aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
86s
max time network
90s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1844-66-0x0000000006590000-0x0000000006930000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
2020	voiceadequovl.exe
1844	voiceadequovl.exe
1544	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2020	voiceadequovl.exe
2020	voiceadequovl.exe
2020	voiceadequovl.exe
2020	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 1544	1844	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1108	powershell.exe
800	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	voiceadequovl.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeIncreaseQuotaPrivilege	1760	wmic.exe
Token: SeSecurityPrivilege	1760	wmic.exe
Token: SeTakeOwnershipPrivilege	1760	wmic.exe
Token: SeLoadDriverPrivilege	1760	wmic.exe
Token: SeSystemProfilePrivilege	1760	wmic.exe
Token: SeSystemtimePrivilege	1760	wmic.exe
Token: SeProfSingleProcessPrivilege	1760	wmic.exe
Token: SeIncBasePriorityPrivilege	1760	wmic.exe
Token: SeCreatePagefilePrivilege	1760	wmic.exe
Token: SeBackupPrivilege	1760	wmic.exe
Token: SeRestorePrivilege	1760	wmic.exe
Token: SeShutdownPrivilege	1760	wmic.exe
Token: SeDebugPrivilege	1760	wmic.exe
Token: SeSystemEnvironmentPrivilege	1760	wmic.exe
Token: SeRemoteShutdownPrivilege	1760	wmic.exe
Token: SeUndockPrivilege	1760	wmic.exe
Token: SeManageVolumePrivilege	1760	wmic.exe
Token: 33	1760	wmic.exe
Token: 34	1760	wmic.exe
Token: 35	1760	wmic.exe
Token: SeIncreaseQuotaPrivilege	1760	wmic.exe
Token: SeSecurityPrivilege	1760	wmic.exe
Token: SeTakeOwnershipPrivilege	1760	wmic.exe
Token: SeLoadDriverPrivilege	1760	wmic.exe
Token: SeSystemProfilePrivilege	1760	wmic.exe
Token: SeSystemtimePrivilege	1760	wmic.exe
Token: SeProfSingleProcessPrivilege	1760	wmic.exe
Token: SeIncBasePriorityPrivilege	1760	wmic.exe
Token: SeCreatePagefilePrivilege	1760	wmic.exe
Token: SeBackupPrivilege	1760	wmic.exe
Token: SeRestorePrivilege	1760	wmic.exe
Token: SeShutdownPrivilege	1760	wmic.exe
Token: SeDebugPrivilege	1760	wmic.exe
Token: SeSystemEnvironmentPrivilege	1760	wmic.exe
Token: SeRemoteShutdownPrivilege	1760	wmic.exe
Token: SeUndockPrivilege	1760	wmic.exe
Token: SeManageVolumePrivilege	1760	wmic.exe
Token: 33	1760	wmic.exe
Token: 34	1760	wmic.exe
Token: 35	1760	wmic.exe
Token: SeIncreaseQuotaPrivilege	1812	WMIC.exe
Token: SeSecurityPrivilege	1812	WMIC.exe
Token: SeTakeOwnershipPrivilege	1812	WMIC.exe
Token: SeLoadDriverPrivilege	1812	WMIC.exe
Token: SeSystemProfilePrivilege	1812	WMIC.exe
Token: SeSystemtimePrivilege	1812	WMIC.exe
Token: SeProfSingleProcessPrivilege	1812	WMIC.exe
Token: SeIncBasePriorityPrivilege	1812	WMIC.exe
Token: SeCreatePagefilePrivilege	1812	WMIC.exe
Token: SeBackupPrivilege	1812	WMIC.exe
Token: SeRestorePrivilege	1812	WMIC.exe
Token: SeShutdownPrivilege	1812	WMIC.exe
Token: SeDebugPrivilege	1812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1812	WMIC.exe
Token: SeRemoteShutdownPrivilege	1812	WMIC.exe
Token: SeUndockPrivilege	1812	WMIC.exe
Token: SeManageVolumePrivilege	1812	WMIC.exe
Token: 33	1812	WMIC.exe
Token: 34	1812	WMIC.exe
Token: 35	1812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1812	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2020	1516	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1516 wrote to memory of 2020	1516	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1516 wrote to memory of 2020	1516	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1516 wrote to memory of 2020	1516	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 2020 wrote to memory of 1844	2020	voiceadequovl.exe	28
PID 2020 wrote to memory of 1844	2020	voiceadequovl.exe	28
PID 2020 wrote to memory of 1844	2020	voiceadequovl.exe	28
PID 2020 wrote to memory of 1844	2020	voiceadequovl.exe	28
PID 1844 wrote to memory of 1108	1844	voiceadequovl.exe	30
PID 1844 wrote to memory of 1108	1844	voiceadequovl.exe	30
PID 1844 wrote to memory of 1108	1844	voiceadequovl.exe	30
PID 1844 wrote to memory of 1108	1844	voiceadequovl.exe	30
PID 1844 wrote to memory of 1448	1844	voiceadequovl.exe	32
PID 1844 wrote to memory of 1448	1844	voiceadequovl.exe	32
PID 1844 wrote to memory of 1448	1844	voiceadequovl.exe	32
PID 1844 wrote to memory of 1448	1844	voiceadequovl.exe	32
PID 1448 wrote to memory of 800	1448	cmd.exe	33
PID 1448 wrote to memory of 800	1448	cmd.exe	33
PID 1448 wrote to memory of 800	1448	cmd.exe	33
PID 1448 wrote to memory of 800	1448	cmd.exe	33
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1844 wrote to memory of 1544	1844	voiceadequovl.exe	34
PID 1544 wrote to memory of 1760	1544	voiceadequovl.exe	35
PID 1544 wrote to memory of 1760	1544	voiceadequovl.exe	35
PID 1544 wrote to memory of 1760	1544	voiceadequovl.exe	35
PID 1544 wrote to memory of 1760	1544	voiceadequovl.exe	35
PID 1544 wrote to memory of 1392	1544	voiceadequovl.exe	40
PID 1544 wrote to memory of 1392	1544	voiceadequovl.exe	40
PID 1544 wrote to memory of 1392	1544	voiceadequovl.exe	40
PID 1544 wrote to memory of 1392	1544	voiceadequovl.exe	40
PID 1392 wrote to memory of 1812	1392	cmd.exe	39
PID 1392 wrote to memory of 1812	1392	cmd.exe	39
PID 1392 wrote to memory of 1812	1392	cmd.exe	39
PID 1392 wrote to memory of 1812	1392	cmd.exe	39
PID 1544 wrote to memory of 1604	1544	voiceadequovl.exe	42
PID 1544 wrote to memory of 1604	1544	voiceadequovl.exe	42
PID 1544 wrote to memory of 1604	1544	voiceadequovl.exe	42
PID 1544 wrote to memory of 1604	1544	voiceadequovl.exe	42
PID 1604 wrote to memory of 1272	1604	cmd.exe	43
PID 1604 wrote to memory of 1272	1604	cmd.exe	43
PID 1604 wrote to memory of 1272	1604	cmd.exe	43
PID 1604 wrote to memory of 1272	1604	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1272

