aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
70s
max time network
73s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1108-66-0x00000000064C0000-0x0000000006860000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
880	voiceadequovl.exe
1108	voiceadequovl.exe
804	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
880	voiceadequovl.exe
880	voiceadequovl.exe
880	voiceadequovl.exe
880	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 804	1108	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
912	powershell.exe
844	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	voiceadequovl.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeIncreaseQuotaPrivilege	2008	wmic.exe
Token: SeSecurityPrivilege	2008	wmic.exe
Token: SeTakeOwnershipPrivilege	2008	wmic.exe
Token: SeLoadDriverPrivilege	2008	wmic.exe
Token: SeSystemProfilePrivilege	2008	wmic.exe
Token: SeSystemtimePrivilege	2008	wmic.exe
Token: SeProfSingleProcessPrivilege	2008	wmic.exe
Token: SeIncBasePriorityPrivilege	2008	wmic.exe
Token: SeCreatePagefilePrivilege	2008	wmic.exe
Token: SeBackupPrivilege	2008	wmic.exe
Token: SeRestorePrivilege	2008	wmic.exe
Token: SeShutdownPrivilege	2008	wmic.exe
Token: SeDebugPrivilege	2008	wmic.exe
Token: SeSystemEnvironmentPrivilege	2008	wmic.exe
Token: SeRemoteShutdownPrivilege	2008	wmic.exe
Token: SeUndockPrivilege	2008	wmic.exe
Token: SeManageVolumePrivilege	2008	wmic.exe
Token: 33	2008	wmic.exe
Token: 34	2008	wmic.exe
Token: 35	2008	wmic.exe
Token: SeIncreaseQuotaPrivilege	2008	wmic.exe
Token: SeSecurityPrivilege	2008	wmic.exe
Token: SeTakeOwnershipPrivilege	2008	wmic.exe
Token: SeLoadDriverPrivilege	2008	wmic.exe
Token: SeSystemProfilePrivilege	2008	wmic.exe
Token: SeSystemtimePrivilege	2008	wmic.exe
Token: SeProfSingleProcessPrivilege	2008	wmic.exe
Token: SeIncBasePriorityPrivilege	2008	wmic.exe
Token: SeCreatePagefilePrivilege	2008	wmic.exe
Token: SeBackupPrivilege	2008	wmic.exe
Token: SeRestorePrivilege	2008	wmic.exe
Token: SeShutdownPrivilege	2008	wmic.exe
Token: SeDebugPrivilege	2008	wmic.exe
Token: SeSystemEnvironmentPrivilege	2008	wmic.exe
Token: SeRemoteShutdownPrivilege	2008	wmic.exe
Token: SeUndockPrivilege	2008	wmic.exe
Token: SeManageVolumePrivilege	2008	wmic.exe
Token: 33	2008	wmic.exe
Token: 34	2008	wmic.exe
Token: 35	2008	wmic.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe
Token: SeSecurityPrivilege	1584	WMIC.exe
Token: SeTakeOwnershipPrivilege	1584	WMIC.exe
Token: SeLoadDriverPrivilege	1584	WMIC.exe
Token: SeSystemProfilePrivilege	1584	WMIC.exe
Token: SeSystemtimePrivilege	1584	WMIC.exe
Token: SeProfSingleProcessPrivilege	1584	WMIC.exe
Token: SeIncBasePriorityPrivilege	1584	WMIC.exe
Token: SeCreatePagefilePrivilege	1584	WMIC.exe
Token: SeBackupPrivilege	1584	WMIC.exe
Token: SeRestorePrivilege	1584	WMIC.exe
Token: SeShutdownPrivilege	1584	WMIC.exe
Token: SeDebugPrivilege	1584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1584	WMIC.exe
Token: SeRemoteShutdownPrivilege	1584	WMIC.exe
Token: SeUndockPrivilege	1584	WMIC.exe
Token: SeManageVolumePrivilege	1584	WMIC.exe
Token: 33	1584	WMIC.exe
Token: 34	1584	WMIC.exe
Token: 35	1584	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 880	1636	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1636 wrote to memory of 880	1636	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1636 wrote to memory of 880	1636	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1636 wrote to memory of 880	1636	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 880 wrote to memory of 1108	880	voiceadequovl.exe	28
PID 880 wrote to memory of 1108	880	voiceadequovl.exe	28
PID 880 wrote to memory of 1108	880	voiceadequovl.exe	28
PID 880 wrote to memory of 1108	880	voiceadequovl.exe	28
PID 1108 wrote to memory of 912	1108	voiceadequovl.exe	29
PID 1108 wrote to memory of 912	1108	voiceadequovl.exe	29
PID 1108 wrote to memory of 912	1108	voiceadequovl.exe	29
PID 1108 wrote to memory of 912	1108	voiceadequovl.exe	29
PID 1108 wrote to memory of 1336	1108	voiceadequovl.exe	31
PID 1108 wrote to memory of 1336	1108	voiceadequovl.exe	31
PID 1108 wrote to memory of 1336	1108	voiceadequovl.exe	31
PID 1108 wrote to memory of 1336	1108	voiceadequovl.exe	31
PID 1336 wrote to memory of 844	1336	cmd.exe	33
PID 1336 wrote to memory of 844	1336	cmd.exe	33
PID 1336 wrote to memory of 844	1336	cmd.exe	33
PID 1336 wrote to memory of 844	1336	cmd.exe	33
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 1108 wrote to memory of 804	1108	voiceadequovl.exe	34
PID 804 wrote to memory of 2008	804	voiceadequovl.exe	35
PID 804 wrote to memory of 2008	804	voiceadequovl.exe	35
PID 804 wrote to memory of 2008	804	voiceadequovl.exe	35
PID 804 wrote to memory of 2008	804	voiceadequovl.exe	35
PID 804 wrote to memory of 792	804	voiceadequovl.exe	38
PID 804 wrote to memory of 792	804	voiceadequovl.exe	38
PID 804 wrote to memory of 792	804	voiceadequovl.exe	38
PID 804 wrote to memory of 792	804	voiceadequovl.exe	38
PID 792 wrote to memory of 1584	792	cmd.exe	40
PID 792 wrote to memory of 1584	792	cmd.exe	40
PID 792 wrote to memory of 1584	792	cmd.exe	40
PID 792 wrote to memory of 1584	792	cmd.exe	40
PID 804 wrote to memory of 1632	804	voiceadequovl.exe	41
PID 804 wrote to memory of 1632	804	voiceadequovl.exe	41
PID 804 wrote to memory of 1632	804	voiceadequovl.exe	41
PID 804 wrote to memory of 1632	804	voiceadequovl.exe	41
PID 1632 wrote to memory of 1284	1632	cmd.exe	43
PID 1632 wrote to memory of 1284	1632	cmd.exe	43
PID 1632 wrote to memory of 1284	1632	cmd.exe	43
PID 1632 wrote to memory of 1284	1632	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:804
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:792
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
254.0MB

