aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
103s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1444-66-0x00000000066A0000-0x0000000006A40000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1092	voiceadequovl.exe
1444	voiceadequovl.exe
1572	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1092	voiceadequovl.exe
1092	voiceadequovl.exe
1092	voiceadequovl.exe
1092	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 1572	1444	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1100	powershell.exe
1560	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	voiceadequovl.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeIncreaseQuotaPrivilege	1468	wmic.exe
Token: SeSecurityPrivilege	1468	wmic.exe
Token: SeTakeOwnershipPrivilege	1468	wmic.exe
Token: SeLoadDriverPrivilege	1468	wmic.exe
Token: SeSystemProfilePrivilege	1468	wmic.exe
Token: SeSystemtimePrivilege	1468	wmic.exe
Token: SeProfSingleProcessPrivilege	1468	wmic.exe
Token: SeIncBasePriorityPrivilege	1468	wmic.exe
Token: SeCreatePagefilePrivilege	1468	wmic.exe
Token: SeBackupPrivilege	1468	wmic.exe
Token: SeRestorePrivilege	1468	wmic.exe
Token: SeShutdownPrivilege	1468	wmic.exe
Token: SeDebugPrivilege	1468	wmic.exe
Token: SeSystemEnvironmentPrivilege	1468	wmic.exe
Token: SeRemoteShutdownPrivilege	1468	wmic.exe
Token: SeUndockPrivilege	1468	wmic.exe
Token: SeManageVolumePrivilege	1468	wmic.exe
Token: 33	1468	wmic.exe
Token: 34	1468	wmic.exe
Token: 35	1468	wmic.exe
Token: SeIncreaseQuotaPrivilege	1468	wmic.exe
Token: SeSecurityPrivilege	1468	wmic.exe
Token: SeTakeOwnershipPrivilege	1468	wmic.exe
Token: SeLoadDriverPrivilege	1468	wmic.exe
Token: SeSystemProfilePrivilege	1468	wmic.exe
Token: SeSystemtimePrivilege	1468	wmic.exe
Token: SeProfSingleProcessPrivilege	1468	wmic.exe
Token: SeIncBasePriorityPrivilege	1468	wmic.exe
Token: SeCreatePagefilePrivilege	1468	wmic.exe
Token: SeBackupPrivilege	1468	wmic.exe
Token: SeRestorePrivilege	1468	wmic.exe
Token: SeShutdownPrivilege	1468	wmic.exe
Token: SeDebugPrivilege	1468	wmic.exe
Token: SeSystemEnvironmentPrivilege	1468	wmic.exe
Token: SeRemoteShutdownPrivilege	1468	wmic.exe
Token: SeUndockPrivilege	1468	wmic.exe
Token: SeManageVolumePrivilege	1468	wmic.exe
Token: 33	1468	wmic.exe
Token: 34	1468	wmic.exe
Token: 35	1468	wmic.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe
Token: SeSecurityPrivilege	1584	WMIC.exe
Token: SeTakeOwnershipPrivilege	1584	WMIC.exe
Token: SeLoadDriverPrivilege	1584	WMIC.exe
Token: SeSystemProfilePrivilege	1584	WMIC.exe
Token: SeSystemtimePrivilege	1584	WMIC.exe
Token: SeProfSingleProcessPrivilege	1584	WMIC.exe
Token: SeIncBasePriorityPrivilege	1584	WMIC.exe
Token: SeCreatePagefilePrivilege	1584	WMIC.exe
Token: SeBackupPrivilege	1584	WMIC.exe
Token: SeRestorePrivilege	1584	WMIC.exe
Token: SeShutdownPrivilege	1584	WMIC.exe
Token: SeDebugPrivilege	1584	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1584	WMIC.exe
Token: SeRemoteShutdownPrivilege	1584	WMIC.exe
Token: SeUndockPrivilege	1584	WMIC.exe
Token: SeManageVolumePrivilege	1584	WMIC.exe
Token: 33	1584	WMIC.exe
Token: 34	1584	WMIC.exe
Token: 35	1584	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1584	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 1092	1644	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1644 wrote to memory of 1092	1644	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1644 wrote to memory of 1092	1644	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1644 wrote to memory of 1092	1644	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1092 wrote to memory of 1444	1092	voiceadequovl.exe	28
PID 1092 wrote to memory of 1444	1092	voiceadequovl.exe	28
PID 1092 wrote to memory of 1444	1092	voiceadequovl.exe	28
PID 1092 wrote to memory of 1444	1092	voiceadequovl.exe	28
PID 1444 wrote to memory of 1100	1444	voiceadequovl.exe	29
PID 1444 wrote to memory of 1100	1444	voiceadequovl.exe	29
PID 1444 wrote to memory of 1100	1444	voiceadequovl.exe	29
PID 1444 wrote to memory of 1100	1444	voiceadequovl.exe	29
PID 1444 wrote to memory of 524	1444	voiceadequovl.exe	31
PID 1444 wrote to memory of 524	1444	voiceadequovl.exe	31
PID 1444 wrote to memory of 524	1444	voiceadequovl.exe	31
PID 1444 wrote to memory of 524	1444	voiceadequovl.exe	31
PID 524 wrote to memory of 1560	524	cmd.exe	33
PID 524 wrote to memory of 1560	524	cmd.exe	33
PID 524 wrote to memory of 1560	524	cmd.exe	33
PID 524 wrote to memory of 1560	524	cmd.exe	33
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1444 wrote to memory of 1572	1444	voiceadequovl.exe	34
PID 1572 wrote to memory of 1468	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1468	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1468	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1468	1572	voiceadequovl.exe	35
PID 1572 wrote to memory of 1532	1572	voiceadequovl.exe	39
PID 1572 wrote to memory of 1532	1572	voiceadequovl.exe	39
PID 1572 wrote to memory of 1532	1572	voiceadequovl.exe	39
PID 1572 wrote to memory of 1532	1572	voiceadequovl.exe	39
PID 1532 wrote to memory of 1584	1532	cmd.exe	40
PID 1532 wrote to memory of 1584	1532	cmd.exe	40
PID 1532 wrote to memory of 1584	1532	cmd.exe	40
PID 1532 wrote to memory of 1584	1532	cmd.exe	40
PID 1572 wrote to memory of 112	1572	voiceadequovl.exe	41
PID 1572 wrote to memory of 112	1572	voiceadequovl.exe	41
PID 1572 wrote to memory of 112	1572	voiceadequovl.exe	41
PID 1572 wrote to memory of 112	1572	voiceadequovl.exe	41
PID 112 wrote to memory of 1332	112	cmd.exe	43
PID 112 wrote to memory of 1332	112	cmd.exe	43
PID 112 wrote to memory of 1332	112	cmd.exe	43
PID 112 wrote to memory of 1332	112	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:524
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1532
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:112
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
245.4MB

