aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
84s
max time network
88s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1572-66-0x0000000006380000-0x0000000006720000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1376	voiceadequovl.exe
1572	voiceadequovl.exe
1748	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1376	voiceadequovl.exe
1376	voiceadequovl.exe
1376	voiceadequovl.exe
1376	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1572 set thread context of 1748	1572	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
912	powershell.exe
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	voiceadequovl.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeIncreaseQuotaPrivilege	108	wmic.exe
Token: SeSecurityPrivilege	108	wmic.exe
Token: SeTakeOwnershipPrivilege	108	wmic.exe
Token: SeLoadDriverPrivilege	108	wmic.exe
Token: SeSystemProfilePrivilege	108	wmic.exe
Token: SeSystemtimePrivilege	108	wmic.exe
Token: SeProfSingleProcessPrivilege	108	wmic.exe
Token: SeIncBasePriorityPrivilege	108	wmic.exe
Token: SeCreatePagefilePrivilege	108	wmic.exe
Token: SeBackupPrivilege	108	wmic.exe
Token: SeRestorePrivilege	108	wmic.exe
Token: SeShutdownPrivilege	108	wmic.exe
Token: SeDebugPrivilege	108	wmic.exe
Token: SeSystemEnvironmentPrivilege	108	wmic.exe
Token: SeRemoteShutdownPrivilege	108	wmic.exe
Token: SeUndockPrivilege	108	wmic.exe
Token: SeManageVolumePrivilege	108	wmic.exe
Token: 33	108	wmic.exe
Token: 34	108	wmic.exe
Token: 35	108	wmic.exe
Token: SeIncreaseQuotaPrivilege	108	wmic.exe
Token: SeSecurityPrivilege	108	wmic.exe
Token: SeTakeOwnershipPrivilege	108	wmic.exe
Token: SeLoadDriverPrivilege	108	wmic.exe
Token: SeSystemProfilePrivilege	108	wmic.exe
Token: SeSystemtimePrivilege	108	wmic.exe
Token: SeProfSingleProcessPrivilege	108	wmic.exe
Token: SeIncBasePriorityPrivilege	108	wmic.exe
Token: SeCreatePagefilePrivilege	108	wmic.exe
Token: SeBackupPrivilege	108	wmic.exe
Token: SeRestorePrivilege	108	wmic.exe
Token: SeShutdownPrivilege	108	wmic.exe
Token: SeDebugPrivilege	108	wmic.exe
Token: SeSystemEnvironmentPrivilege	108	wmic.exe
Token: SeRemoteShutdownPrivilege	108	wmic.exe
Token: SeUndockPrivilege	108	wmic.exe
Token: SeManageVolumePrivilege	108	wmic.exe
Token: 33	108	wmic.exe
Token: 34	108	wmic.exe
Token: 35	108	wmic.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe
Token: SeSecurityPrivilege	1504	WMIC.exe
Token: SeTakeOwnershipPrivilege	1504	WMIC.exe
Token: SeLoadDriverPrivilege	1504	WMIC.exe
Token: SeSystemProfilePrivilege	1504	WMIC.exe
Token: SeSystemtimePrivilege	1504	WMIC.exe
Token: SeProfSingleProcessPrivilege	1504	WMIC.exe
Token: SeIncBasePriorityPrivilege	1504	WMIC.exe
Token: SeCreatePagefilePrivilege	1504	WMIC.exe
Token: SeBackupPrivilege	1504	WMIC.exe
Token: SeRestorePrivilege	1504	WMIC.exe
Token: SeShutdownPrivilege	1504	WMIC.exe
Token: SeDebugPrivilege	1504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1504	WMIC.exe
Token: SeRemoteShutdownPrivilege	1504	WMIC.exe
Token: SeUndockPrivilege	1504	WMIC.exe
Token: SeManageVolumePrivilege	1504	WMIC.exe
Token: 33	1504	WMIC.exe
Token: 34	1504	WMIC.exe
Token: 35	1504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1504	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1376	1916	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1916 wrote to memory of 1376	1916	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1916 wrote to memory of 1376	1916	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1916 wrote to memory of 1376	1916	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1376 wrote to memory of 1572	1376	voiceadequovl.exe	29
PID 1376 wrote to memory of 1572	1376	voiceadequovl.exe	29
PID 1376 wrote to memory of 1572	1376	voiceadequovl.exe	29
PID 1376 wrote to memory of 1572	1376	voiceadequovl.exe	29
PID 1572 wrote to memory of 912	1572	voiceadequovl.exe	30
PID 1572 wrote to memory of 912	1572	voiceadequovl.exe	30
PID 1572 wrote to memory of 912	1572	voiceadequovl.exe	30
PID 1572 wrote to memory of 912	1572	voiceadequovl.exe	30
PID 1572 wrote to memory of 1320	1572	voiceadequovl.exe	32
PID 1572 wrote to memory of 1320	1572	voiceadequovl.exe	32
PID 1572 wrote to memory of 1320	1572	voiceadequovl.exe	32
PID 1572 wrote to memory of 1320	1572	voiceadequovl.exe	32
PID 1320 wrote to memory of 1932	1320	cmd.exe	34
PID 1320 wrote to memory of 1932	1320	cmd.exe	34
PID 1320 wrote to memory of 1932	1320	cmd.exe	34
PID 1320 wrote to memory of 1932	1320	cmd.exe	34
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1748	1572	voiceadequovl.exe	35
PID 1748 wrote to memory of 108	1748	voiceadequovl.exe	37
PID 1748 wrote to memory of 108	1748	voiceadequovl.exe	37
PID 1748 wrote to memory of 108	1748	voiceadequovl.exe	37
PID 1748 wrote to memory of 108	1748	voiceadequovl.exe	37
PID 1748 wrote to memory of 1656	1748	voiceadequovl.exe	39
PID 1748 wrote to memory of 1656	1748	voiceadequovl.exe	39
PID 1748 wrote to memory of 1656	1748	voiceadequovl.exe	39
PID 1748 wrote to memory of 1656	1748	voiceadequovl.exe	39
PID 1656 wrote to memory of 1504	1656	cmd.exe	41
PID 1656 wrote to memory of 1504	1656	cmd.exe	41
PID 1656 wrote to memory of 1504	1656	cmd.exe	41
PID 1656 wrote to memory of 1504	1656	cmd.exe	41
PID 1748 wrote to memory of 1432	1748	voiceadequovl.exe	42
PID 1748 wrote to memory of 1432	1748	voiceadequovl.exe	42
PID 1748 wrote to memory of 1432	1748	voiceadequovl.exe	42
PID 1748 wrote to memory of 1432	1748	voiceadequovl.exe	42
PID 1432 wrote to memory of 1212	1432	cmd.exe	44
PID 1432 wrote to memory of 1212	1432	cmd.exe	44
PID 1432 wrote to memory of 1212	1432	cmd.exe	44
PID 1432 wrote to memory of 1212	1432	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
353.0MB

