aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
90s
max time network
94s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 06:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/944-66-0x00000000063F0000-0x0000000006790000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1776	voiceadequovl.exe
944	voiceadequovl.exe
1404	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1776	voiceadequovl.exe
1776	voiceadequovl.exe
1776	voiceadequovl.exe
1776	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 1404	944	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	powershell.exe
1576	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	voiceadequovl.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeIncreaseQuotaPrivilege	1108	wmic.exe
Token: SeSecurityPrivilege	1108	wmic.exe
Token: SeTakeOwnershipPrivilege	1108	wmic.exe
Token: SeLoadDriverPrivilege	1108	wmic.exe
Token: SeSystemProfilePrivilege	1108	wmic.exe
Token: SeSystemtimePrivilege	1108	wmic.exe
Token: SeProfSingleProcessPrivilege	1108	wmic.exe
Token: SeIncBasePriorityPrivilege	1108	wmic.exe
Token: SeCreatePagefilePrivilege	1108	wmic.exe
Token: SeBackupPrivilege	1108	wmic.exe
Token: SeRestorePrivilege	1108	wmic.exe
Token: SeShutdownPrivilege	1108	wmic.exe
Token: SeDebugPrivilege	1108	wmic.exe
Token: SeSystemEnvironmentPrivilege	1108	wmic.exe
Token: SeRemoteShutdownPrivilege	1108	wmic.exe
Token: SeUndockPrivilege	1108	wmic.exe
Token: SeManageVolumePrivilege	1108	wmic.exe
Token: 33	1108	wmic.exe
Token: 34	1108	wmic.exe
Token: 35	1108	wmic.exe
Token: SeIncreaseQuotaPrivilege	1108	wmic.exe
Token: SeSecurityPrivilege	1108	wmic.exe
Token: SeTakeOwnershipPrivilege	1108	wmic.exe
Token: SeLoadDriverPrivilege	1108	wmic.exe
Token: SeSystemProfilePrivilege	1108	wmic.exe
Token: SeSystemtimePrivilege	1108	wmic.exe
Token: SeProfSingleProcessPrivilege	1108	wmic.exe
Token: SeIncBasePriorityPrivilege	1108	wmic.exe
Token: SeCreatePagefilePrivilege	1108	wmic.exe
Token: SeBackupPrivilege	1108	wmic.exe
Token: SeRestorePrivilege	1108	wmic.exe
Token: SeShutdownPrivilege	1108	wmic.exe
Token: SeDebugPrivilege	1108	wmic.exe
Token: SeSystemEnvironmentPrivilege	1108	wmic.exe
Token: SeRemoteShutdownPrivilege	1108	wmic.exe
Token: SeUndockPrivilege	1108	wmic.exe
Token: SeManageVolumePrivilege	1108	wmic.exe
Token: 33	1108	wmic.exe
Token: 34	1108	wmic.exe
Token: 35	1108	wmic.exe
Token: SeIncreaseQuotaPrivilege	544	WMIC.exe
Token: SeSecurityPrivilege	544	WMIC.exe
Token: SeTakeOwnershipPrivilege	544	WMIC.exe
Token: SeLoadDriverPrivilege	544	WMIC.exe
Token: SeSystemProfilePrivilege	544	WMIC.exe
Token: SeSystemtimePrivilege	544	WMIC.exe
Token: SeProfSingleProcessPrivilege	544	WMIC.exe
Token: SeIncBasePriorityPrivilege	544	WMIC.exe
Token: SeCreatePagefilePrivilege	544	WMIC.exe
Token: SeBackupPrivilege	544	WMIC.exe
Token: SeRestorePrivilege	544	WMIC.exe
Token: SeShutdownPrivilege	544	WMIC.exe
