aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
83s
max time network
77s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/908-66-0x00000000063B0000-0x0000000006750000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1812	voiceadequovl.exe
908	voiceadequovl.exe
1640	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1812	voiceadequovl.exe
1812	voiceadequovl.exe
1812	voiceadequovl.exe
1812	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 908 set thread context of 1640	908	voiceadequovl.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1204	powershell.exe
1724	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	908	voiceadequovl.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeIncreaseQuotaPrivilege	320	wmic.exe
Token: SeSecurityPrivilege	320	wmic.exe
Token: SeTakeOwnershipPrivilege	320	wmic.exe
Token: SeLoadDriverPrivilege	320	wmic.exe
Token: SeSystemProfilePrivilege	320	wmic.exe
Token: SeSystemtimePrivilege	320	wmic.exe
Token: SeProfSingleProcessPrivilege	320	wmic.exe
Token: SeIncBasePriorityPrivilege	320	wmic.exe
Token: SeCreatePagefilePrivilege	320	wmic.exe
Token: SeBackupPrivilege	320	wmic.exe
Token: SeRestorePrivilege	320	wmic.exe
Token: SeShutdownPrivilege	320	wmic.exe
Token: SeDebugPrivilege	320	wmic.exe
Token: SeSystemEnvironmentPrivilege	320	wmic.exe
Token: SeRemoteShutdownPrivilege	320	wmic.exe
Token: SeUndockPrivilege	320	wmic.exe
Token: SeManageVolumePrivilege	320	wmic.exe
Token: 33	320	wmic.exe
Token: 34	320	wmic.exe
Token: 35	320	wmic.exe
Token: SeIncreaseQuotaPrivilege	320	wmic.exe
Token: SeSecurityPrivilege	320	wmic.exe
Token: SeTakeOwnershipPrivilege	320	wmic.exe
Token: SeLoadDriverPrivilege	320	wmic.exe
Token: SeSystemProfilePrivilege	320	wmic.exe
Token: SeSystemtimePrivilege	320	wmic.exe
Token: SeProfSingleProcessPrivilege	320	wmic.exe
Token: SeIncBasePriorityPrivilege	320	wmic.exe
Token: SeCreatePagefilePrivilege	320	wmic.exe
Token: SeBackupPrivilege	320	wmic.exe
Token: SeRestorePrivilege	320	wmic.exe
Token: SeShutdownPrivilege	320	wmic.exe
Token: SeDebugPrivilege	320	wmic.exe
Token: SeSystemEnvironmentPrivilege	320	wmic.exe
Token: SeRemoteShutdownPrivilege	320	wmic.exe
Token: SeUndockPrivilege	320	wmic.exe
Token: SeManageVolumePrivilege	320	wmic.exe
Token: 33	320	wmic.exe
Token: 34	320	wmic.exe
Token: 35	320	wmic.exe
Token: SeIncreaseQuotaPrivilege	952	WMIC.exe
Token: SeSecurityPrivilege	952	WMIC.exe
Token: SeTakeOwnershipPrivilege	952	WMIC.exe
Token: SeLoadDriverPrivilege	952	WMIC.exe
Token: SeSystemProfilePrivilege	952	WMIC.exe
Token: SeSystemtimePrivilege	952	WMIC.exe
Token: SeProfSingleProcessPrivilege	952	WMIC.exe
Token: SeIncBasePriorityPrivilege	952	WMIC.exe
Token: SeCreatePagefilePrivilege	952	WMIC.exe
Token: SeBackupPrivilege	952	WMIC.exe
Token: SeRestorePrivilege	952	WMIC.exe
Token: SeShutdownPrivilege	952	WMIC.exe
Token: SeDebugPrivilege	952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	952	WMIC.exe
Token: SeRemoteShutdownPrivilege	952	WMIC.exe
Token: SeUndockPrivilege	952	WMIC.exe
Token: SeManageVolumePrivilege	952	WMIC.exe
Token: 33	952	WMIC.exe
Token: 34	952	WMIC.exe
Token: 35	952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	952	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1812	1752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1752 wrote to memory of 1812	1752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1752 wrote to memory of 1812	1752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1752 wrote to memory of 1812	1752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1812 wrote to memory of 908	1812	voiceadequovl.exe	27
PID 1812 wrote to memory of 908	1812	voiceadequovl.exe	27
PID 1812 wrote to memory of 908	1812	voiceadequovl.exe	27
PID 1812 wrote to memory of 908	1812	voiceadequovl.exe	27
PID 908 wrote to memory of 1204	908	voiceadequovl.exe	28
PID 908 wrote to memory of 1204	908	voiceadequovl.exe	28
PID 908 wrote to memory of 1204	908	voiceadequovl.exe	28
PID 908 wrote to memory of 1204	908	voiceadequovl.exe	28
PID 908 wrote to memory of 1780	908	voiceadequovl.exe	30
PID 908 wrote to memory of 1780	908	voiceadequovl.exe	30
PID 908 wrote to memory of 1780	908	voiceadequovl.exe	30
PID 908 wrote to memory of 1780	908	voiceadequovl.exe	30
PID 1780 wrote to memory of 1724	1780	cmd.exe	32
PID 1780 wrote to memory of 1724	1780	cmd.exe	32
PID 1780 wrote to memory of 1724	1780	cmd.exe	32
PID 1780 wrote to memory of 1724	1780	cmd.exe	32
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 908 wrote to memory of 1640	908	voiceadequovl.exe	33
PID 1640 wrote to memory of 320	1640	voiceadequovl.exe	34
PID 1640 wrote to memory of 320	1640	voiceadequovl.exe	34
PID 1640 wrote to memory of 320	1640	voiceadequovl.exe	34
PID 1640 wrote to memory of 320	1640	voiceadequovl.exe	34
PID 1640 wrote to memory of 656	1640	voiceadequovl.exe	38
PID 1640 wrote to memory of 656	1640	voiceadequovl.exe	38
PID 1640 wrote to memory of 656	1640	voiceadequovl.exe	38
PID 1640 wrote to memory of 656	1640	voiceadequovl.exe	38
PID 656 wrote to memory of 952	656	cmd.exe	39
PID 656 wrote to memory of 952	656	cmd.exe	39
PID 656 wrote to memory of 952	656	cmd.exe	39
PID 656 wrote to memory of 952	656	cmd.exe	39
PID 1640 wrote to memory of 996	1640	voiceadequovl.exe	41
PID 1640 wrote to memory of 996	1640	voiceadequovl.exe	41
PID 1640 wrote to memory of 996	1640	voiceadequovl.exe	41
PID 1640 wrote to memory of 996	1640	voiceadequovl.exe	41
PID 996 wrote to memory of 912	996	cmd.exe	42
PID 996 wrote to memory of 912	996	cmd.exe	42
PID 996 wrote to memory of 912	996	cmd.exe	42
PID 996 wrote to memory of 912	996	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
245.2MB

