aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
68s
max time network
73s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/940-66-0x00000000064E0000-0x0000000006880000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1104	voiceadequovl.exe
940	voiceadequovl.exe
1148	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1104	voiceadequovl.exe
1104	voiceadequovl.exe
1104	voiceadequovl.exe
1104	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 1148	940	voiceadequovl.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1696	powershell.exe
1160	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	940	voiceadequovl.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe
Token: SeSystemtimePrivilege	824	wmic.exe
Token: SeProfSingleProcessPrivilege	824	wmic.exe
Token: SeIncBasePriorityPrivilege	824	wmic.exe
Token: SeCreatePagefilePrivilege	824	wmic.exe
Token: SeBackupPrivilege	824	wmic.exe
Token: SeRestorePrivilege	824	wmic.exe
Token: SeShutdownPrivilege	824	wmic.exe
Token: SeDebugPrivilege	824	wmic.exe
Token: SeSystemEnvironmentPrivilege	824	wmic.exe
Token: SeRemoteShutdownPrivilege	824	wmic.exe
Token: SeUndockPrivilege	824	wmic.exe
Token: SeManageVolumePrivilege	824	wmic.exe
Token: 33	824	wmic.exe
Token: 34	824	wmic.exe
Token: 35	824	wmic.exe
Token: SeIncreaseQuotaPrivilege	824	wmic.exe
Token: SeSecurityPrivilege	824	wmic.exe
Token: SeTakeOwnershipPrivilege	824	wmic.exe
Token: SeLoadDriverPrivilege	824	wmic.exe
Token: SeSystemProfilePrivilege	824	wmic.exe
Token: SeSystemtimePrivilege	824	wmic.exe
Token: SeProfSingleProcessPrivilege	824	wmic.exe
Token: SeIncBasePriorityPrivilege	824	wmic.exe
Token: SeCreatePagefilePrivilege	824	wmic.exe
Token: SeBackupPrivilege	824	wmic.exe
Token: SeRestorePrivilege	824	wmic.exe
Token: SeShutdownPrivilege	824	wmic.exe
Token: SeDebugPrivilege	824	wmic.exe
Token: SeSystemEnvironmentPrivilege	824	wmic.exe
Token: SeRemoteShutdownPrivilege	824	wmic.exe
Token: SeUndockPrivilege	824	wmic.exe
Token: SeManageVolumePrivilege	824	wmic.exe
Token: 33	824	wmic.exe
Token: 34	824	wmic.exe
Token: 35	824	wmic.exe
Token: SeIncreaseQuotaPrivilege	336	WMIC.exe
Token: SeSecurityPrivilege	336	WMIC.exe
Token: SeTakeOwnershipPrivilege	336	WMIC.exe
Token: SeLoadDriverPrivilege	336	WMIC.exe
Token: SeSystemProfilePrivilege	336	WMIC.exe
Token: SeSystemtimePrivilege	336	WMIC.exe
Token: SeProfSingleProcessPrivilege	336	WMIC.exe
Token: SeIncBasePriorityPrivilege	336	WMIC.exe
Token: SeCreatePagefilePrivilege	336	WMIC.exe
Token: SeBackupPrivilege	336	WMIC.exe
Token: SeRestorePrivilege	336	WMIC.exe
Token: SeShutdownPrivilege	336	WMIC.exe
Token: SeDebugPrivilege	336	WMIC.exe
Token: SeSystemEnvironmentPrivilege	336	WMIC.exe
Token: SeRemoteShutdownPrivilege	336	WMIC.exe
Token: SeUndockPrivilege	336	WMIC.exe
Token: SeManageVolumePrivilege	336	WMIC.exe
Token: 33	336	WMIC.exe
Token: 34	336	WMIC.exe
Token: 35	336	WMIC.exe
Token: SeIncreaseQuotaPrivilege	336	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2032 wrote to memory of 1104	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1104 wrote to memory of 940	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 940	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 940	1104	voiceadequovl.exe	27
PID 1104 wrote to memory of 940	1104	voiceadequovl.exe	27
PID 940 wrote to memory of 1696	940	voiceadequovl.exe	28
PID 940 wrote to memory of 1696	940	voiceadequovl.exe	28
PID 940 wrote to memory of 1696	940	voiceadequovl.exe	28
PID 940 wrote to memory of 1696	940	voiceadequovl.exe	28
PID 940 wrote to memory of 1488	940	voiceadequovl.exe	30
PID 940 wrote to memory of 1488	940	voiceadequovl.exe	30
PID 940 wrote to memory of 1488	940	voiceadequovl.exe	30
PID 940 wrote to memory of 1488	940	voiceadequovl.exe	30
PID 1488 wrote to memory of 1160	1488	cmd.exe	32
PID 1488 wrote to memory of 1160	1488	cmd.exe	32
PID 1488 wrote to memory of 1160	1488	cmd.exe	32
PID 1488 wrote to memory of 1160	1488	cmd.exe	32
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 940 wrote to memory of 1148	940	voiceadequovl.exe	33
PID 1148 wrote to memory of 824	1148	voiceadequovl.exe	35
PID 1148 wrote to memory of 824	1148	voiceadequovl.exe	35
PID 1148 wrote to memory of 824	1148	voiceadequovl.exe	35
PID 1148 wrote to memory of 824	1148	voiceadequovl.exe	35
PID 1148 wrote to memory of 1132	1148	voiceadequovl.exe	37
PID 1148 wrote to memory of 1132	1148	voiceadequovl.exe	37
PID 1148 wrote to memory of 1132	1148	voiceadequovl.exe	37
PID 1148 wrote to memory of 1132	1148	voiceadequovl.exe	37
PID 1132 wrote to memory of 336	1132	cmd.exe	39
PID 1132 wrote to memory of 336	1132	cmd.exe	39
PID 1132 wrote to memory of 336	1132	cmd.exe	39
PID 1132 wrote to memory of 336	1132	cmd.exe	39
PID 1148 wrote to memory of 1564	1148	voiceadequovl.exe	40
PID 1148 wrote to memory of 1564	1148	voiceadequovl.exe	40
PID 1148 wrote to memory of 1564	1148	voiceadequovl.exe	40
PID 1148 wrote to memory of 1564	1148	voiceadequovl.exe	40
PID 1564 wrote to memory of 1900	1564	cmd.exe	42
PID 1564 wrote to memory of 1900	1564	cmd.exe	42
PID 1564 wrote to memory of 1900	1564	cmd.exe	42
PID 1564 wrote to memory of 1900	1564	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
257.7MB

