aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
135s
max time network
141s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1676-66-0x00000000064E0000-0x0000000006880000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1736	voiceadequovl.exe
1676	voiceadequovl.exe
1556	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1736	voiceadequovl.exe
1736	voiceadequovl.exe
1736	voiceadequovl.exe
1736	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 1556	1676	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1084	powershell.exe
812	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	voiceadequovl.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeIncreaseQuotaPrivilege	1928	wmic.exe
Token: SeSecurityPrivilege	1928	wmic.exe
Token: SeTakeOwnershipPrivilege	1928	wmic.exe
Token: SeLoadDriverPrivilege	1928	wmic.exe
Token: SeSystemProfilePrivilege	1928	wmic.exe
Token: SeSystemtimePrivilege	1928	wmic.exe
Token: SeProfSingleProcessPrivilege	1928	wmic.exe
Token: SeIncBasePriorityPrivilege	1928	wmic.exe
Token: SeCreatePagefilePrivilege	1928	wmic.exe
Token: SeBackupPrivilege	1928	wmic.exe
Token: SeRestorePrivilege	1928	wmic.exe
Token: SeShutdownPrivilege	1928	wmic.exe
Token: SeDebugPrivilege	1928	wmic.exe
Token: SeSystemEnvironmentPrivilege	1928	wmic.exe
Token: SeRemoteShutdownPrivilege	1928	wmic.exe
Token: SeUndockPrivilege	1928	wmic.exe
Token: SeManageVolumePrivilege	1928	wmic.exe
Token: 33	1928	wmic.exe
Token: 34	1928	wmic.exe
Token: 35	1928	wmic.exe
Token: SeIncreaseQuotaPrivilege	1928	wmic.exe
Token: SeSecurityPrivilege	1928	wmic.exe
Token: SeTakeOwnershipPrivilege	1928	wmic.exe
Token: SeLoadDriverPrivilege	1928	wmic.exe
Token: SeSystemProfilePrivilege	1928	wmic.exe
Token: SeSystemtimePrivilege	1928	wmic.exe
Token: SeProfSingleProcessPrivilege	1928	wmic.exe
Token: SeIncBasePriorityPrivilege	1928	wmic.exe
Token: SeCreatePagefilePrivilege	1928	wmic.exe
Token: SeBackupPrivilege	1928	wmic.exe
Token: SeRestorePrivilege	1928	wmic.exe
Token: SeShutdownPrivilege	1928	wmic.exe
Token: SeDebugPrivilege	1928	wmic.exe
Token: SeSystemEnvironmentPrivilege	1928	wmic.exe
Token: SeRemoteShutdownPrivilege	1928	wmic.exe
Token: SeUndockPrivilege	1928	wmic.exe
Token: SeManageVolumePrivilege	1928	wmic.exe
Token: 33	1928	wmic.exe
Token: 34	1928	wmic.exe
Token: 35	1928	wmic.exe
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe
Token: SeSecurityPrivilege	976	WMIC.exe
Token: SeTakeOwnershipPrivilege	976	WMIC.exe
Token: SeLoadDriverPrivilege	976	WMIC.exe
Token: SeSystemProfilePrivilege	976	WMIC.exe
Token: SeSystemtimePrivilege	976	WMIC.exe
Token: SeProfSingleProcessPrivilege	976	WMIC.exe
Token: SeIncBasePriorityPrivilege	976	WMIC.exe
Token: SeCreatePagefilePrivilege	976	WMIC.exe
Token: SeBackupPrivilege	976	WMIC.exe
Token: SeRestorePrivilege	976	WMIC.exe
Token: SeShutdownPrivilege	976	WMIC.exe
