aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
89s
max time network
93s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1608-66-0x0000000006580000-0x0000000006920000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
2020	voiceadequovl.exe
1608	voiceadequovl.exe
660	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2020	voiceadequovl.exe
2020	voiceadequovl.exe
2020	voiceadequovl.exe
2020	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1608 set thread context of 660	1608	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1184	powershell.exe
956	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	voiceadequovl.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeIncreaseQuotaPrivilege	768	wmic.exe
Token: SeSecurityPrivilege	768	wmic.exe
Token: SeTakeOwnershipPrivilege	768	wmic.exe
Token: SeLoadDriverPrivilege	768	wmic.exe
Token: SeSystemProfilePrivilege	768	wmic.exe
Token: SeSystemtimePrivilege	768	wmic.exe
Token: SeProfSingleProcessPrivilege	768	wmic.exe
Token: SeIncBasePriorityPrivilege	768	wmic.exe
Token: SeCreatePagefilePrivilege	768	wmic.exe
Token: SeBackupPrivilege	768	wmic.exe
Token: SeRestorePrivilege	768	wmic.exe
Token: SeShutdownPrivilege	768	wmic.exe
Token: SeDebugPrivilege	768	wmic.exe
Token: SeSystemEnvironmentPrivilege	768	wmic.exe
Token: SeRemoteShutdownPrivilege	768	wmic.exe
Token: SeUndockPrivilege	768	wmic.exe
Token: SeManageVolumePrivilege	768	wmic.exe
Token: 33	768	wmic.exe
Token: 34	768	wmic.exe
Token: 35	768	wmic.exe
Token: SeIncreaseQuotaPrivilege	768	wmic.exe
Token: SeSecurityPrivilege	768	wmic.exe
Token: SeTakeOwnershipPrivilege	768	wmic.exe
Token: SeLoadDriverPrivilege	768	wmic.exe
Token: SeSystemProfilePrivilege	768	wmic.exe
Token: SeSystemtimePrivilege	768	wmic.exe
Token: SeProfSingleProcessPrivilege	768	wmic.exe
Token: SeIncBasePriorityPrivilege	768	wmic.exe
Token: SeCreatePagefilePrivilege	768	wmic.exe
Token: SeBackupPrivilege	768	wmic.exe
Token: SeRestorePrivilege	768	wmic.exe
Token: SeShutdownPrivilege	768	wmic.exe
Token: SeDebugPrivilege	768	wmic.exe
Token: SeSystemEnvironmentPrivilege	768	wmic.exe
Token: SeRemoteShutdownPrivilege	768	wmic.exe
Token: SeUndockPrivilege	768	wmic.exe
Token: SeManageVolumePrivilege	768	wmic.exe
Token: 33	768	wmic.exe
Token: 34	768	wmic.exe
Token: 35	768	wmic.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe
Token: SeSecurityPrivilege	1592	WMIC.exe
Token: SeTakeOwnershipPrivilege	1592	WMIC.exe
Token: SeLoadDriverPrivilege	1592	WMIC.exe
Token: SeSystemProfilePrivilege	1592	WMIC.exe
Token: SeSystemtimePrivilege	1592	WMIC.exe
Token: SeProfSingleProcessPrivilege	1592	WMIC.exe
Token: SeIncBasePriorityPrivilege	1592	WMIC.exe
Token: SeCreatePagefilePrivilege	1592	WMIC.exe
Token: SeBackupPrivilege	1592	WMIC.exe
Token: SeRestorePrivilege	1592	WMIC.exe
Token: SeShutdownPrivilege	1592	WMIC.exe
Token: SeDebugPrivilege	1592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1592	WMIC.exe
Token: SeRemoteShutdownPrivilege	1592	WMIC.exe
Token: SeUndockPrivilege	1592	WMIC.exe
Token: SeManageVolumePrivilege	1592	WMIC.exe
Token: 33	1592	WMIC.exe
Token: 34	1592	WMIC.exe
Token: 35	1592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1592	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 2020	1516	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1516 wrote to memory of 2020	1516	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1516 wrote to memory of 2020	1516	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1516 wrote to memory of 2020	1516	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 2020 wrote to memory of 1608	2020	voiceadequovl.exe	28
PID 2020 wrote to memory of 1608	2020	voiceadequovl.exe	28
PID 2020 wrote to memory of 1608	2020	voiceadequovl.exe	28
PID 2020 wrote to memory of 1608	2020	voiceadequovl.exe	28
PID 1608 wrote to memory of 1184	1608	voiceadequovl.exe	29
PID 1608 wrote to memory of 1184	1608	voiceadequovl.exe	29
PID 1608 wrote to memory of 1184	1608	voiceadequovl.exe	29
PID 1608 wrote to memory of 1184	1608	voiceadequovl.exe	29
PID 1608 wrote to memory of 1028	1608	voiceadequovl.exe	32
PID 1608 wrote to memory of 1028	1608	voiceadequovl.exe	32
PID 1608 wrote to memory of 1028	1608	voiceadequovl.exe	32
PID 1608 wrote to memory of 1028	1608	voiceadequovl.exe	32
PID 1028 wrote to memory of 956	1028	cmd.exe	33
PID 1028 wrote to memory of 956	1028	cmd.exe	33
PID 1028 wrote to memory of 956	1028	cmd.exe	33
PID 1028 wrote to memory of 956	1028	cmd.exe	33
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 1608 wrote to memory of 660	1608	voiceadequovl.exe	34
PID 660 wrote to memory of 768	660	voiceadequovl.exe	35
PID 660 wrote to memory of 768	660	voiceadequovl.exe	35
PID 660 wrote to memory of 768	660	voiceadequovl.exe	35
PID 660 wrote to memory of 768	660	voiceadequovl.exe	35
PID 660 wrote to memory of 1684	660	voiceadequovl.exe	38
PID 660 wrote to memory of 1684	660	voiceadequovl.exe	38
PID 660 wrote to memory of 1684	660	voiceadequovl.exe	38
PID 660 wrote to memory of 1684	660	voiceadequovl.exe	38
PID 1684 wrote to memory of 1592	1684	cmd.exe	40
PID 1684 wrote to memory of 1592	1684	cmd.exe	40
PID 1684 wrote to memory of 1592	1684	cmd.exe	40
PID 1684 wrote to memory of 1592	1684	cmd.exe	40
PID 660 wrote to memory of 944	660	voiceadequovl.exe	43
PID 660 wrote to memory of 944	660	voiceadequovl.exe	43
PID 660 wrote to memory of 944	660	voiceadequovl.exe	43
PID 660 wrote to memory of 944	660	voiceadequovl.exe	43
PID 944 wrote to memory of 1644	944	cmd.exe	42
PID 944 wrote to memory of 1644	944	cmd.exe	42
PID 944 wrote to memory of 1644	944	cmd.exe	42
PID 944 wrote to memory of 1644	944	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:944

