aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
80s
max time network
84s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1168-66-0x0000000006600000-0x00000000069A0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1368	voiceadequovl.exe
1168	voiceadequovl.exe
1336	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1368	voiceadequovl.exe
1368	voiceadequovl.exe
1368	voiceadequovl.exe
1368	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 1336	1168	voiceadequovl.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1232	powershell.exe
1400	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	voiceadequovl.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeIncreaseQuotaPrivilege	704	wmic.exe
Token: SeSecurityPrivilege	704	wmic.exe
Token: SeTakeOwnershipPrivilege	704	wmic.exe
Token: SeLoadDriverPrivilege	704	wmic.exe
Token: SeSystemProfilePrivilege	704	wmic.exe
Token: SeSystemtimePrivilege	704	wmic.exe
Token: SeProfSingleProcessPrivilege	704	wmic.exe
Token: SeIncBasePriorityPrivilege	704	wmic.exe
Token: SeCreatePagefilePrivilege	704	wmic.exe
Token: SeBackupPrivilege	704	wmic.exe
Token: SeRestorePrivilege	704	wmic.exe
Token: SeShutdownPrivilege	704	wmic.exe
Token: SeDebugPrivilege	704	wmic.exe
Token: SeSystemEnvironmentPrivilege	704	wmic.exe
Token: SeRemoteShutdownPrivilege	704	wmic.exe
Token: SeUndockPrivilege	704	wmic.exe
Token: SeManageVolumePrivilege	704	wmic.exe
Token: 33	704	wmic.exe
Token: 34	704	wmic.exe
Token: 35	704	wmic.exe
Token: SeIncreaseQuotaPrivilege	704	wmic.exe
Token: SeSecurityPrivilege	704	wmic.exe
Token: SeTakeOwnershipPrivilege	704	wmic.exe
Token: SeLoadDriverPrivilege	704	wmic.exe
Token: SeSystemProfilePrivilege	704	wmic.exe
Token: SeSystemtimePrivilege	704	wmic.exe
Token: SeProfSingleProcessPrivilege	704	wmic.exe
Token: SeIncBasePriorityPrivilege	704	wmic.exe
Token: SeCreatePagefilePrivilege	704	wmic.exe
Token: SeBackupPrivilege	704	wmic.exe
Token: SeRestorePrivilege	704	wmic.exe
Token: SeShutdownPrivilege	704	wmic.exe
Token: SeDebugPrivilege	704	wmic.exe
Token: SeSystemEnvironmentPrivilege	704	wmic.exe
Token: SeRemoteShutdownPrivilege	704	wmic.exe
Token: SeUndockPrivilege	704	wmic.exe
Token: SeManageVolumePrivilege	704	wmic.exe
Token: 33	704	wmic.exe
Token: 34	704	wmic.exe
Token: 35	704	wmic.exe
Token: SeIncreaseQuotaPrivilege	1408	WMIC.exe
Token: SeSecurityPrivilege	1408	WMIC.exe
Token: SeTakeOwnershipPrivilege	1408	WMIC.exe
Token: SeLoadDriverPrivilege	1408	WMIC.exe
Token: SeSystemProfilePrivilege	1408	WMIC.exe
Token: SeSystemtimePrivilege	1408	WMIC.exe
Token: SeProfSingleProcessPrivilege	1408	WMIC.exe
Token: SeIncBasePriorityPrivilege	1408	WMIC.exe
Token: SeCreatePagefilePrivilege	1408	WMIC.exe
Token: SeBackupPrivilege	1408	WMIC.exe
Token: SeRestorePrivilege	1408	WMIC.exe
Token: SeShutdownPrivilege	1408	WMIC.exe
Token: SeDebugPrivilege	1408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1408	WMIC.exe
Token: SeRemoteShutdownPrivilege	1408	WMIC.exe
Token: SeUndockPrivilege	1408	WMIC.exe
Token: SeManageVolumePrivilege	1408	WMIC.exe
Token: 33	1408	WMIC.exe
Token: 34	1408	WMIC.exe
Token: 35	1408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1408	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1368	1492	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1492 wrote to memory of 1368	1492	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1492 wrote to memory of 1368	1492	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1492 wrote to memory of 1368	1492	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1368 wrote to memory of 1168	1368	voiceadequovl.exe	27
PID 1368 wrote to memory of 1168	1368	voiceadequovl.exe	27
PID 1368 wrote to memory of 1168	1368	voiceadequovl.exe	27
PID 1368 wrote to memory of 1168	1368	voiceadequovl.exe	27
PID 1168 wrote to memory of 1232	1168	voiceadequovl.exe	28
PID 1168 wrote to memory of 1232	1168	voiceadequovl.exe	28
PID 1168 wrote to memory of 1232	1168	voiceadequovl.exe	28
PID 1168 wrote to memory of 1232	1168	voiceadequovl.exe	28
PID 1168 wrote to memory of 972	1168	voiceadequovl.exe	30
PID 1168 wrote to memory of 972	1168	voiceadequovl.exe	30
PID 1168 wrote to memory of 972	1168	voiceadequovl.exe	30
PID 1168 wrote to memory of 972	1168	voiceadequovl.exe	30
PID 972 wrote to memory of 1400	972	cmd.exe	32
PID 972 wrote to memory of 1400	972	cmd.exe	32
PID 972 wrote to memory of 1400	972	cmd.exe	32
PID 972 wrote to memory of 1400	972	cmd.exe	32
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1168 wrote to memory of 1336	1168	voiceadequovl.exe	33
PID 1336 wrote to memory of 704	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 704	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 704	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 704	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1404	1336	voiceadequovl.exe	37
PID 1336 wrote to memory of 1404	1336	voiceadequovl.exe	37
PID 1336 wrote to memory of 1404	1336	voiceadequovl.exe	37
PID 1336 wrote to memory of 1404	1336	voiceadequovl.exe	37
PID 1404 wrote to memory of 1408	1404	cmd.exe	39
PID 1404 wrote to memory of 1408	1404	cmd.exe	39
PID 1404 wrote to memory of 1408	1404	cmd.exe	39
PID 1404 wrote to memory of 1408	1404	cmd.exe	39
PID 1336 wrote to memory of 1604	1336	voiceadequovl.exe	40
PID 1336 wrote to memory of 1604	1336	voiceadequovl.exe	40
PID 1336 wrote to memory of 1604	1336	voiceadequovl.exe	40
PID 1336 wrote to memory of 1604	1336	voiceadequovl.exe	40
PID 1604 wrote to memory of 1944	1604	cmd.exe	42
PID 1604 wrote to memory of 1944	1604	cmd.exe	42
PID 1604 wrote to memory of 1944	1604	cmd.exe	42
PID 1604 wrote to memory of 1944	1604	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1232
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:972
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1604
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
177.7MB