Token: SeDebugPrivilege	976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	976	WMIC.exe
Token: SeRemoteShutdownPrivilege	976	WMIC.exe
Token: SeUndockPrivilege	976	WMIC.exe
Token: SeManageVolumePrivilege	976	WMIC.exe
Token: 33	976	WMIC.exe
Token: 34	976	WMIC.exe
Token: 35	976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1736	1340	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1340 wrote to memory of 1736	1340	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1340 wrote to memory of 1736	1340	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1340 wrote to memory of 1736	1340	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1736 wrote to memory of 1676	1736	voiceadequovl.exe	29
PID 1736 wrote to memory of 1676	1736	voiceadequovl.exe	29
PID 1736 wrote to memory of 1676	1736	voiceadequovl.exe	29
PID 1736 wrote to memory of 1676	1736	voiceadequovl.exe	29
PID 1676 wrote to memory of 1084	1676	voiceadequovl.exe	30
PID 1676 wrote to memory of 1084	1676	voiceadequovl.exe	30
PID 1676 wrote to memory of 1084	1676	voiceadequovl.exe	30
PID 1676 wrote to memory of 1084	1676	voiceadequovl.exe	30
PID 1676 wrote to memory of 1916	1676	voiceadequovl.exe	32
PID 1676 wrote to memory of 1916	1676	voiceadequovl.exe	32
PID 1676 wrote to memory of 1916	1676	voiceadequovl.exe	32
PID 1676 wrote to memory of 1916	1676	voiceadequovl.exe	32
PID 1916 wrote to memory of 812	1916	cmd.exe	34
PID 1916 wrote to memory of 812	1916	cmd.exe	34
PID 1916 wrote to memory of 812	1916	cmd.exe	34
PID 1916 wrote to memory of 812	1916	cmd.exe	34
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1676 wrote to memory of 1556	1676	voiceadequovl.exe	35
PID 1556 wrote to memory of 1928	1556	voiceadequovl.exe	36
PID 1556 wrote to memory of 1928	1556	voiceadequovl.exe	36
PID 1556 wrote to memory of 1928	1556	voiceadequovl.exe	36
PID 1556 wrote to memory of 1928	1556	voiceadequovl.exe	36
PID 1556 wrote to memory of 1772	1556	voiceadequovl.exe	39
PID 1556 wrote to memory of 1772	1556	voiceadequovl.exe	39
PID 1556 wrote to memory of 1772	1556	voiceadequovl.exe	39
PID 1556 wrote to memory of 1772	1556	voiceadequovl.exe	39
PID 1772 wrote to memory of 976	1772	cmd.exe	41
PID 1772 wrote to memory of 976	1772	cmd.exe	41
PID 1772 wrote to memory of 976	1772	cmd.exe	41
PID 1772 wrote to memory of 976	1772	cmd.exe	41
PID 1556 wrote to memory of 1824	1556	voiceadequovl.exe	42
PID 1556 wrote to memory of 1824	1556	voiceadequovl.exe	42
PID 1556 wrote to memory of 1824	1556	voiceadequovl.exe	42
PID 1556 wrote to memory of 1824	1556	voiceadequovl.exe	42
PID 1824 wrote to memory of 1516	1824	cmd.exe	44
PID 1824 wrote to memory of 1516	1824	cmd.exe	44
PID 1824 wrote to memory of 1516	1824	cmd.exe	44
PID 1824 wrote to memory of 1516	1824	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8456b359cbd1a755a4f901e0caa8be1c