MD5
d6f8486c53cb8b79e2f40d690f6b90ee

SHA1
57a08b35be3efaba576527ac928257591e20ac37

SHA256
3ac37cf638c5ec77e099c3d352aa4edfa5d947fa8150327e30698463d7a4f691

SHA512
9847fec3688a268b845e6db7b570725cf91418bcc091ecc60f2f9c4f98b46633c731d6e8a8089cd7ecf6cffd5d130d9dab2a9527782928452625df8b4d2f9f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
240.4MB

MD5
1d7a380571864509a03f21464de931bc

SHA1
c778209a07cf44f0baff9d4789951a9433bb542a

SHA256
d7eaabcf34d7d2d3b6d3d667acb3743bf48faa61fc1331fc679aaf51cd6d345f

SHA512
8a84c28c7a340f14f1ea529700832f0690ffb43b8588e0b4b46ce92b12a51c0b99a3ed70a22d938041549bb237262db2041efacf657847fbdca64e38f5fd194f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
7ff6c8fbece5657daeaebac355b6fd4a

SHA1
ab95de1336dbeab47745396595dd172e5cce67b8

SHA256
76ccc5cfd2714d09c592ed1e15edba2c5dd3b56a81260806b6b4dbf337e1ee66

SHA512
e3b064b1331a62ff6bf9bf6d02f6fcfe03b0a697dcd6e63b63d0276d87db85961e57bee96d2402afa225c2c67710d75683b75f04c8f6fa326193ae1feca102fb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
226.6MB