MD5
66069dbb78dfa25eea6ac4f5e3cd28b0

SHA1
10be876081d0f0532b64d01cf37021d6a67eaa4d

SHA256
41490700db2d27975507adfeb9573ad1ff49658e3c8aaeeff7c22d95889e13e2

SHA512
77d446b4ae609e132e2416c084ec24d8780f2f72af4e36178d73f5aa7840096fcd9a880f88ca8860953aa6b994b7f81441b3aaa16d5fccd501782805075f547c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
205.2MB

MD5
279fbf5bdb21eeca6aa6b27855c7c558

SHA1
a7f9709e92be4939c5bcca1573fa69aa84e32120

SHA256
a9b2c1ab583632100ce1640b0b0cef8e866982269bf72ed23ffbb2bccc464ad2

SHA512
9dcd1add95020693b1c1927ef8971dd6fab2e2f1e5aacb992f79b34fe582b5189867de8ea9b78072b4ffbcbb4be0ec8902647c693d9a550ca748ae05f657544d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f2ac871854f224a60d384fd5844c38ea

SHA1
d6c538707e09a1f9ebf621cbdfe220f378c01677

SHA256
163c7ee6b11b0e0359619209ca99828b42b07f370f50712e4cfa8d75df3734fa

SHA512
81cb2fa4fdc8b2c663619040eb7c5ff75b3e808b573ff5589cc8a1a09b70b351c2ea9c6cbe696ab25b54014c6796bd07a542fdc3fd97505a3f3a23ed95e8c042