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
237.9MB

MD5
2f73bf2c98f9b3a63fd8c3ee039caf11

SHA1
2872a1ec04ae5013f3359a755b41a60aa3bec611

SHA256
9fcb9d01c06d9a1040a6f7e275eb36622942143429dec2117ba93d149675cb58

SHA512
d44e4bfacd3d5070d2550e399e1fa42445b9a76fe55ed009f691201f9ff479d9986d083a5c7c8e5e8aa5657175a9b3785a0a32fffafe964b5e54b2b5a6b6d73b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
224.9MB

MD5
75a80041bb40d8ffc8a7ecf22a9e8fb9

SHA1
0c714fb2e9b2833bb705c2ccc1ee19deeee9ef76

SHA256
24ecf55a8dabc957bc05bcebef9ee8e6fefc33e6da43e354eaece706031d10d7

SHA512
23e48e2e72ccdf77ca3daeb9e12663f734ef2fd6da4bbe7d5067d0b0520e8d1a99682156c009376d9f0811aa828952ffcdb500744861cafe5cc8f347d9e087b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3e6447b8f072e41996f4a36ea7093014

SHA1
d46ad73d27d91cbe6d395b8677244dff773593ac

SHA256
3ff63be3ce024e8709365d2ecbf6fbe33c6480d9b620e8421efe95d12796e19d

SHA512
94d9f70cb9c95d331221dbb564f2df6d83e5dada8df70f2719ab1c3661dcacdd0e605af595d00e2a9abfbecac3901138a571eb2a79e62272254c01511f4599c5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
207.8MB

