aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
130s
max time network
136s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/948-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
2016	voiceadequovl.exe
948	voiceadequovl.exe
1924	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2016	voiceadequovl.exe
2016	voiceadequovl.exe
2016	voiceadequovl.exe
2016	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 948 set thread context of 1924	948	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1572	powershell.exe
1832	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	voiceadequovl.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe
Token: SeSystemtimePrivilege	824	wmic.exe
Token: SeProfSingleProcessPrivilege	824	wmic.exe
Token: SeIncBasePriorityPrivilege	824	wmic.exe
Token: SeCreatePagefilePrivilege	824	wmic.exe
Token: SeBackupPrivilege	824	wmic.exe
Token: SeRestorePrivilege	824	wmic.exe
Token: SeShutdownPrivilege	824	wmic.exe
Token: SeDebugPrivilege	824	wmic.exe
Token: SeSystemEnvironmentPrivilege	824	wmic.exe
Token: SeRemoteShutdownPrivilege	824	wmic.exe
Token: SeUndockPrivilege	824	wmic.exe
Token: SeManageVolumePrivilege	824	wmic.exe
Token: 33	824	wmic.exe
Token: 34	824	wmic.exe
Token: 35	824	wmic.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe
Token: SeSystemtimePrivilege	824	wmic.exe
Token: SeProfSingleProcessPrivilege	824	wmic.exe
Token: SeIncBasePriorityPrivilege	824	wmic.exe
Token: SeCreatePagefilePrivilege	824	wmic.exe
Token: SeBackupPrivilege	824	wmic.exe
Token: SeRestorePrivilege	824	wmic.exe
Token: SeShutdownPrivilege	824	wmic.exe
Token: SeDebugPrivilege	824	wmic.exe
Token: SeSystemEnvironmentPrivilege	824	wmic.exe
Token: SeRemoteShutdownPrivilege	824	wmic.exe
Token: SeUndockPrivilege	824	wmic.exe
Token: SeManageVolumePrivilege	824	wmic.exe
Token: 33	824	wmic.exe
Token: 34	824	wmic.exe
Token: 35	824	wmic.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2016	1356	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1356 wrote to memory of 2016	1356	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1356 wrote to memory of 2016	1356	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1356 wrote to memory of 2016	1356	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2016 wrote to memory of 948	2016	voiceadequovl.exe	29
PID 2016 wrote to memory of 948	2016	voiceadequovl.exe	29
PID 2016 wrote to memory of 948	2016	voiceadequovl.exe	29
PID 2016 wrote to memory of 948	2016	voiceadequovl.exe	29
PID 948 wrote to memory of 1572	948	voiceadequovl.exe	30
PID 948 wrote to memory of 1572	948	voiceadequovl.exe	30
PID 948 wrote to memory of 1572	948	voiceadequovl.exe	30
PID 948 wrote to memory of 1572	948	voiceadequovl.exe	30
PID 948 wrote to memory of 636	948	voiceadequovl.exe	32
PID 948 wrote to memory of 636	948	voiceadequovl.exe	32
PID 948 wrote to memory of 636	948	voiceadequovl.exe	32
PID 948 wrote to memory of 636	948	voiceadequovl.exe	32
PID 636 wrote to memory of 1832	636	cmd.exe	34
PID 636 wrote to memory of 1832	636	cmd.exe	34
PID 636 wrote to memory of 1832	636	cmd.exe	34
PID 636 wrote to memory of 1832	636	cmd.exe	34
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 948 wrote to memory of 1924	948	voiceadequovl.exe	35
PID 1924 wrote to memory of 824	1924	voiceadequovl.exe	36
PID 1924 wrote to memory of 824	1924	voiceadequovl.exe	36
PID 1924 wrote to memory of 824	1924	voiceadequovl.exe	36
PID 1924 wrote to memory of 824	1924	voiceadequovl.exe	36
PID 1924 wrote to memory of 1788	1924	voiceadequovl.exe	39
PID 1924 wrote to memory of 1788	1924	voiceadequovl.exe	39
PID 1924 wrote to memory of 1788	1924	voiceadequovl.exe	39
PID 1924 wrote to memory of 1788	1924	voiceadequovl.exe	39
PID 1788 wrote to memory of 1940	1788	cmd.exe	41
PID 1788 wrote to memory of 1940	1788	cmd.exe	41
PID 1788 wrote to memory of 1940	1788	cmd.exe	41
PID 1788 wrote to memory of 1940	1788	cmd.exe	41
PID 1924 wrote to memory of 1224	1924	voiceadequovl.exe	43
PID 1924 wrote to memory of 1224	1924	voiceadequovl.exe	43
PID 1924 wrote to memory of 1224	1924	voiceadequovl.exe	43
PID 1924 wrote to memory of 1224	1924	voiceadequovl.exe	43
PID 1224 wrote to memory of 1128	1224	cmd.exe	44
PID 1224 wrote to memory of 1128	1224	cmd.exe	44
PID 1224 wrote to memory of 1128	1224	cmd.exe	44
PID 1224 wrote to memory of 1128	1224	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1224
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a599e19560616604350483f33a4dbe3c