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
231.2MB

MD5
cea8f666ec9db232b45623cddf90ae4d

SHA1
20c35261ecc27a3adadb6b1dc2228a9d4b7f28db

SHA256
b0f2be19b84be0a95a21a84315b3766799a401d7b1a2ebad86bd53978dece646

SHA512
4167b6ca20cdb75f2909cced6b6cb4246b6c561f4c7b62f536f35d8206c1b08d7109264a538035bdb778ba7efe0b2e8fe6e8d7d988f5774893f8ac7b7032df2d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
225.0MB

MD5
69e23a2d90fe3571c8953399af60ee01

SHA1
0837c69acdf4540bf96cb84f74a40a58bc9f3d33

SHA256
55712ffc82e491708354e9a2f8b47c506fc9ffcd78f45787a9642ab7f9cf399e

SHA512
3c10011692b5c0519463f142759375e507b03b98281a3942a407f713e30495afa2c75aaf21ebc58318e4cda674860a8dbd028952a40ed7ab5b58c13d81ec08f1

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
131.1MB

MD5
20935fcabb70b595a488dfe3eaddc12e

SHA1
7b807d870e38eeceb4f91b499147570f1d6144b7

SHA256
bda9d5a7fdba413972b69cee5c78ccbd24cef3c507dcec97f02f43a2432ad618

SHA512
4e6ab1f386376af1aeb7399a14a7ce118ebb0612d19e832d612b71b7493ed31d737ca4a779c55ba4cac9cf96fce5352abb7b3343b269d33e00907990f387158e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
226.1MB

MD5
38d3c6bf1e0018233a17df9747a2e34f

SHA1
b9b8b04ab66feb53aad8df4749f15ca75865ed18

SHA256
231dbabef208c3298ee37b7769fc0bacc6e055fa30be28016c2ed8a522336850

SHA512
13f2d80467ae895221e5843fab6e57547d476934641f271bbeb1056cc2511566ba0bbd13e7831cfe69e60de9fdfb2f50e98d52c36372985108b679bef605c2c9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
228.8MB

MD5
2ce2254ce09fbdc5cc626dad11f34a57

SHA1
66fc9a6b19c28350499761f1e63501831efb1c25

SHA256
70b21d3d7ed2043f03bb665ae3fe28f88538857ce4deded965636c8a2ce3b3fe

SHA512
5e4180a918e6866827714e5ee5a48acf9a5d0b476312eae1e84e4a19c3c7df485e029be2fa937d17201ff3caa8f68bc16b61d7ea411cca7b284d9074f5d07c8b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
223.4MB

MD5
d8569ba5e3b0085620dfd8432b8a359b

SHA1
a26cf8587818cdcec994f43fc1924f95b16731b3

SHA256
67bc9e9708d7042f85043c6ee2d950a323f9dbd7bde4234bb72022e7293dc27e

SHA512
447c2b6dc744798b465066f096f7c2920549fdfe6515e86db2e60ce7262ecb3ab6c3bdf00ff58bf8b12b50db70afbe9f9c99547f1768e66740119204e7de6fcc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
224.8MB

MD5
fe474e243402dc12e95690eccfcedd8c

SHA1
1e7a34b3eee3d33066ab81fe7652513abf0cabed

SHA256
d7501a958d770a147c5c085ac9a32127218edffe5d83720aabaed37260f313a1

SHA512
34f31fc105a8b94211d6e9819cfd5a7571cb61a3a4fb600bef81bf50d88c33cd014e0050013c81f533c6594a18a6e6cf6fe4a212d6185db56859ac5d2e25a6b7

Download Submit
memory/908-76-0x0000000005380000-0x00000000054F2000-memory.dmp

Filesize
1.4MB

Download
memory/908-65-0x0000000000950000-0x00000000010C4000-memory.dmp

Filesize
7.5MB

Download
memory/908-66-0x00000000063B0000-0x0000000006750000-memory.dmp

Filesize
3.6MB

Download
memory/1204-69-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-70-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/1204-71-0x000000006F950000-0x000000006FEFB000-memory.dmp

Filesize
5.7MB

Download
memory/1640-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1640-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1724-92-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/1724-101-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/1812-56-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download