MD5
e089f9d7e65b87bda8170919a383a353

SHA1
a810cf15350b0b9ad62ad94242195e125c5e5e7a

SHA256
49a991dc8487b956d490f08d631b8318fdd75dc1e18246ee4127fd58af7633ed

SHA512
d07fde9b2e73a4083f45ada65e7f94498f3cc4cab1ae859badae5c5d224edc270a1e8ced0ae6699cdbd3da9854df5b9b3d93993aa435aabdb6b817455915ef7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
239.3MB

MD5
7c05a45332b086da12d90585f90c3c70

SHA1
0c087774964762e93fdda44672fb0dae1a7cc77f

SHA256
14c1c172f20ba6e9ddcfea8328f7f98fdd094f0fb332dd58775465aa79a1809c

SHA512
b114d85cab1238ecb55168f53398ec344699f6077f55d03db2676757fb9799f7857d3221e47242db44bc24da53d51d35c056d3a0148a5ec5db2a3f167bbb057d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ef9a9b34368bd15a53a992420326aba8

SHA1
88a6b414e4d704178000addd5cb64c0efd87e130

SHA256
8a909dd6c7bfdf6c1261c45a063e0fb4f322ade526b06cdfcc953df8f0959fc3

SHA512
271cff2c2cf43eb50b9cf36f66393ebbe8075a41e1df37d7822300571a9b09c83af8c9f888ec46703c1b89a670c6eead3495841a638e878f49a2c74e559e8972