SHA1
432f6b70c2db039efd7dc2af578719bf4125dc6f

SHA256
b05bfbbc8f2373870d340ee86b842fa2e25cc940aafb984b8d37b64107b9bb8e

SHA512
2a92e334a55a287b886b6ecc212a37ce9d4f636c5023263e8db6bd8cf1f482624b42dfb344fde8e54db7c82d1e58d96bb7ad0624c14796312f215c5e5e6e28d4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
237.2MB

MD5
0dbf4888c96f66592c66167664eaf1da

SHA1
3b45908246c1c0d34c397d0be1fe6c1819c648ab

SHA256
cfe5a88c14bd4a3e8a5f5ad1c8ab755f9ddd5db1cc91180c34d65cb75cbdeb1a

SHA512
103ecb46fa9b7cfe1d74730fc50b61f1c75f904372da30c6e4075cc5f7805edb3c4cd4b1b1dec557c783fa74b66b0d0aa8d9e9826c9e217225421aeb9b66780d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
235.6MB

MD5
bba0b1c147dcc52e5b8cccdfc142ea11

SHA1
896169b294cf051d435a4bd6b641e8fb1a3214a1

SHA256
0a3ea0ae172c238de4cdcd8868f7ac6dc231c733eb302710f973fb7892a6e5ac

SHA512
640d752a123697b7cbd64dc91ca2cea8985244906e60e7ad69168c286773387624a89171934bfd75b18ecf83052fbd5d31febedf0791a8eb5c0eb78ab98982d3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
52.2MB

MD5
b8efa88445c5639d5f8981127d32ac35

SHA1
e5601e9c33d72848e2c2bd2fc435523f59382e5f

SHA256
cdf30cb98cc4e8135e91021557db16752dafa060eb5b450d2d23f9b95c817e2c

SHA512
7453e338f3ae55d97c7e3b9734f8f9efc0ac948586cc739d495387778d03fa48174651ca47d6eb18e1b1d43aa2eb8cbacc1047a1def7a41f7a28e198e170aca8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
245.6MB

MD5
b53840f25dddead8351a9e1de4c76cfe

SHA1
91e5a3d6c47673f6b12c1330bd9d40d3888b2ca3

SHA256
7383509103fa4c305a627a3140de5537b9ae83203ef90fd2be5a9b5b7c036b69

SHA512
d4a3263a449e89dbd28fa059ff811784e4d2a218488be1ea7d0469244d48ba4d19eb39eebf199919e892f1a7cb0c4e658567a8b8ffcee0d78da540097c6ea92e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.0MB

MD5
84d0671aae02da1d5bf0b760be94b845

SHA1
a0495e77cbc5bf6f55b30ee408fa9ff4804d8f15

SHA256
f6421fbffd6f80b317ce59dde03613fe0f5626e72418ead7b221294f6a9c8c7e

SHA512
a37e8015c2a02fb97983aaa7988471ff209113af4bf8163c15778ce25472496c3735d5fe570cc29110f476e84bc774077b9512d29060631a68f688ef3c364e95

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.2MB

MD5
1223c4e6306fcd7df084f8e3adbaab9a

SHA1
ab711bf4772c3a59dc0311f7fae0352f0611aaf5

SHA256
5bc00ef1965ae12c5b2cbc198193af2a83d7b160c8518e914125a56d951c1f84

SHA512
bbd09337deaa98f0c52539d0624fc4bd2d125deaebd893ef615e3d8497e7eee0cb5d050eb99c8af834f288ebbbc7ff35a47901f55f1aea6bf2dc2da1575086ad

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
242.0MB

MD5
8a208d09aa7f0ae9706cad0ee0f37dc6

SHA1
d885af376075ee5bc3a674a1f6b320e47faf457e

SHA256
93afa5ef9e20bbc18fac7dbcca97c09750b085b25aafca5fc8d81f93717d734c

SHA512
5e6289d2c1e51c9bab510ad3ecbabc0dae61b50fcf27618c9ee3c82699c905ba89e25def79ec3b42e70b1ab202cbad76afa1c8c0031fa66e7d161ced0df88de2

Download Submit
memory/812-96-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/812-93-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-69-0x000000006FC80000-0x000000007022B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-70-0x000000006FC80000-0x000000007022B000-memory.dmp

Filesize
5.7MB

Download
memory/1084-71-0x000000006FC80000-0x000000007022B000-memory.dmp

Filesize
5.7MB

Download
memory/1556-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1556-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-66-0x00000000064E0000-0x0000000006880000-memory.dmp

Filesize
3.6MB

Download
memory/1676-65-0x0000000001330000-0x0000000001AA4000-memory.dmp

Filesize
7.5MB

Download
memory/1676-73-0x00000000053B0000-0x0000000005522000-memory.dmp

Filesize
1.4MB

Download
memory/1736-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download