MD5
0af8c11fc74e6c349b0583bc477abb35

SHA1
e7315b7aefc7af70fb73f7f3e0487ea6276af558

SHA256
c4b22747aef21aa0757092f716681557cacf696148b6a91639e0dd85f1750833

SHA512
d8818940edce8e00753d97c1896e3fe5c885be9e6b9b0b9e634212eeaf4b3012c6c815d4623b44836981274f21945190869cfc27635bce29d90a47ef93bebe3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
249.1MB

MD5
a541299db67e787c139af97bdf1f4d9c

SHA1
d67e97dbf7dcbb69588bf6263e66d436b8dd11d7

SHA256
28e78502d52ce117b23263b8dad4259b6c08d34edc8ac11bacc8faa9c9ba49ff

SHA512
7e9acf6b5b95e1b42b77f1489b9ee2b620257b239da0d0aa9ff3c35861d7700a5da859909917825cc7521060a045021097c530a83ec53e378a98097ea8fdc1ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
96ee83ba477ea96a9383debd9f8333f9

SHA1
ca4e5f0c3b8284134931b8c66e20d86ec41143b8

SHA256
b190815e071a464f90441bff84b571b5bf007d7c9568f5e22a2624a95a6aa9c0

SHA512
ec42f4fa0b51b0509943ffae67d7d123e89233b246719bff79eef44e8096e4e30bd655106bdae46a74384dcb8b224a6fa70dd0e7acbb926c7cab7090cda24599