MD5
d2a0cbeb404272b70c9735140f3dc55e

SHA1
2827b9da20aa2f41e84590f18fcbbf322797c98c

SHA256
2839fd1bddf3114164ac128f26bb42dddba5bd07b92c522c68b1a5b4ae3dc5ed

SHA512
20fe0d635a1efc6dd61177358e5faf52be2da5e7914e031ba2593c78f7116fcda7ce9df300558ee4a3eba40976d82e1d94c4f6fbfa3e50d202c7f01e4f395b6e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
212.4MB

MD5
ce7bffc115de995255dc89081eb1a6b2

SHA1
ea0e24ac7ce0270b0362e2b107302e8ca6cff6a8

SHA256
2479d2544aad30cfdfba59ae61f621286afb4cbe87394c0d6c3654b14a74b5de

SHA512
c187d81941ef617ecf20855fabbfa21e94c642f34a2c92e16867a229d6e42b8ecfa5ed40d62858093dc7d9d7cde0a77315cbb0f7c9941dd0c0229da79d284704

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
131.4MB

MD5
765c2b30eb319fe8f7d55089cce64ae1

SHA1
ff53274a5676c984bd8336512f64f7e9248cbc96

SHA256
3a1b634f66d6a6523c94f7b0a95f058c169224f0a9b7eb8fae10cf928ef7816e

SHA512
c20fddad1d6ef4a25b5fd00d5fddec2b7af289dee832102208ad694354fba2c1ee2334877e9db5c24786adb2da9de85fb686d70cb92a75ed8c15d0f721757147

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
213.3MB

MD5
a4ecd3e9d7fc2e2c4e82a5a32ad2b94e

SHA1
de92f434961d7fe9523e249780fec30b92b4f79a

SHA256
25ee1c1d1d8b308e376b07c61b7ed29ddaa934f9310873e38480393825a7a688

SHA512
6f06ab9d11650c0f9e24e4e0d8060c526e338c57198b0ce8f798af9feaf77bb91820bcaa4071b9ccb96416b84e073885d5fdc61366e6728cab57a5cf0b1892ca

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
210.6MB

MD5
bafe45188c0787b4f3ec5ee686ec924d

SHA1
06ccf249a33f68e55b0070d9a149a44afc8c6b6f

SHA256
4d85df762a96f32e332104ae637b939a71e4fc6844fb5be7d46e718df837a81f

SHA512
dba274b607568c1563ac7f508298042c8a9d0e7f1f02bd3c79cd981d75a4db4df372cca74d89a24841477fab505a93315c219e0698e2aa7f94313e3ed5cde905

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
211.9MB

MD5
d9f0baf69a059c55473ec49c935e3188

SHA1
ef339d043378da9aa1c00dab0d60134cc5da7281

SHA256
ba03cb4a867ecbb5b52ef87a63b9b34c8d7c07dc01b63fa25a2e1d733d4b7e11

SHA512
027561801fddc100c780e8818476339bd3986abebcace393778b5831e27e3874b59369b7144d8f819eea1357b9aac41767f05821a953041ac4c4f7f65370f88d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
205.2MB

MD5
d3df7065945f74528f36309f31c9b5c2

SHA1
74de0605344a4ef2edc925699c812f541b8f44f6

SHA256
3a568c14c0f9c75085cfb6a4df74503d372c966f3c56e9cafb25ae5f7db0588c

SHA512
a02923817feaca4de1cd4b9a337591234cdc713e3ee05e32961d6b0664cb771aac656ede27066f6b902811418061facaefaafaf66203dbedc2be6e5cc3d4479a

Download Submit
memory/800-94-0x000000006F790000-0x000000006FD3B000-memory.dmp

Filesize
5.7MB

Download
memory/800-84-0x000000006F790000-0x000000006FD3B000-memory.dmp

Filesize
5.7MB

Download
memory/1108-69-0x000000006FA30000-0x000000006FFDB000-memory.dmp

Filesize
5.7MB

Download
memory/1108-70-0x000000006FA30000-0x000000006FFDB000-memory.dmp

Filesize
5.7MB

Download
memory/1108-71-0x000000006FA30000-0x000000006FFDB000-memory.dmp

Filesize
5.7MB

Download
memory/1544-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1544-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1844-65-0x00000000012C0000-0x0000000001A34000-memory.dmp

Filesize
7.5MB

Download
memory/1844-66-0x0000000006590000-0x0000000006930000-memory.dmp

Filesize
3.6MB

Download
memory/1844-74-0x0000000005560000-0x00000000056D2000-memory.dmp

Filesize
1.4MB

Download
memory/2020-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download