MD5
d80567ec40d87a9b12545da9625de9af

SHA1
a6bf16b8441e84c8f368a3a932da0562e46b9e60

SHA256
1aedb2c872e4b261de322f4f3c7891afe5fdfa1638520e28f634c259f46ad4da

SHA512
59cfe25687bba558e94456ce2da906f3e8a0e72534749c7bc321927cef7ef89f703c851648532c06dfd284e18f023cb6fce658a07643d41630d4db3d92e25e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
176.0MB

MD5
739b607d7eaa78d0e4e424ef48b447c4

SHA1
8917ca8a0c06337608e3ca4c4311218c65da4432

SHA256
e4cc4cca2af5fb6f5df2215792edc67efc9199f09edf892e9b7a32eb6069d2dd

SHA512
590694d885bb0767b67121ed8ef54dc5196c7f03cf3be3e4cf61e6162ca467b7767a0a4aca8b7577d705356735976abd3f489180903602e1239264e620933cce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f57e3846822abe103ea7c7d059a81414

SHA1
6c503970349204c98753e4e5556482b3c1bffaae

SHA256
8994dee29a58b3035962a286c7f699a0818808554abf1203fdd304a2d8a6e942

SHA512
0cc2cdf93d8c1363194bddb1e64d96627f8e86c8178093f337523f22efde834e57f33bcb6742752d0273a2acbd58b9e4e29a628352c2824bb5dbd16e2e071d13

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
166.6MB

MD5
718bae930a8417f5a27d64ee0e476d7c

SHA1
a58fa700c9049f86c91bf64f5206404d1e31b2b8

SHA256
f4848827a09381d0bd4ba6a44893c7f2476cfff6dd3d39c72b9ce64c372b354c

SHA512
38ee7c3ca2136700a82d26413db62aea16d1bfbe19eb284fd43189b4a7798a37fe749ab1e38aed9cb4894534c37cd3f168c472b9015ef1dac7a13555baa80158

