aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
67s
max time network
72s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1608-66-0x0000000006550000-0x00000000068F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
976	voiceadequovl.exe
1608	voiceadequovl.exe
2012	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
976	voiceadequovl.exe
976	voiceadequovl.exe
976	voiceadequovl.exe
976	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 2012	1608	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
516	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	voiceadequovl.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeIncreaseQuotaPrivilege	1160	wmic.exe
Token: SeSecurityPrivilege	1160	wmic.exe
Token: SeTakeOwnershipPrivilege	1160	wmic.exe
Token: SeLoadDriverPrivilege	1160	wmic.exe
Token: SeSystemProfilePrivilege	1160	wmic.exe
Token: SeSystemtimePrivilege	1160	wmic.exe
Token: SeProfSingleProcessPrivilege	1160	wmic.exe
Token: SeIncBasePriorityPrivilege	1160	wmic.exe
Token: SeCreatePagefilePrivilege	1160	wmic.exe
Token: SeBackupPrivilege	1160	wmic.exe
Token: SeRestorePrivilege	1160	wmic.exe
Token: SeShutdownPrivilege	1160	wmic.exe
Token: SeDebugPrivilege	1160	wmic.exe
Token: SeSystemEnvironmentPrivilege	1160	wmic.exe
Token: SeRemoteShutdownPrivilege	1160	wmic.exe
Token: SeUndockPrivilege	1160	wmic.exe
Token: SeManageVolumePrivilege	1160	wmic.exe
Token: 33	1160	wmic.exe
Token: 34	1160	wmic.exe
Token: 35	1160	wmic.exe
Token: SeIncreaseQuotaPrivilege	1160	wmic.exe
Token: SeSecurityPrivilege	1160	wmic.exe
Token: SeTakeOwnershipPrivilege	1160	wmic.exe
Token: SeLoadDriverPrivilege	1160	wmic.exe
Token: SeSystemProfilePrivilege	1160	wmic.exe
Token: SeSystemtimePrivilege	1160	wmic.exe
Token: SeProfSingleProcessPrivilege	1160	wmic.exe
Token: SeIncBasePriorityPrivilege	1160	wmic.exe
Token: SeCreatePagefilePrivilege	1160	wmic.exe
Token: SeBackupPrivilege	1160	wmic.exe
Token: SeRestorePrivilege	1160	wmic.exe
Token: SeShutdownPrivilege	1160	wmic.exe
Token: SeDebugPrivilege	1160	wmic.exe
Token: SeSystemEnvironmentPrivilege	1160	wmic.exe
Token: SeRemoteShutdownPrivilege	1160	wmic.exe
Token: SeUndockPrivilege	1160	wmic.exe
Token: SeManageVolumePrivilege	1160	wmic.exe
Token: 33	1160	wmic.exe
Token: 34	1160	wmic.exe
Token: 35	1160	wmic.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 976	1036	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1036 wrote to memory of 976	1036	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1036 wrote to memory of 976	1036	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1036 wrote to memory of 976	1036	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 976 wrote to memory of 1608	976	voiceadequovl.exe	28
PID 976 wrote to memory of 1608	976	voiceadequovl.exe	28
PID 976 wrote to memory of 1608	976	voiceadequovl.exe	28
PID 976 wrote to memory of 1608	976	voiceadequovl.exe	28
PID 1608 wrote to memory of 516	1608	voiceadequovl.exe	29
PID 1608 wrote to memory of 516	1608	voiceadequovl.exe	29
PID 1608 wrote to memory of 516	1608	voiceadequovl.exe	29
PID 1608 wrote to memory of 516	1608	voiceadequovl.exe	29
PID 1608 wrote to memory of 364	1608	voiceadequovl.exe	31
PID 1608 wrote to memory of 364	1608	voiceadequovl.exe	31
PID 1608 wrote to memory of 364	1608	voiceadequovl.exe	31
PID 1608 wrote to memory of 364	1608	voiceadequovl.exe	31
PID 364 wrote to memory of 1688	364	cmd.exe	33
PID 364 wrote to memory of 1688	364	cmd.exe	33
PID 364 wrote to memory of 1688	364	cmd.exe	33
PID 364 wrote to memory of 1688	364	cmd.exe	33
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 2012	1608	voiceadequovl.exe	34
PID 2012 wrote to memory of 1160	2012	voiceadequovl.exe	35
PID 2012 wrote to memory of 1160	2012	voiceadequovl.exe	35
PID 2012 wrote to memory of 1160	2012	voiceadequovl.exe	35
PID 2012 wrote to memory of 1160	2012	voiceadequovl.exe	35
PID 2012 wrote to memory of 1460	2012	voiceadequovl.exe	38
PID 2012 wrote to memory of 1460	2012	voiceadequovl.exe	38
PID 2012 wrote to memory of 1460	2012	voiceadequovl.exe	38
PID 2012 wrote to memory of 1460	2012	voiceadequovl.exe	38
PID 1460 wrote to memory of 1564	1460	cmd.exe	40
PID 1460 wrote to memory of 1564	1460	cmd.exe	40
PID 1460 wrote to memory of 1564	1460	cmd.exe	40
PID 1460 wrote to memory of 1564	1460	cmd.exe	40
PID 2012 wrote to memory of 1960	2012	voiceadequovl.exe	41
PID 2012 wrote to memory of 1960	2012	voiceadequovl.exe	41
PID 2012 wrote to memory of 1960	2012	voiceadequovl.exe	41
PID 2012 wrote to memory of 1960	2012	voiceadequovl.exe	41
PID 1960 wrote to memory of 1444	1960	cmd.exe	43
PID 1960 wrote to memory of 1444	1960	cmd.exe	43
PID 1960 wrote to memory of 1444	1960	cmd.exe	43
PID 1960 wrote to memory of 1444	1960	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
241.1MB

