aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
80s
max time network
85s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/936-66-0x0000000006580000-0x0000000006920000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1652	voiceadequovl.exe
936	voiceadequovl.exe
1540	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1652	voiceadequovl.exe
1652	voiceadequovl.exe
1652	voiceadequovl.exe
1652	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 1540	936	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1924	powershell.exe
1472	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	voiceadequovl.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeIncreaseQuotaPrivilege	1532	wmic.exe
Token: SeSecurityPrivilege	1532	wmic.exe
Token: SeTakeOwnershipPrivilege	1532	wmic.exe
Token: SeLoadDriverPrivilege	1532	wmic.exe
Token: SeSystemProfilePrivilege	1532	wmic.exe
Token: SeSystemtimePrivilege	1532	wmic.exe
Token: SeProfSingleProcessPrivilege	1532	wmic.exe
Token: SeIncBasePriorityPrivilege	1532	wmic.exe
Token: SeCreatePagefilePrivilege	1532	wmic.exe
Token: SeBackupPrivilege	1532	wmic.exe
Token: SeRestorePrivilege	1532	wmic.exe
Token: SeShutdownPrivilege	1532	wmic.exe
Token: SeDebugPrivilege	1532	wmic.exe
Token: SeSystemEnvironmentPrivilege	1532	wmic.exe
Token: SeRemoteShutdownPrivilege	1532	wmic.exe
Token: SeUndockPrivilege	1532	wmic.exe
Token: SeManageVolumePrivilege	1532	wmic.exe
Token: 33	1532	wmic.exe
Token: 34	1532	wmic.exe
Token: 35	1532	wmic.exe
Token: SeIncreaseQuotaPrivilege	1532	wmic.exe
Token: SeSecurityPrivilege	1532	wmic.exe
Token: SeTakeOwnershipPrivilege	1532	wmic.exe
Token: SeLoadDriverPrivilege	1532	wmic.exe
Token: SeSystemProfilePrivilege	1532	wmic.exe
Token: SeSystemtimePrivilege	1532	wmic.exe
Token: SeProfSingleProcessPrivilege	1532	wmic.exe
Token: SeIncBasePriorityPrivilege	1532	wmic.exe
Token: SeCreatePagefilePrivilege	1532	wmic.exe
Token: SeBackupPrivilege	1532	wmic.exe
Token: SeRestorePrivilege	1532	wmic.exe
Token: SeShutdownPrivilege	1532	wmic.exe
Token: SeDebugPrivilege	1532	wmic.exe
Token: SeSystemEnvironmentPrivilege	1532	wmic.exe
Token: SeRemoteShutdownPrivilege	1532	wmic.exe
Token: SeUndockPrivilege	1532	wmic.exe
Token: SeManageVolumePrivilege	1532	wmic.exe
Token: 33	1532	wmic.exe
Token: 34	1532	wmic.exe
Token: 35	1532	wmic.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe
Token: SeSystemProfilePrivilege	1704	WMIC.exe
Token: SeSystemtimePrivilege	1704	WMIC.exe
Token: SeProfSingleProcessPrivilege	1704	WMIC.exe
Token: SeIncBasePriorityPrivilege	1704	WMIC.exe
Token: SeCreatePagefilePrivilege	1704	WMIC.exe
Token: SeBackupPrivilege	1704	WMIC.exe
Token: SeRestorePrivilege	1704	WMIC.exe
Token: SeShutdownPrivilege	1704	WMIC.exe
Token: SeDebugPrivilege	1704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1704	WMIC.exe
Token: SeRemoteShutdownPrivilege	1704	WMIC.exe
Token: SeUndockPrivilege	1704	WMIC.exe
Token: SeManageVolumePrivilege	1704	WMIC.exe
Token: 33	1704	WMIC.exe
Token: 34	1704	WMIC.exe
Token: 35	1704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1652 wrote to memory of 936	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 936	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 936	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 936	1652	voiceadequovl.exe	28
PID 936 wrote to memory of 1924	936	voiceadequovl.exe	29
PID 936 wrote to memory of 1924	936	voiceadequovl.exe	29
PID 936 wrote to memory of 1924	936	voiceadequovl.exe	29
PID 936 wrote to memory of 1924	936	voiceadequovl.exe	29
PID 936 wrote to memory of 280	936	voiceadequovl.exe	31
PID 936 wrote to memory of 280	936	voiceadequovl.exe	31
PID 936 wrote to memory of 280	936	voiceadequovl.exe	31
PID 936 wrote to memory of 280	936	voiceadequovl.exe	31
PID 280 wrote to memory of 1472	280	cmd.exe	33
PID 280 wrote to memory of 1472	280	cmd.exe	33
PID 280 wrote to memory of 1472	280	cmd.exe	33
PID 280 wrote to memory of 1472	280	cmd.exe	33
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 936 wrote to memory of 1540	936	voiceadequovl.exe	34
PID 1540 wrote to memory of 1532	1540	voiceadequovl.exe	36
PID 1540 wrote to memory of 1532	1540	voiceadequovl.exe	36
PID 1540 wrote to memory of 1532	1540	voiceadequovl.exe	36
PID 1540 wrote to memory of 1532	1540	voiceadequovl.exe	36
PID 1540 wrote to memory of 916	1540	voiceadequovl.exe	38
PID 1540 wrote to memory of 916	1540	voiceadequovl.exe	38
PID 1540 wrote to memory of 916	1540	voiceadequovl.exe	38
PID 1540 wrote to memory of 916	1540	voiceadequovl.exe	38
PID 916 wrote to memory of 1704	916	cmd.exe	40
PID 916 wrote to memory of 1704	916	cmd.exe	40
PID 916 wrote to memory of 1704	916	cmd.exe	40
PID 916 wrote to memory of 1704	916	cmd.exe	40
PID 1540 wrote to memory of 1876	1540	voiceadequovl.exe	41
PID 1540 wrote to memory of 1876	1540	voiceadequovl.exe	41
PID 1540 wrote to memory of 1876	1540	voiceadequovl.exe	41
PID 1540 wrote to memory of 1876	1540	voiceadequovl.exe	41
PID 1876 wrote to memory of 896	1876	cmd.exe	43
PID 1876 wrote to memory of 896	1876	cmd.exe	43
PID 1876 wrote to memory of 896	1876	cmd.exe	43
PID 1876 wrote to memory of 896	1876	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:280
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:916
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1876
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9140edac2ac05d2815ee09f60712abfe