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
178.0MB

MD5
b925191125108830338f46da06ea2964

SHA1
e54ac53dd3e3baa3404d7f614b87905ec6e24cc7

SHA256
ffdfdbccd50345abb218934019bf590df2ad38a1d26ff4f0e6478d2fe0a56165

SHA512
4b3dfe51d5cfa11cfa8ccfb5356f7b228778a2590675793cbd37b7363062d87e284c482c8138fe1c6b2114cee735f2df429043679104104b4ef4fbec32141bed

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
125.6MB

MD5
081e43392c195a9b25f1402fb82b89c5

SHA1
22d70aab99eb8d95d54201eaa0d064ef36044385

SHA256
41346c7b40028c173fc51ce22ea99c39d394f3dc94a91b03208bb7607a933988

SHA512
1d478416948bd0fa66744d38f68e4d98eb55133c421a8675524fb547ab2b53e29815a06c75cc671e5bb22b23634815a36cc549cbe4695b5b81314a00ddba0e63

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
176.8MB

MD5
ac18a8832c45a6400fa7960887a7efb6

SHA1
6a912f8a86c41076b4af1c2e59c2fe6057ba812a

SHA256
7d6ee9d2bcddf5a6dc356fa00bf73d04a680cea86102c4bc185d54b9d43b0f91

SHA512
3eabf899c2320cde85d0a9246e0981e419aa4fbbb4db7ff5c340956ad17598ea348d8cfa4a367f49d01c559057285e804f0a34604e2c7a6c8556c7b9996b1cd0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
175.9MB

MD5
7ddbecf7990491367409396d9adef62c

SHA1
b966270f8833c41f3c2c278127ac273ff5c3a481

SHA256
22475c16d5b1ed24ab0226ee60889175fa5681985256e32aed76847ad6e8a1b4

SHA512
4b79fbaeeba881bc57cec6857ad692a213421d4ee2bd02d1f140a269d56fb0708507142ada2c01bbe24c177a9480316496345ec5f1178da9d40866e25b7ab36c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
172.9MB

MD5
d83e4d0522f23995a371cd3ffe03bc68

SHA1
a337312bb33a6f6b4084a7469d1eae89cc343c97

SHA256
8aa641c9e80e65d38916b9d78e4a5849e82f1e3a6f2b99792a670b26219c3cd5

SHA512
1fb016c75ffe5ba83341dd097245438558fd5f30b8547ed86ab6c6305d7b80aec2d23107c066b783a47b9ebd1fbbe44c94c8a18be206fc3a7a4aeaa0a9ebb2b7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
175.6MB

MD5
fe4ca810c70512cfcdf44a9f22bcdf58

SHA1
092fdcf11926dc78f55038cfd5d9eacbabe8843a

SHA256
4cf74fb83665cb86ccd461f561e13504c82ef12125547e2bce566c35076e128a

SHA512
767e348e6ff3fdb210c8cefb173f7792ad6feda563f5aaf0fd9599a4234aa656ddfe81ef8089ead642dc0534e333ba6c0f866aa7c7a123954f3b35d4a86cb2fd

Download Submit
memory/1168-65-0x0000000001380000-0x0000000001AF4000-memory.dmp

Filesize
7.5MB

Download
memory/1168-66-0x0000000006600000-0x00000000069A0000-memory.dmp

Filesize
3.6MB

Download
memory/1168-74-0x0000000005570000-0x00000000056E2000-memory.dmp

Filesize
1.4MB

Download
memory/1232-69-0x000000006FA10000-0x000000006FFBB000-memory.dmp

Filesize
5.7MB

Download
memory/1232-70-0x000000006FA10000-0x000000006FFBB000-memory.dmp

Filesize
5.7MB

Download
memory/1232-71-0x000000006FA10000-0x000000006FFBB000-memory.dmp

Filesize
5.7MB

Download
memory/1336-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1336-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1368-56-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1400-94-0x000000006F740000-0x000000006FCEB000-memory.dmp

Filesize
5.7MB

Download
memory/1400-90-0x000000006F740000-0x000000006FCEB000-memory.dmp

Filesize
5.7MB

Download