MD5
077126cba54c20deaa3452ee688a8e16

SHA1
368f560513d481d0ed09fea31a0772d58a00c6d4

SHA256
cd2917cfc46c8c7c3dcd06af780ac1dc60e71b88b0051bebde18ca484c613804

SHA512
2c841740ca5d47281b3b5c6223a6384c80330216f1a20f2a5223436d0be2f58de899f23540a1ea45d1d6b985638a14c28c379f01551792b2723cd90200863c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
237.3MB

MD5
bd5f06d8fa56c21166126169e67c1281

SHA1
d246326e46be1d38ea07732d29eefed917940719

SHA256
4d319bdb6800b4b1a35f5925325f66420e3f872b55d428b4f76d5101fdca386d

SHA512
85fb39e4617dfbae2f1bff0694a5a3feef97675bcc47e628136978bff947621f736b64fa23910a133f703b8b192a9d4b4d8cfac0984d5740d5da6024925bb589

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5a7b861184acecb6433a8cc4430152d9

SHA1
f5dc6adc441b38ae0248c7329e94a3ad4e224d79

SHA256
5011a90f4499acc3df424153ecb9d17ed92e468ec2ffff74fbf9853de0bbe429

SHA512
09ffd4eca65f9b71694a5f868ca2b2365d42ed9f5dfbf689d7d3dfc94c0db32fa61b79291b75f533a818238e8a39095c88949de3bbd7d9ca8464cf5a7d66056b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
204.4MB

MD5
57373b33ea8ca2e1442e47246dd969d6

SHA1
1082c2f82fef7d48a1b6685fc503174ae1d90b26

SHA256
df27c6ac4b5b1aa31553840237970b53b0409d764ed131f6ecc2fad1d7d47e97

SHA512
bd0ea446edd4a5ad3277ac5c7c59c5935162051dce59fbbe8c70f26e52ffcaf478e91eeb04e7cfdfbc759755d1b80976950632d9f20ae9f66ecfe70ff6f3f960