Token: SeDebugPrivilege	544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	544	WMIC.exe
Token: SeRemoteShutdownPrivilege	544	WMIC.exe
Token: SeUndockPrivilege	544	WMIC.exe
Token: SeManageVolumePrivilege	544	WMIC.exe
Token: 33	544	WMIC.exe
Token: 34	544	WMIC.exe
Token: 35	544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	544	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1776	1092	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1092 wrote to memory of 1776	1092	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1092 wrote to memory of 1776	1092	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1092 wrote to memory of 1776	1092	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1776 wrote to memory of 944	1776	voiceadequovl.exe	28
PID 1776 wrote to memory of 944	1776	voiceadequovl.exe	28
PID 1776 wrote to memory of 944	1776	voiceadequovl.exe	28
PID 1776 wrote to memory of 944	1776	voiceadequovl.exe	28
PID 944 wrote to memory of 2028	944	voiceadequovl.exe	29
PID 944 wrote to memory of 2028	944	voiceadequovl.exe	29
PID 944 wrote to memory of 2028	944	voiceadequovl.exe	29
PID 944 wrote to memory of 2028	944	voiceadequovl.exe	29
PID 944 wrote to memory of 852	944	voiceadequovl.exe	31
PID 944 wrote to memory of 852	944	voiceadequovl.exe	31
PID 944 wrote to memory of 852	944	voiceadequovl.exe	31
PID 944 wrote to memory of 852	944	voiceadequovl.exe	31
PID 852 wrote to memory of 1576	852	cmd.exe	33
PID 852 wrote to memory of 1576	852	cmd.exe	33
PID 852 wrote to memory of 1576	852	cmd.exe	33
PID 852 wrote to memory of 1576	852	cmd.exe	33
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 944 wrote to memory of 1404	944	voiceadequovl.exe	34
PID 1404 wrote to memory of 1108	1404	voiceadequovl.exe	35
PID 1404 wrote to memory of 1108	1404	voiceadequovl.exe	35
PID 1404 wrote to memory of 1108	1404	voiceadequovl.exe	35
PID 1404 wrote to memory of 1108	1404	voiceadequovl.exe	35
PID 1404 wrote to memory of 1580	1404	voiceadequovl.exe	38
PID 1404 wrote to memory of 1580	1404	voiceadequovl.exe	38
PID 1404 wrote to memory of 1580	1404	voiceadequovl.exe	38
PID 1404 wrote to memory of 1580	1404	voiceadequovl.exe	38
PID 1580 wrote to memory of 544	1580	cmd.exe	40
PID 1580 wrote to memory of 544	1580	cmd.exe	40
PID 1580 wrote to memory of 544	1580	cmd.exe	40
PID 1580 wrote to memory of 544	1580	cmd.exe	40
PID 1404 wrote to memory of 1620	1404	voiceadequovl.exe	41
PID 1404 wrote to memory of 1620	1404	voiceadequovl.exe	41
PID 1404 wrote to memory of 1620	1404	voiceadequovl.exe	41
PID 1404 wrote to memory of 1620	1404	voiceadequovl.exe	41
PID 1620 wrote to memory of 1496	1620	cmd.exe	43
PID 1620 wrote to memory of 1496	1620	cmd.exe	43
PID 1620 wrote to memory of 1496	1620	cmd.exe	43
PID 1620 wrote to memory of 1496	1620	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1620
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bb9ab2741a2e90d51388768f82f0284d