MD5
3ec3a45b07514360b27b160fef9b87f0

SHA1
90e9c6d7c360044cceb5015bcb99f2b1b8857991

SHA256
60308027dfc8211c3276a45b23c3e190a5f0500784dd75f4b765b7051e9ef859

SHA512
2143e67819a79723e8549f24344e1d73d1ef5fb01085867d6baf1bc63de1ea7bb0ba8abba7654074385a5fb81971616900e0b76c8cf40dcc7baa8fc32d34700c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
226.4MB

MD5
88d651cc682b3cf6fd3888fcf4515bd4

SHA1
de8a3931537fc39c2e0146d8ce95f55552ed2163

SHA256
695b05159ba269ea4c35122c224d75804269d3ecf4d03ce60527bc7c2a256cfa

SHA512
33fc57332b6ef359a993b66adaa9406559e6b4bc761952373ff56629588ae899cf9c68bce8dfe954f426db3856f632f8acdecd5742815280081f756975b4395e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
159.9MB

MD5
27b44e715bf2cd2ca32beacafdbb7939

SHA1
61d1ab31622666d00b36e09082bf40d3ff396ec2

SHA256
7e6f99df8b1cba8be732e6d1b534f8f197df7d8b8bc67f5654bab9bc3dd0c63c

SHA512
06266374a837ddb4f8d793bc5f62f894b2b1ea4e015dd303eb829100c045b439699768f58be5bb421b565c3eedc4eb4dbc0a6a9e8ba8c59611c7eeffa2ca5159

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
230.4MB

MD5
b98375249aafc2f649253f67d5304ca1

SHA1
64d26b24f6a79237fef153c9dc1ac504972d2776

SHA256
0413614b157cb87a45d12c9a63fe16806124324c6a5171ca2d2f886cd62e192e

SHA512
8558edeb13e9ab48376905c964cc3b4732e86c2a62dbf0bd43ceb0c6c52784ad5d8ebc461a0e7d174c60a40bbc235e37edef46f30b354973281f2ab2f68088a6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.6MB

MD5
56fcba7ee7ed15e98115a779e527a18f

SHA1
2ff4ddff6fd5542abc72a86576c17d3def064d44

SHA256
05c7aa4a4ed8370ca4eb8f5ed63d0443666706c5d12c21f7a3a14dd57c554fb3

SHA512
597a2a2faf6d266675144de13d77b4eadde2beec6716e66c66cdb2efe65ff0c039c99c494a2682292cbaf87fff7249357052a48b9e53a849f2baa0bc6059019f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
230.2MB

MD5
5622d2f885838ff0454c0fda45e1cc9e

SHA1
0e626b0f631c9fb8a2a59edf1a42d458d1aba230

SHA256
e0053fc1b1f683e196bb787c4ddc38fa885e957cb7d537eb880a211339fa8502

SHA512
9c23f8c96da33f3aa76eff68bab60a2f455a7bc310d312883f4398e49323cca60c948535431e34f764db23d78215ca35ff30b361cbb4827531043c9415d877e6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
214.9MB

MD5
7351fb8083cd8ab172786e6d183cb0c9

SHA1
d8fd97f7f3a5a4e4394f9c3289179cd25e34a47c

SHA256
298f31ed82d82799823e9ed6a7d0108b441aebd3111fb98396bf26219206cabf

SHA512
3516b6b1be14ed9ada110392af246a559088495529dc86b444af8b9c1074e1eca5aa6fa1c06afd11873c6850116f299ff54d506509e331994ec2d5611f0f2b3e

Download Submit
memory/940-66-0x00000000064E0000-0x0000000006880000-memory.dmp

Filesize
3.6MB

Download
memory/940-65-0x0000000000A30000-0x00000000011A4000-memory.dmp

Filesize
7.5MB

Download
memory/940-74-0x00000000054C0000-0x0000000005632000-memory.dmp

Filesize
1.4MB

Download
memory/1104-56-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1148-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1148-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1160-90-0x000000006FE70000-0x000000007041B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-94-0x000000006FE70000-0x000000007041B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-70-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-69-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-71-0x000000006FEB0000-0x000000007045B000-memory.dmp

Filesize
5.7MB

Download