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
204.2MB

MD5
9df1ed3fa85d20ff41c3eefa0ff5bb90

SHA1
b1d728e70535c97d2ae953f923b1cf8ee7c5d6be

SHA256
ed807fe9b7fa21ba6c606386b1340e7dc2b592f1ad773c629d9509451d9294e5

SHA512
f03f689dd4939f35caa861331ae0d3b0bc8d3af62fcb4e403bd799b3af2371035413c75887051718ba57f0fdc6808d5a4770bdeb0f694ef87a4aa624a1a64c39

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
128.8MB

MD5
f0bb2454e04804a60159225f9d6a2555

SHA1
0908fa2fb52696d973f3dbbed7aca94f440cf9d8

SHA256
a6354d36ff7604685421e9c09055030b8bc9eeb243cc4ed4b2f3cf8276b2f8e4

SHA512
0da6c3a4bbad328345315a5445ffbbb63eea2b5d2ee3e66f08483e43ed5e2a02bfe7909cee6777c8ede8a9374ba53d6bb9f11bd87ef5c5474ff175f7d7d6514a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
205.4MB

MD5
560953d98297af7e09a3c1dfe32f5b0a

SHA1
d04220cea64cfefa41c7de5c4bada435ca02384f

SHA256
b7205d24f0e066c949e3c8a3f5464675dd2e00d960dda6e2b90ac1f9b213283b

SHA512
24afd136d0ccaadcd78e131a4d3f76d95af212077a28cd537c9216a27e425665e2e8b65791db2a9209ac3d4ae8f3064a2e7265f2dc3ad1fdddc30d9ac3ba53c1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
206.9MB

MD5
d87e1fdbc14da66477aa8f9d5e94f654

SHA1
de9d0f8f2ea004a13b7fac458fb540f056bb51f7

SHA256
c0a5377f28f918e6506f16390f3232d8fee0dda21417f3052603a285a8eddd4d

SHA512
57790c982a4995b3d03cf48e8345b1a92d7b87f1e243b7a6464a661339281a2d78f83b6a0274badf9de63dee98f66559f3b1873269c5dc21c799d0c6bed5bcb6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
205.1MB

MD5
54ce438638162736eff622ee4331417e

SHA1
c607155aa4b070c139f42a87bd10ed174e075754

SHA256
4fd095bf713f2c929afea96e4c1b009d16981ed00196bb5dd55224b8ff3807a3

SHA512
fef0a7c6c32d3e831c8f192ec1e316752035d8a7bdbe53d2e55e2144fd006b0a126eb5f8b8fd6bc9f41f4c43787f8eaf595fa636a74c64d0a6cea188e373e535

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
201.2MB

MD5
3757d308c012da2344c827540d035cb2

SHA1
e8e23cee83f0b8728388572ccf2d6196cd9d0ace

SHA256
c97b572dcbd666e0fe2695be0464a8d58bc3a74a5157a492573306fd11ad48e8

SHA512
800727ad161a5e5fc8819e4e5ac91305ff83727b818ad3a113b7980252ada1a62a3761fe6ec3994033c33159e9491880e52c51112809c0b6f0d2175c210f492c

Download Submit
memory/516-69-0x000000006FBA0000-0x000000007014B000-memory.dmp

Filesize
5.7MB

Download
memory/516-70-0x000000006FBA0000-0x000000007014B000-memory.dmp

Filesize
5.7MB

Download
memory/516-71-0x000000006FBA0000-0x000000007014B000-memory.dmp

Filesize
5.7MB

Download
memory/976-56-0x0000000075BB1000-0x0000000075BB3000-memory.dmp

Filesize
8KB

Download
memory/1608-74-0x0000000005550000-0x00000000056C2000-memory.dmp

Filesize
1.4MB

Download
memory/1608-66-0x0000000006550000-0x00000000068F0000-memory.dmp

Filesize
3.6MB

Download
memory/1608-65-0x0000000000E60000-0x00000000015D4000-memory.dmp

Filesize
7.5MB

Download
memory/1688-94-0x000000006F8F0000-0x000000006FE9B000-memory.dmp

Filesize
5.7MB

Download
memory/1688-90-0x000000006F8F0000-0x000000006FE9B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/2012-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download