MD5
631e4030c4b84ba7f8a29336bedf67d8

SHA1
c415580334846f5ac03907111b87a0ddc2e7e22e

SHA256
bd31509043c80d79e3c05fb3beb155c18c5e6b938e2224210bcb10dee10b8531

SHA512
ccbd57b0ad314fbc3990dec5f000f619a9c9d7b3f8f2591d2c8a4f5a9d81231c54bdf5f0002223ae3cab69603f9e0afe6e2ae9eb932adaf8a63d1aa7a7482e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
343.8MB

MD5
cd4c63fdb89884d2c60b38432d3c8cd3

SHA1
2435c7c92a98826ee816ec79128583bd6899d0ea

SHA256
7466c28f301dbbf51c5d1a32286cc474658b80d9fd49fe9b082a02377e6d8858

SHA512
9d028f47ec16408376b4eb0bab6c69a9e37008300cb85e47c1de2d51d5527735485af20842ee0844f099fabaff30f0ce0ddc0e45e708bd5f3b662e01730f1f95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
594372a65d0dd057e8229f04279ce5f3

SHA1
d397e8d18df1e1889cf343d29ba1ff50761ff1b8

SHA256
8e7e921c80787abe19e0d866e7efcaa1895f8e96f05df4e6abbc59ed70931f55

SHA512
b1d9d47189f7cbfe1583d3eaa5f2c23e430fe06aed3b80a71233c4a968d9fe5527a7582947c8726375dba532c3112dca79bef0a6a9033a354ddf01daa482cca4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
245.6MB