SHA1
fb7df6fe4042cb94a4d80007582195babf1a64d8

SHA256
8798b0cc560b1fea35851f38cd898884aaf897c5b7c86e7c9c5ec863d5b2d4a3

SHA512
1ae06d75f98d8d5812665b5b18c2b5ce40f41cb258ca705c1e0a4d14c2e7a3d2066880de7a2be3ea84c16fb59456a3397be65e6321198c04c7d51d4921955254

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
264.1MB

MD5
141f10e59991c3e4858fa3b0ba4c097e

SHA1
2a0344e5e3be78933858457d01f143c822a251dc

SHA256
dc9e7a3cb0c24039bf812dcb3c37171d9df5b91e07095756dd33ed4f12d221e1

SHA512
59c9a58bba2d41c34b393b3654141c0eff3a1995e22a7373e323b30cb1429bfff043118a612e5fa5f06b5a480a22f11fde63900b376bc5988b47f149ec5ef3c9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
265.1MB

MD5
3c9528223831d9339be497b27011e269

SHA1
ca1c90f777bac271a41c5da099088593c32ef638

SHA256
fde6b7289c4c3713e80fc3858f8ccb6495b656fd9316f0bb959fa0f301dbf54d

SHA512
ab8a3c46a96f1c970bfc28a580cd2dbfe8ef927804c63c0853e2ee40068bfde136afbe4d656e1a49499a2a854c9f6b90038bd157d32092229f4fa1c8e1b0b438

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
77.3MB

MD5
e2869c66db6c68113eec6bc9c7a2e7dc

SHA1
a598fd7dcb11cafdd3d893088d3c9a4d5c8843fe

SHA256
0e0aad9f7fd9d86624665cb93882f8ed5cf0b56e403c9d6e860a9a1c8e910e88

SHA512
3601ae5b6dea239eaccf730571a55c2e17b426af7196a7b5794e02ad8a8743185e43944e698ddcc39ff15ad3c9a04dc8ea1d809ced22d42fb89bdc9b01fe33f1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.7MB

MD5
647cccd399cb439cf64c665af9693e10

SHA1
7c9927541f093044e160d59a14b7e78a5a7d6987

SHA256
cd034cf8091bc2f995aad5f28e3f64b14c3c746884ae618fcb291c9e0b91e5a3

SHA512
b4be9174442b1d79ffbdf75cf289657c6144e1876fbd46b4cb6f2f473c0268c890a5fc5170b425567517dbae62d0af43904899eafa2c82a4e49ab6848ac11b89

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.1MB

MD5
9b3c1d25f5e1301638b22f65c891fd62

SHA1
b5def70c2c8badadc4df92a88749122a5e8eddd8

SHA256
0b594defac4eea96c402a9a9cf68d50b849807df092fba9ae34f967b6646ee4d

SHA512
f5a382ca02a15b60ee1d52fe44bfbc956133a20a0c6e27d579100709d837691b73a29de7713b9f3e3d759ffcabf09b9bfa724dda290fe8a658c599d914ab07a8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.1MB

MD5
9b3c1d25f5e1301638b22f65c891fd62

SHA1
b5def70c2c8badadc4df92a88749122a5e8eddd8

SHA256
0b594defac4eea96c402a9a9cf68d50b849807df092fba9ae34f967b6646ee4d

SHA512
f5a382ca02a15b60ee1d52fe44bfbc956133a20a0c6e27d579100709d837691b73a29de7713b9f3e3d759ffcabf09b9bfa724dda290fe8a658c599d914ab07a8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.4MB

MD5
82918a2e594ffff4fd930f1ef2544973

SHA1
fff7feda6d8c16f194efdc652a391ca5600f7ad1

SHA256
4a93eee583ffbdb69ed090602398d08233e1fd96ab74b4e9f6721a740d108f14

SHA512
0f7b5aba27622742ac93628aba6064347619995095eba1d67a0c2fdf4a78f7aa70a3d45a358e579f8d9e5c49e14f168791cea366df9903bafe6404d4c3982a45

Download Submit
memory/948-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download
memory/948-65-0x0000000000C30000-0x00000000013A4000-memory.dmp

Filesize
7.5MB

Download
memory/948-75-0x0000000005370000-0x00000000054E2000-memory.dmp

Filesize
1.4MB

Download
memory/1572-69-0x0000000070210000-0x00000000707BB000-memory.dmp

Filesize
5.7MB

Download
memory/1572-70-0x0000000070210000-0x00000000707BB000-memory.dmp

Filesize
5.7MB

Download
memory/1572-71-0x0000000070210000-0x00000000707BB000-memory.dmp

Filesize
5.7MB

Download
memory/1832-95-0x000000006FF60000-0x000000007050B000-memory.dmp

Filesize
5.7MB

Download
memory/1832-93-0x000000006FF60000-0x000000007050B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1924-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2016-56-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download