aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
68s
max time network
72s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/940-66-0x00000000062F0000-0x0000000006690000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1104	voiceadequovl.exe
940	voiceadequovl.exe
1512	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1104	voiceadequovl.exe
1104	voiceadequovl.exe
1104	voiceadequovl.exe
1104	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 1512	940	voiceadequovl.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1716	powershell.exe
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	voiceadequovl.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe
Token: SeSystemtimePrivilege	824	wmic.exe
Token: SeProfSingleProcessPrivilege	824	wmic.exe
Token: SeIncBasePriorityPrivilege	824	wmic.exe
Token: SeCreatePagefilePrivilege	824	wmic.exe
Token: SeBackupPrivilege	824	wmic.exe
Token: SeRestorePrivilege	824	wmic.exe
Token: SeShutdownPrivilege	824	wmic.exe
Token: SeDebugPrivilege	824	wmic.exe
Token: SeSystemEnvironmentPrivilege	824	wmic.exe
Token: SeRemoteShutdownPrivilege	824	wmic.exe
Token: SeUndockPrivilege	824	wmic.exe
Token: SeManageVolumePrivilege	824	wmic.exe
Token: 33	824	wmic.exe
Token: 34	824	wmic.exe
Token: 35	824	wmic.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe
Token: SeSystemtimePrivilege	824	wmic.exe
Token: SeProfSingleProcessPrivilege	824	wmic.exe
Token: SeIncBasePriorityPrivilege	824	wmic.exe
Token: SeCreatePagefilePrivilege	824	wmic.exe
Token: SeBackupPrivilege	824	wmic.exe
Token: SeRestorePrivilege	824	wmic.exe
Token: SeShutdownPrivilege	824	wmic.exe
Token: SeDebugPrivilege	824	wmic.exe
Token: SeSystemEnvironmentPrivilege	824	wmic.exe
Token: SeRemoteShutdownPrivilege	824	wmic.exe
Token: SeUndockPrivilege	824	wmic.exe
Token: SeManageVolumePrivilege	824	wmic.exe
Token: 33	824	wmic.exe
Token: 34	824	wmic.exe
Token: 35	824	wmic.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1104 wrote to memory of 940	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 940	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 940	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 940	1104	voiceadequovl.exe	27
PID 940 wrote to memory of 1716	940	voiceadequovl.exe	29
PID 940 wrote to memory of 1716	940	voiceadequovl.exe	29
PID 940 wrote to memory of 1716	940	voiceadequovl.exe	29
PID 940 wrote to memory of 1716	940	voiceadequovl.exe	29
PID 940 wrote to memory of 612	940	voiceadequovl.exe	30
PID 940 wrote to memory of 612	940	voiceadequovl.exe	30
PID 940 wrote to memory of 612	940	voiceadequovl.exe	30
PID 940 wrote to memory of 612	940	voiceadequovl.exe	30
PID 612 wrote to memory of 1516	612	cmd.exe	32
PID 612 wrote to memory of 1516	612	cmd.exe	32
PID 612 wrote to memory of 1516	612	cmd.exe	32
PID 612 wrote to memory of 1516	612	cmd.exe	32
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1512	940	voiceadequovl.exe	33
PID 1512 wrote to memory of 824	1512	voiceadequovl.exe	35
PID 1512 wrote to memory of 824	1512	voiceadequovl.exe	35
PID 1512 wrote to memory of 824	1512	voiceadequovl.exe	35
PID 1512 wrote to memory of 824	1512	voiceadequovl.exe	35
PID 1512 wrote to memory of 1460	1512	voiceadequovl.exe	37
PID 1512 wrote to memory of 1460	1512	voiceadequovl.exe	37
PID 1512 wrote to memory of 1460	1512	voiceadequovl.exe	37
PID 1512 wrote to memory of 1460	1512	voiceadequovl.exe	37
PID 1460 wrote to memory of 1940	1460	cmd.exe	39
PID 1460 wrote to memory of 1940	1460	cmd.exe	39
PID 1460 wrote to memory of 1940	1460	cmd.exe	39
PID 1460 wrote to memory of 1940	1460	cmd.exe	39
PID 1512 wrote to memory of 1596	1512	voiceadequovl.exe	40
PID 1512 wrote to memory of 1596	1512	voiceadequovl.exe	40
PID 1512 wrote to memory of 1596	1512	voiceadequovl.exe	40
PID 1512 wrote to memory of 1596	1512	voiceadequovl.exe	40
PID 1596 wrote to memory of 1152	1596	cmd.exe	42
PID 1596 wrote to memory of 1152	1596	cmd.exe	42
PID 1596 wrote to memory of 1152	1596	cmd.exe	42
PID 1596 wrote to memory of 1152	1596	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:612
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
170.9MB

MD5
75455594dcffbfc18f93bb40168da767

SHA1
8931e9b28a5a143548280a12849accd0a6748036

SHA256
6137baf7613cd88431a7c86f60e2040aff7a9ddfa1848760d31f630fa5d20efa

SHA512
3458065580e846b3008be8ca74d94bf699d11c751daafe73b0c0bf557386e67718718a3370755a570d8dbb3f9231ab967ab26866aaa3795b1810b0dd1839caeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
166.6MB