MD5
cc39e8fd5ff45f4e030f5c80271379aa

SHA1
c2553f4b978797bc1aaed7fda87eb4b4bc12dd05

SHA256
f219254289f2fa65faa7135f638e255f65df1413994ce541e5a9c1ef7b4c342d

SHA512
4341d78086f4a97cb97d1ca5dc05a1ecf9240c58e1d24aca34c07f67aadb30e59d8217dc3baff0a9a55dbac0132414d0111e7252fcc979e125076ece641c81f0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
234.1MB

MD5
575b400c7be2fbc92ccd103a28eb1474

SHA1
a5281076451414a56bd339b91690f22612a921ee

SHA256
358f6eb45337e119bd740d32d1b9fc7ea5b13eb7382abb428635144e4b68055a

SHA512
c18b0b0020968b3de96deac84c548e6c45c6bc5b4e250d143e9c4967fad71d82248f7c4a182ddafd861d4691dd90e27eb2973fbb3fc615aee3d6b19d9a8ccf54

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
108.9MB

MD5
321bb9f58b7838c37a7b17d73dabe6db

SHA1
78c7f3d799203f38cdaf88fef4571496ceb4d633

SHA256
52180401956ff58bfac2e5b9843c1a70b1abf89c8c8812f96ccf9f08e5354899

SHA512
5f00cec9ae0d6b37a5b0ee1804798f748f9a3f5ab7a2969674d4407960fbdf8d5d229976ee37a19413ef005f55a9ac76b8d82160dbe29eff9912439cdc162875

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.5MB

MD5
5d6cd8ac333bea4a4ed594e36238074e

SHA1
89db5b5aa3d7e9acbf3806e333484ee831016b84

SHA256
d5685c76ec2d11e7b317fb85afc8b8055a87bb2eb5362c84fd14965418462416

SHA512
7e0b87beb0e56e625ed52666dd56f11034db84cbb0e9cf30ee007d91a58ab3d8a4a8750ebeba074e6603e54fcd7fbfb2a70008e2989e770cf2f364549aa0d04f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
246.6MB

MD5
69879de934b18b58ce43ed6af510dddb

SHA1
75c2d5bca0a04260ad6ab25cc1800a16cbf8f039

SHA256
e0ee93605ecbebfdf1d5a48f424d23fdeea430671763a177ea266ee0d6cb489d

SHA512
310041800833984719b07942e75aa729b05935e61b4f9f395c6387b501f24557857231ea24948644da66951931d8eb0c7436ba1d473941b808d24b775c223dff

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.4MB

MD5
82918a2e594ffff4fd930f1ef2544973

SHA1
fff7feda6d8c16f194efdc652a391ca5600f7ad1

SHA256
4a93eee583ffbdb69ed090602398d08233e1fd96ab74b4e9f6721a740d108f14

SHA512
0f7b5aba27622742ac93628aba6064347619995095eba1d67a0c2fdf4a78f7aa70a3d45a358e579f8d9e5c49e14f168791cea366df9903bafe6404d4c3982a45

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
246.3MB

MD5
006b5062f8a83d69449b326353af5a95

SHA1
410a0e0aa3fdaef97ab54a978043dcffe8a2a7d3

SHA256
42bd4fb964722cecf260b291bf1e88073c570e32a77bcf826fec76c311cd45e6

SHA512
ada6cb8143cc067b609e573e549f219ce7856f50d339a16d832a6c4fd368b75ffafffcb0ce18e958c8fc06c4a656c347ff0a6a66094640ed6546eac5def7663d

Download Submit
memory/912-69-0x000000006F8C0000-0x000000006FE6B000-memory.dmp

Filesize
5.7MB

Download
memory/912-70-0x000000006F8C0000-0x000000006FE6B000-memory.dmp

Filesize
5.7MB

Download
memory/912-71-0x000000006F8C0000-0x000000006FE6B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-56-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1572-74-0x0000000005370000-0x00000000054E2000-memory.dmp

Filesize
1.4MB

Download
memory/1572-65-0x0000000000F10000-0x0000000001684000-memory.dmp

Filesize
7.5MB

Download
memory/1572-66-0x0000000006380000-0x0000000006720000-memory.dmp

Filesize
3.6MB

Download
memory/1748-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-90-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1748-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1932-77-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-88-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download