aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
67s
max time network
71s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/936-66-0x00000000063F0000-0x0000000006790000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1104	voiceadequovl.exe
936	voiceadequovl.exe
1936	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1104	voiceadequovl.exe
1104	voiceadequovl.exe
1104	voiceadequovl.exe
1104	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 1936	936	voiceadequovl.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1716	powershell.exe
1992	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	voiceadequovl.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeIncreaseQuotaPrivilege	2036	wmic.exe
Token: SeSecurityPrivilege	2036	wmic.exe
Token: SeTakeOwnershipPrivilege	2036	wmic.exe
Token: SeLoadDriverPrivilege	2036	wmic.exe
Token: SeSystemProfilePrivilege	2036	wmic.exe
Token: SeSystemtimePrivilege	2036	wmic.exe
Token: SeProfSingleProcessPrivilege	2036	wmic.exe
Token: SeIncBasePriorityPrivilege	2036	wmic.exe
Token: SeCreatePagefilePrivilege	2036	wmic.exe
Token: SeBackupPrivilege	2036	wmic.exe
Token: SeRestorePrivilege	2036	wmic.exe
Token: SeShutdownPrivilege	2036	wmic.exe
Token: SeDebugPrivilege	2036	wmic.exe
Token: SeSystemEnvironmentPrivilege	2036	wmic.exe
Token: SeRemoteShutdownPrivilege	2036	wmic.exe
Token: SeUndockPrivilege	2036	wmic.exe
Token: SeManageVolumePrivilege	2036	wmic.exe
Token: 33	2036	wmic.exe
Token: 34	2036	wmic.exe
Token: 35	2036	wmic.exe
Token: SeIncreaseQuotaPrivilege	2036	wmic.exe
Token: SeSecurityPrivilege	2036	wmic.exe
Token: SeTakeOwnershipPrivilege	2036	wmic.exe
Token: SeLoadDriverPrivilege	2036	wmic.exe
Token: SeSystemProfilePrivilege	2036	wmic.exe
Token: SeSystemtimePrivilege	2036	wmic.exe
Token: SeProfSingleProcessPrivilege	2036	wmic.exe
Token: SeIncBasePriorityPrivilege	2036	wmic.exe
Token: SeCreatePagefilePrivilege	2036	wmic.exe
Token: SeBackupPrivilege	2036	wmic.exe
Token: SeRestorePrivilege	2036	wmic.exe
Token: SeShutdownPrivilege	2036	wmic.exe
Token: SeDebugPrivilege	2036	wmic.exe
Token: SeSystemEnvironmentPrivilege	2036	wmic.exe
Token: SeRemoteShutdownPrivilege	2036	wmic.exe
Token: SeUndockPrivilege	2036	wmic.exe
Token: SeManageVolumePrivilege	2036	wmic.exe
Token: 33	2036	wmic.exe
Token: 34	2036	wmic.exe
Token: 35	2036	wmic.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1104 wrote to memory of 936	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 936	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 936	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 936	1104	voiceadequovl.exe	27
PID 936 wrote to memory of 1716	936	voiceadequovl.exe	28
PID 936 wrote to memory of 1716	936	voiceadequovl.exe	28
PID 936 wrote to memory of 1716	936	voiceadequovl.exe	28
PID 936 wrote to memory of 1716	936	voiceadequovl.exe	28
PID 936 wrote to memory of 1788	936	voiceadequovl.exe	31
PID 936 wrote to memory of 1788	936	voiceadequovl.exe	31
PID 936 wrote to memory of 1788	936	voiceadequovl.exe	31
PID 936 wrote to memory of 1788	936	voiceadequovl.exe	31
PID 1788 wrote to memory of 1992	1788	cmd.exe	32
PID 1788 wrote to memory of 1992	1788	cmd.exe	32
PID 1788 wrote to memory of 1992	1788	cmd.exe	32
PID 1788 wrote to memory of 1992	1788	cmd.exe	32
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 936 wrote to memory of 1936	936	voiceadequovl.exe	33
PID 1936 wrote to memory of 2036	1936	voiceadequovl.exe	34
PID 1936 wrote to memory of 2036	1936	voiceadequovl.exe	34
PID 1936 wrote to memory of 2036	1936	voiceadequovl.exe	34
PID 1936 wrote to memory of 2036	1936	voiceadequovl.exe	34
PID 1936 wrote to memory of 1656	1936	voiceadequovl.exe	37
PID 1936 wrote to memory of 1656	1936	voiceadequovl.exe	37
PID 1936 wrote to memory of 1656	1936	voiceadequovl.exe	37
PID 1936 wrote to memory of 1656	1936	voiceadequovl.exe	37
PID 1656 wrote to memory of 1592	1656	cmd.exe	39
PID 1656 wrote to memory of 1592	1656	cmd.exe	39
PID 1656 wrote to memory of 1592	1656	cmd.exe	39
PID 1656 wrote to memory of 1592	1656	cmd.exe	39
PID 1936 wrote to memory of 1880	1936	voiceadequovl.exe	41
PID 1936 wrote to memory of 1880	1936	voiceadequovl.exe	41
PID 1936 wrote to memory of 1880	1936	voiceadequovl.exe	41
PID 1936 wrote to memory of 1880	1936	voiceadequovl.exe	41
PID 1880 wrote to memory of 2028	1880	cmd.exe	42
PID 1880 wrote to memory of 2028	1880	cmd.exe	42
PID 1880 wrote to memory of 2028	1880	cmd.exe	42
PID 1880 wrote to memory of 2028	1880	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
131.9MB