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
218.0MB

MD5
a22a5751f3aa2eae28d5dab239056219

SHA1
bbc115343ebdd66292144ba528b42c8a521af354

SHA256
6b76cd6e00b58c0bd7fd117e3c86caaa78e69e93067108d37ba10b70ce736402

SHA512
fa9d57e9856dc3e48edc8bf2f0bdc79b6cc6ee2d770405d4f29063875633b1e99fa925fe5b9aca235eccefa3c163da2febcece7bc0610ede6f4d351f2cb6b557

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
222.8MB

MD5
5f274ca42843e23fb7c6551b5945e77b

SHA1
405fd041d8906665309366d41df33829d49b4413

SHA256
8d66bf1e823b6de909f776c54499fec4924c48839c5fe6df61e1f39813845d41

SHA512
b479f095d5d4889a9316613659ee41f11c2ba5a3ace2c64d7880fd4fc9a1253f2c0b225ffb23d98456a17bcf06a2ead27a1cf2e6f4c744805a650be7334a9896

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
94.7MB

MD5
93ef81d660880e4d49a09726d12b8b6e

SHA1
a222f48217e1128b8247894598fa34cf5b38b685

SHA256
bed009bea0ae87956c1af3519ca33929087ee66b427c72de2bccc56ed9525b99

SHA512
b84dddc20d33f64359768be5cc271d7368eb3c0650ce5d03402c2cb11967b8c250e91816d587ef1c5a7c8ebec1c85df33e22c2a32d7b2585b8e6f173287e9f0e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
227.1MB

MD5
a349e52b02efac0a1a99991b39ce49c7

SHA1
9ffa7bd39fc13a668212c8caca13b7de7c2b1e1c

SHA256
f8904a6e15b1707e1c187b97acea3568abedd38be2b822600af703a48a4e700e

SHA512
4b48e5528163555a941c65b8444d6dfd5ea546f854e8528347973dc959f17e221fee15c6c37c41986f750d652ebbae5601bfa0abfb8987c60704725c7369c7b3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
214.8MB

MD5
985e39b4d4fb9aea11df9a7d05cd3fbc

SHA1
6ed2e5003892b76b09e61618e2812a5929e265eb

SHA256
d23cd4cd44ac00d44115e68958bf24e1db93116fab0b7214ef456cafaf04bb72

SHA512
1930936c081a80af840e1c54193a0946d1cec0f643b87ff2cd12d3d48c1bf8789ff5aa16bc6ea006bf73e24f42734de853e732c88a3212d7b114cc5a4d16035f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
221.8MB

MD5
90e7c8111992d356c60975cf0907f333

SHA1
bacef1cad47e4cc3623813848dbe7a12ed5ab260

SHA256
7cd61473450b9b764bbabb1fc1f5ba2c03ac05a52b211cc168fca87c4875b684

SHA512
e2e0a251a72718bf38c4ca1f2194405908b52e75466adf09860c1ba444d6290bda928802c308c0cbdf0a24c5c39cfc6a84f923e270b11dc5194483d3ac10fcae

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
226.3MB

MD5
8594f5b69c6e88150a86beaa456e74a6

SHA1
4f2ca01c37381494f547b7e8f915bab450e4b61d

SHA256
088a474e61cb61dea884589e8b161c87102b4f531d89ecd16a7ddbd9dd1dbf5e

SHA512
093402b503790998de21b5ecaf77085e3c974ff4ef1db65870c108c8f9df3a71c671b99fd40e13b554ae115e03c7e343abc51a167f42f6caa0066f23cde46fff

Download Submit
memory/1092-56-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1100-69-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-70-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1100-71-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1444-73-0x00000000054E0000-0x0000000005652000-memory.dmp

Filesize
1.4MB

Download
memory/1444-66-0x00000000066A0000-0x0000000006A40000-memory.dmp

Filesize
3.6MB

Download
memory/1444-65-0x0000000001050000-0x00000000017C4000-memory.dmp

Filesize
7.5MB

Download
memory/1560-77-0x000000006FE90000-0x000000007043B000-memory.dmp

Filesize
5.7MB

Download
memory/1560-95-0x000000006FE90000-0x000000007043B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1572-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download