7f1cc627c3bdeec5a1efd3c8730e0613216be126c9098a6a4c4e2cabdd560b38ace2f5853732d78e3ec944998aea292d74d2f4f981ba89102e88388

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
160.6MB

MD5
9c825b1474604b304627744c3207cd9e

SHA1
c0f54d61ce1cc7fbeb2b12cf2dc79a62ab12ac93

SHA256
a45dcdf7f03e77448e8cfa1f133cb82c4c04a022f0eb3934a21ae090cf3c2ba3

SHA512
3c0b0dd914edbe55491bc17bf5dc774b1db3eb6df6be6a0b8ef6aa3b240591d08e5a7a9e658ebc45f558c4e6a8a4df758a6e0b8bdd82319b460fdbe42886f94d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
288.6MB

MD5
3fe18aa3d37cddd1022df1ece8793dfc

SHA1
16672ec7e15944318d74394369ac3bfcc57669ab

SHA256
cce61c41529deb6414d6bb94ca101c2cad8e1bc69e4d56a03618dbe5f26c6421

SHA512
4928b97724f4ad32827d439a886b89c3a966f9817f1010e0943efbf8510eb8bdcb0980d40adde97683e60938e666feae8f09a6b1bde1370ef3f1d91154f1dbd7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
280.4MB

MD5
35fe7311686418585c4f54dd6cf94c19

SHA1
3276af81e87d56aa0af37a23a5be0623f00b6cb6

SHA256
b077b871a963af18adfe81059999b60a910146b28f6baad70661003c0065cec1

SHA512
d2a6d31a4c2fd220a4cf70bb12fb6d728214803a067ce9191728d96715685e2a842efc585f749c2d4aaf5435237f75a8e485f9d0cf8577d1f1c72b6ac7e2017c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
286.1MB

MD5
eb232e544a0426f7ee8293c3e1851a69

SHA1
fa8fa8f8b068b535d1e0b4cab34f79bb104c4c68

SHA256
e3b6027742327ed8415d14a5207bcb22253d1dfc4a1fb4db3e63eee1abb8c508

SHA512
1c72a6f90aef6248bf4e768822444bbcce35f8aaa0e4e962efd864bf9f91fdf65dbf870776b47dbf989ed63e0d24a27ab21c50edd14136b8a8b6e42d8550e6ed

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
285.1MB

MD5
d5eec29497a4730b445f017ed265ab86

SHA1
2e39ab672e7d310cb0010d21f7c7286d04f4e96b

SHA256
67f6c1f98a052c1112459b9b09ab3ea3c04494b7838653e64629d3e2bdd6e254

SHA512
c213c66abd2b7d3fc4b1c32a3c0c175a0600fc3f22edc1b8d5d8d080bd8df86acc4bc8d6c7e997b357a6a7585131c8bc8c860cfe3eb2575423a04055c00b3155

Download Submit
memory/900-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/900-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1000-93-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/1000-95-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-71-0x000000006FFA0000-0x000000007054B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-70-0x000000006FFA0000-0x000000007054B000-memory.dmp

Filesize
5.7MB

Download
memory/1520-69-0x000000006FFA0000-0x000000007054B000-memory.dmp

Filesize
5.7MB

Download
memory/1792-66-0x00000000064B0000-0x0000000006850000-memory.dmp

Filesize
3.6MB

Download
memory/1792-74-0x0000000005420000-0x0000000005592000-memory.dmp

Filesize
1.4MB

Download
memory/1792-65-0x0000000000F50000-0x00000000016C4000-memory.dmp

Filesize
7.5MB

Download
memory/1976-56-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download