SHA1
0fcc07749e5f6712252c1d367aea4e90a42d60f1

SHA256
4a4409d754d099a8c36b3b0de339d18044f61bab6e15be7512fc472eaa3b2e82

SHA512
e577baa83740d6091b14a3ecfc5dd89b63d77d983e725f2ef7d855da7317c438731ec35701721862cb3f970f71de8381eba86de65b5cf324b9d9bf74d85007da

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
274.8MB

MD5
4aeb131a8a8b42c133094df5399b673a

SHA1
8ccc80d49b26b5052f5de3e7318c212d05b43e17

SHA256
006c2d5d6f21c1e8c5d96fd1d110a7ada6676fdd737fdfa1bf1b15d4d1b0873f

SHA512
dbafebaed8c0c9cfb2f2a8b0c428f6e9676e7f3ae40fc23c9ad9160a7718ddb1c38605fa18aeec14cc9c2365c272848c6d20c1d14f54da24a7f5f524ed7f70e9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
278.8MB

MD5
c6386c1955043cc4311bbb9c28936ed4

SHA1
d401c08444a2d99dc29aeae3361a24965f433cf8

SHA256
0fe82fbca2e268bd1771cc973b96ca62ac315c695dcfafaa6fa057d2245e4afe

SHA512
5bcb7a8d3393839c07d1aaa6443035b021f5728b14b22cb69b6dd8673f013eb35b3aa83812f48e3e404941a80a68e239f14b9e2c24a4ea090d818ce7b1a46190

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
137.5MB

MD5
750f2aface81a0345880b787ad3cddcb

SHA1
f9784012ba7a828e34b6afdcdfc85e43fa6495e8

SHA256
a4a3c40a038e3c872b01f7f8029ac775bfd21c6ec89e659e054a9dac534c1bee

SHA512
120c748ab9bdb5d3cef28d9bc4fb286ac8fcf0efe1b4f4161ca900e27964761b42c4cbca7b728601a209966582806001a0fa3dce8670007762cff49308bc5798

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
275.9MB

MD5
08ad120dc98efd1256d0aafdb1edf4c5

SHA1
1bec3652db7f4b8a3140133171410ff5c152023e

SHA256
9156aff5d3d95a108e7c532188ad0348ef052110f35fab55f7ebc33bb9f5ab5f

SHA512
464a2a9267f8469d4ad95580f84080e2cb81a902ce1b6f98876e9e2565aa52bed7761c86e98c8e7a19e87ee155b7ea8ab515f159d6999dba43caa77139083490

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
278.3MB

MD5
39b43f658e31362e332cf1edbcaba087

SHA1
18046e0d467687fcb4a7a443b056caea569b808a

SHA256
49a1c707f038c65de7eb34e5c65cee4b7bceb2dbe4dc2608190831e9aab1e17c

SHA512
59ae28fe53fb6ee6e40ecd0092c2752ec40d84d9687b71be268ed2c60ceeb4f6f2df64bb73d7efabd8a440911ae81572b48751a8fd5d55758404a76b537b7d47

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
279.5MB

MD5
724e02003cb74a4e67e5268ab1017dd3

SHA1
5395222719f56faccea717d682c5290ccb909f08

SHA256
c72afc14bcd86250df6fce537eca5192fe34c9d53cb82854f0a6ca698550d342

SHA512
eaacc3c5a9ff84ce9b176282c06f4c3e25d2f8728231c060fca981a6b62332021c0c6c41a66d225839e0538abe2727bb1c5b53965707f57553f1c0225545b9c9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
279.5MB

MD5
ec43ff9379a37b73f519202c757b0c60

SHA1
b407bf761b6b8a671aece026f6b450f603cc1dfc

SHA256
c59f813424944b00b2bdbd3990ec08d6af12cf36378c061daaa4b7c2a653a535

SHA512
509ba82594e1228d0968ea7f706dccac4e84077c27b2a67548885a5503f03285af2ad0d3509038e0b136943e3302c71d694b43ea6832ddaca8da28324b06cbe4

Download Submit
memory/944-65-0x0000000000870000-0x0000000000FE4000-memory.dmp

Filesize
7.5MB

Download
memory/944-66-0x00000000063F0000-0x0000000006790000-memory.dmp

Filesize
3.6MB

Download
memory/944-74-0x00000000052A0000-0x0000000005412000-memory.dmp

Filesize
1.4MB

Download
memory/1404-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1404-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1576-88-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/1576-94-0x000000006F120000-0x000000006F6CB000-memory.dmp

Filesize
5.7MB

Download
memory/1776-56-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download
memory/2028-71-0x000000006F3F0000-0x000000006F99B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-69-0x000000006F3F0000-0x000000006F99B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-70-0x000000006F3F0000-0x000000006F99B000-memory.dmp

Filesize
5.7MB

Download