MD5
cca5232ed44a0617773f2c2277d1cb9e

SHA1
65375a315fdeea82a802ab9ac2215a8242cb2d97

SHA256
ad20c392258b81ddcc7f5ca50b00ff1cf9177e8a051d5b563e5f0d410cce61ea

SHA512
3fba1b741b233faa9e115681cdf0c941e526c8f074b6923f91b6337d688351b73f548fdb3b14b2ac5eb7216d7cf007d5edd1ef17bbb9265c6ea00d483817be31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
136.8MB

MD5
e0fce0016b1fe2278340f0a3d9380b18

SHA1
651d9f0e4917ad97889891bfd56211656a3d66b6

SHA256
f17f1c3f1578c75005563c60594caded5c215a65e22f17144918b981a1f4f00f

SHA512
cc68f6d069316e38c53607d2f02560bbca57fabb67e8f7ded9c3fb6e8894dd43aec0f9353e01643c8f15fa98129e58975ada8e4c45bb87ae044ef44f5f2bc41e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a829c6a5089e8f6c67bff2aaf0b56e9a

SHA1
6e062b8083aae85c7a5cdc5c9be70d1078848c0a

SHA256
c20389ee96f19c33476f5766809653246d74afdb5f1ebcf432f5b55abebe5186

SHA512
0a25dfec5280e689c4358495d884f1f9f6b164910726563baecf6093749ae73c30534c3ac379f6e717f8a94f60cae037f85071a71c1db7d9a080dbb59b8b1c3e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
125.2MB

MD5
6f6bf4f8fa6943c1c76fab78d3c3253e

SHA1
b02ec58ff65084495f41f728982550a64f198808

SHA256
1083dd83760c847f3184c02f85e9b92a89724fca34e9ab9cdd9fbcd423ee2417

SHA512
bc97e37fec8a3b320253573b5c7b6a6e7643fa50aa3b347c9114b89a92fac4b11a011bb7f239c3cd80740df29a2b397868e485896d5bc665aebc51bf9ce11287

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
122.2MB

MD5
9a2aa5148ce4afa6b3e7d8e8799284a5

SHA1
f6f22d819a8d33e83a6fe37bee6123a7f284345c

SHA256
cd7ceb0abef9bb6726b6c91e2ea45adb762182d5f90398f9ada2e634539c142f

SHA512
68ff909012bba366d83da7caa845983293ffaed9bbd90d64ec0b881680e9c5398b5c97ae304cf4587a686be4492ae2f066ca6d70709627d13d00758030346349

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
61.3MB

MD5
1ff52764647ac0c954683e336bbcdf66

SHA1
239426ea86fe4ff951913cf0f77e2cf5869ea158

SHA256
378d485d037ec9f2d816da09fa48063c815db87621361710e42864d05e22eb1b

SHA512
0957db9c655d790922d3273e675e2441771b3b0d2064ef9b36c1836b7559a842ab89ef266f1b08179306cc04c7c61c67bf57d213d1815cc0b2248aa3106e17a6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
123.8MB

MD5
580731ff034e277d56b421ba4c15ea48

SHA1
e68d09553c49c4e9b5704592b8c6eae274416c7c

SHA256
bbec475243e96d82e8bbd07278ad8ea74a25c017afbc8df9537ac47e69f9668b

SHA512
3287c20f6695458b8047e7070a84e04e3699881a7b6caa22f76a8c917831f4afaef1335ac60a389462e8706375b62ffc914e26cb467a246a5e44497830ae590c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
122.8MB

MD5
04cd305422d41393f394276e2e0c4bc2

SHA1
5318db0705b1d2f456a831227a01b52b690ae23c

SHA256
91ce577762759eb40bcafead79da08bb6c9e3f367618504f302c2d4ec4665a59

SHA512
7f3d07c21f7ab6d5c8fb64aa66bd0d99f2fc483b8b5ad99e0bbc0b8f9e072b533776f9f48294c0cf522b05102da5871bc11b47e72acc2eba43fa847d5ca28e04

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
124.7MB

MD5
e4463e48bbe5c9fbd580973809932d7b

SHA1
12cc01d93441d348ef5167935ace0c987141ae68

SHA256
d398c28e782acefd9270c13d0bfdb071e60d839355f10497a06d2d1dd85fd9c0

SHA512
619f9c1cfa1c4cd47607e575ab9b7338bc57984f633c07e4da54dcba524781372d197f996724623bbb241e31ac08d18b3f163e72db9a26c2d4eb806ff39efae9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
120.9MB

MD5
be79f05e76aed0dbff41bd9648979a3b

SHA1
18630c910f22c9f5a43d98d1ad3377f73476827c

SHA256
66d807d14906648a7dedfab30481b443359c35b257f50665063677393b163570

SHA512
333315bcb7942c9e96e8abde3cb3e3444dd6d4ec814f6ae376ddf2354aeb085219f2ef8eb84331bd35f1c8159b4359b6f9214048be606c7936087519e4837c06

Download Submit
memory/936-75-0x00000000053F0000-0x0000000005562000-memory.dmp

Filesize
1.4MB

Download
memory/936-65-0x0000000000C40000-0x00000000013B4000-memory.dmp

Filesize
7.5MB

Download
memory/936-66-0x00000000063F0000-0x0000000006790000-memory.dmp

Filesize
3.6MB

Download
memory/1104-56-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1716-69-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-71-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-70-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1936-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1936-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1992-79-0x000000006FE70000-0x000000007041B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-94-0x000000006FE70000-0x000000007041B000-memory.dmp

Filesize
5.7MB

Download