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
218.6MB

MD5
d9584b9239dd7d4d684251785d9ef0ce

SHA1
5258758539d57d93d9f9f985f958c8984807d3ab

SHA256
f4afeeb8a742f5e92ad1893454f37ca2d434fc63f5c0d42eea854305d9c30a8d

SHA512
ec27763cbb74c1e0bf4dee691b0d13cf4a0c11cc78e6afc934d51e4913e1ec1b38c5ebc983205402b318febc31397b7f39e0d846f44c27a820173c44de536c8d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.6MB

MD5
59518f100046ebff41b3d81447ac253b

SHA1
f5bd384ee65dd0d69332d4777fab0f9433508dfa

SHA256
9eb62d33832b222bbeebe8b48213355a3b01c98b5a7b980456fcd341e382ca60

SHA512
029ddcb2bf369a8ca6a9b0d9c4fde6b7d0c7513619ce12908a99180edb75deceffacdfbe12b11d51c9ff7010f5a8bb4d25a2089d14f4b0a6faaa9c3bbf39a0a2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
131.4MB

MD5
072715b36982ecf5dcf743a2e0444857

SHA1
e0033892d4f25cc1a6b6748a963d846b22c8a4ec

SHA256
e898614a9f2b4f7d0b5612d1c3604c35a2605bc5e90e12c179cd1cc097794d6e

SHA512
12eef2f3e1c7a532e5f3c82d8f284b81d2b0d6dacf348d733ed7e36be5eda4bcc677e5b08dc479c7783709cc0ca29714e4825f530120824f45f3ad394df5a59a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
223.9MB

MD5
74efc6baf1034da8305dfb7bf6725687

SHA1
fe43da7ddd34194de07b73ecec9893f181317495

SHA256
eb63177176d66c9a8332404d79f9b8aa3e6d72e5f9eb4123559d2c822f2f78c8

SHA512
10ef5123b118e0430ed094a15e1b088bd7244b419caafd98a13af2043632be75223299ae0b35fbed379fe238a67c021383825c8601e2f7d3834a267155bf6121

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
218.2MB

MD5
7e46f6cc343b9f066dcaf2ae0e78983b

SHA1
9bc31476b0388973c329e97fe882b0ca56d4bf2a

SHA256
826d0b831b44e2a392299dc044cb543902d29a30a8bf44408ba5cb6b2aba7a58

SHA512
62a7978c787526860100e8bc039cc285da8150396b32e8c49970dcc10cf682b381c5258c73250c28d7068b04091561722929218424d6e92e275190a7eaca4a8c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
220.7MB

MD5
4fd44663f64a5f1f52f809ad6256be6c

SHA1
2936c551ae9d092b4c1eeb69ae033dfcc38990d7

SHA256
04e1e051a5302e694f8f4bd98834c4d4482af7b03f5df11ba43911c6e47c10ad

SHA512
97a4ec8d650d296ed7ddcf914ac329efbf60a8188c3dcf810fd509474fc042b1535510f80824b82acf2cacc55cd8b36f05e6111db29ef067f922ca74613865e3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
222.1MB

MD5
a99239d087cfd0c7da41af5dd7b196be

SHA1
71f4e9a87dbc4276a1846d154e6f2623273fae2b

SHA256
15791c728cd8256025144dbd8e6c0bd212e9d85719ada0c2c695c068ee93a312

SHA512
908247bf92de2f730095013d2e07657de2810c6d5b68a54a037ed5b55792d7a306ef421ee474f7bf2397700ec1f63582f618df606bcdc92cac6ffe1bb0e49622

Download Submit
memory/804-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/804-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/844-93-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/844-95-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/880-56-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/912-69-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/912-71-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/912-70-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/1108-66-0x00000000064C0000-0x0000000006860000-memory.dmp

Filesize
3.6MB

Download
memory/1108-74-0x0000000005490000-0x0000000005602000-memory.dmp

Filesize
1.4MB

Download
memory/1108-65-0x00000000009A0000-0x0000000001114000-memory.dmp

Filesize
7.5MB

Download