SHA1
1c534e5619f8e621a3f3a128cc395fc7902787d6

SHA256
859b9f99b9b492e1bce08a26aea08a06ea2b30ca6088956586bf15ebf865257f

SHA512
1ea5bd2bf5af0ebcc4067b96ebfa7d0bc178dd65145319f592207517960052f2142dd728b0de63cc213333edcac692a635d56255577ba196c56ad4e60ec232a8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
299.4MB

MD5
b086d2ce909526d1a66d6cdfcc65c23d

SHA1
f484e570c31bf588ac0125d152a3490cca7489f3

SHA256
4cb9d2df0f6fded54585eb17bc0bd2b97dcffede1b70572124c0ad62a5b2083b

SHA512
639f74694542964133da6f244ed396a927355e8753a7cf6a13bc72da3b37810ebef6e4d4692107c00ca65f9b0cb2de382578e586c098df07efd50ff43d0be317

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
297.3MB

MD5
139e3cd3792e12b65586ddd05b8b9d28

SHA1
4b93de0eb5be797df057eb9b91011de85838af01

SHA256
d595678331c0bdf10c46d9e4140e522a2291d6d7e31d8617b60a08ad9b561363

SHA512
573e1cd7fe0c913b3eeee94f680c7d35fe516636e9e3ea1811d3cc8fa00728ea106c36ca6f906d1992279c3d84f86f714117a74c2c09edf8b35264cefd134287

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
165.1MB

MD5
dd44650dfc21bf256b4bf708fc674baa

SHA1
a3e476ed2afeb8f530582f39458a1ecc7587aaa9

SHA256
da2b9c89fd92aa6c2d9faa6ccc237c1edbecd42c3508b4ae8781d4dd29ec7f0d

SHA512
f7c2e6e09dbc1939c813b9c74406f1e890200216e84c213104a35c0990d7e7fa54b1110fcd328db28f149fb4ecfee8581c54fa72056aef0a005b00ea8da515ff

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
304.7MB

MD5
71db4365ff35ab78efe77efd1282a6ed

SHA1
0dc44423fe7a183758cb9959fc5f35fd1582901a

SHA256
739718c4c4fafe83b933e27413342743ff2a3d500c276b040f208e9ac01a7fc5

SHA512
4b586723709e09f21018ef116ba71deec8ca413c930aea902d137434387a0711ae91d3948879766418091185f1130ed39809f82bde0b03d4e06770d386c4028a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
287.1MB

MD5
110700a9b719d2ab13474d7d9639a4f2

SHA1
768faca5e6b206d8165cd7a16f2a5d5773abd3b1

SHA256
1d5c101218e0dc6fdb0b08c27ee1c15d87625490af8c72a097b2a177ca4da786

SHA512
ab1fb81a3c18d79721aec9045528171e4a8681a65b8e6556f7b3cb0e704adc09f98ea735142c347057398bbf88c2b704186b0bec672d5f8dae3dc06055382803

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
289.4MB

MD5
4c67feb3cfff0dddac8bb0335d7d09d2

SHA1
b18a027d8b2485cc11766f58414bb42e6fc02e23

SHA256
1002f993e06a893103afd288eb9bf53dbf947739d68a0eb80fc40e5c55084ad5

SHA512
dd5d6ca28443592cd7b378baebcbfa958c02a07d489f1ddfc4a38ca3bb7700241862b60c1498a4a0a4f3932c6b7700ce3eec05abf2ee4571188da14cb1de8b73

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
293.0MB

MD5
cb35414ce629d6a4200b6d3ada5ece59

SHA1
b23aced2c5e6f059de5b35213133d84ee8fb3725

SHA256
5ba447766684a87ebfa826b342cc2c417dabcbc005d26ec3376dfd45cafc031d

SHA512
7e08bf90a24c852dc48d856b442e1ac846350b7f46ef920623dafa33ac61fb7e8cc9af1050919f669cefbc881b57d61fc045a960d784fc10949cdd327b9d796a

Download Submit
memory/936-65-0x00000000010B0000-0x0000000001824000-memory.dmp

Filesize
7.5MB

Download
memory/936-66-0x0000000006580000-0x0000000006920000-memory.dmp

Filesize
3.6MB

Download
memory/936-74-0x00000000054F0000-0x0000000005662000-memory.dmp

Filesize
1.4MB

Download
memory/1472-94-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-90-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1540-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1652-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1924-70-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-69-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1924-71-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download