MD5
f0427dec3716d935f1f116afd9d308a6

SHA1
6e17ba9bc77e22a41bfdfeb852e5bd2521d17f73

SHA256
337e7ad8209e4284967415c076767a43aa7a7d7e4cde0aff883bd73c5b048639

SHA512
608b9765ccc7c4c8277fea23700663d7938594d2392dcd56ea1eb3f63cbbaef63affe188562024097240e8010ede6b0880bcdfcc3fb03e8ce5358fac9f53b1a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3ccfed14cce7abe6fa72d72f42f8f970

SHA1
d3c1d3d261b9348836670a466118a9b917b0acbd

SHA256
281d2cdf17d1507efe156eac2dca94b4e4c0f1a53bfd597c7e1a162dcdac95fe

SHA512
593645c794c504c4f09978d21c536d5c0cffe7054058b6741cb3f2aa03d25e194cc3408efb20aeb1837308148b19384de919e90b9ea5c8a72bd4cb5f36a3a959

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
153.6MB

MD5
bf57171b625fbbda4fea7792baebc5a8

SHA1
03464f884be949f2e12c89af1003c298859085fd

SHA256
3e5756120ca0610fef8636506fadaa18c7b5a3b5ac8a14f6c6e78350b5bef956

SHA512
3b87e030a697ab3acd826e341468aa0d0a5942bb046aac7213b97a0f6472dfa4675cd679267a3aa1bced530e92729ec955fa8cb0ee4299c7908ae0fd5ea34217

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
156.3MB

MD5
01d033cf1ce834ceadf144b54b19565e

SHA1
8d16ea1291128852096fe3ca2bf249d56fb68e23

SHA256
8f918466ce53f165e69e7c0f620c08c2c2371a0638023389dfe9b5cd2d8d8fb3

SHA512
a836e7a0aaa983a18e63fb3a650a0bc7287257c37cf16aaa2d108be6d903a07663495e4eb78992eaa0ec71ff7e04fb8219998f8029c6605cb9afe33dab517c42

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
107.1MB

MD5
a754523abaad1e74b2ebd98939c81d2a

SHA1
b754c35e006d36f3a233c0b78418a917b797d5fa

SHA256
409cb88243b4212e2e00e0a92a768b4a2668ab8baa5a9d3d2831fc6f26988da0

SHA512
ef026a6ee1108cbd54d9b145263bba44fc5e247c526c6b853fade857358c97606b12855dde38ae31fe6e9cdd02381081b2fa9d0525313992b07117331788fb97

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
159.0MB

MD5
57f159697abafb437a21e2afb44e9d10

SHA1
819520ad35cb67d114c6e17c6c5783885b8ba1d7

SHA256
31ffeba3036efade8f8b13fa171cdcfbb8ae2628d71192af8a85c83b22ae65e6

SHA512
88cc14bf80b598a2e750c943ef166ee24bafde835ee5cf55e1b3c4f98ef11888e0016661f3a2a466d265cbf341e5eac9a4e8f09e0bd70918447c70e288f2caf9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
156.9MB

MD5
cc826374cfc11cf03f351af573283426

SHA1
af01c831f0148755abb5f30bdbb088fb6d8ef904

SHA256
1a0804f7ea3d6ba218fabefd40719d795e4ea333ff6faa797f1e1e54647e618e

SHA512
ffa82c1d9be1b91516ad71aded8d87988c88d32ea2ebd8dcd9d85fa04f27cff57906d38d750039d0c1bb8622e8d7e31a5596e95e66eca907d5e56d7e750acd3b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
157.4MB

MD5
e5fbd0f90b0567552f639ae0bdb43e35

SHA1
1966f609ff2bb3f31ac50fc0d25edde32143fafb

SHA256
a4918e4068fd84fc0b93f407e73556ac64b8c3ea1ef94f4650cd95814c6224b8

SHA512
9e36bd3938916d8ab939866bb32626bb8e0e1a00c27b36fdeb7f08f8ace738782a26ead58e14525fda50cef2a820b1ed75236f008d0f03c260236f0aa0a182b5

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
162.0MB

MD5
2c550211b16d1659bf90a19f8df0da09

SHA1
a6df572221fc8dfe995e0933da8e33fc320a13a3

SHA256
07472913139135742cd48d814a891f93ac604d317400c791a9f8adb97bec644c

SHA512
fdbbc765285183727a7adadf629592fdb8059e0ff56e78976687f98c9504bf74c326a93a872f6043150e3cc79b6f3e99d1b37b411b2468152d1db616fd1b5236

Download Submit
memory/940-66-0x00000000062F0000-0x0000000006690000-memory.dmp

Filesize
3.6MB

Download
memory/940-65-0x00000000011E0000-0x0000000001954000-memory.dmp

Filesize
7.5MB

Download
memory/940-75-0x0000000005250000-0x00000000053C2000-memory.dmp

Filesize
1.4MB

Download
memory/1104-56-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1512-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1512-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1516-85-0x000000006FE70000-0x000000007041B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-93-0x000000006FE70000-0x000000007041B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-71-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-70-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-69-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download