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
236.4MB

MD5
b6e5272cf9a4eb78d565d55927a70c6f

SHA1
a662864217dd6a06a8aa0ce394f81017a3618268

SHA256
167bd83f98195b1fa99f2fdd9ad12f14896b5a37cdf3f655cbe33c0e73cb84c3

SHA512
f8dccdbe7aac0d8a265c10dd7fa9c3f56f2b8e795eb7cd104982f6c0c25d99d944639da5f8bd6e114857668eeba0c30b4e3c8c3d23759810c8ffcb9d78d1bebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
225.7MB

MD5
ba9b669562cb546341c7d4385fa9089d

SHA1
be1fef2af2c3f05a74c03c6d72d665dc049bfb86

SHA256
a0f106b61c99f2a1f855cd2ea8219c911b147272cbff355b617d7988d6962a72

SHA512
2c45213930221e29e35f888bb926513184bb4bc86ccb05810468bca97a1589e7c23c7e98a2cb9d2de33fb77c443f2a0ab0f7fba00009054df8f4c65d3403f96c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9d2a748c3024e751b66176534f90b7a2

SHA1
7df2fb9f1a8a2971b2cea7bc4476f709d2b3351a

SHA256
290e727f8e27a9503481e9d689fb733bb33d337a31cda128d77d3dce8132ffaa

SHA512
3d9988662c03a2403b6bc4224fd2a27d3f4264a952536616fa9cb92df1c37a592bd0310e549c56db41810e6e0155a7cf25ade3f3dae082fc57532b6f684485e0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
164.6MB

MD5
629a7134a5ad106df98e2602d263479f

SHA1
a5f6094f6a81303a46a44bf03a9ca89355e8402c

SHA256
01800b9b235040b3e7e866d8e8319e95a988ae50d682ab2546c79db8a4c0d50b

SHA512
6f02a6757841f50cccd7c9aa26f51c7b3864e585022c9bb230383bcd580659b50b228afbb03900e4c88a7bfd4725693fc04c358495c88fe006a30c4167c4b462

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
162.8MB

MD5
5e9379369af1529f8ba8c18d81705c6d

SHA1
f8725a0a080cbcbc784cfe701ff128c31ea4847f

SHA256
b4ec27049f86ca4a466a3b06111e16c16fdcabb784adc4ce3c73fe586dacb163

SHA512
d182bd5914f8b399da705dd6967bb36371da50d0f028706deb643adf53dc5cfe036ce8ea3ac6b273499abc6d1d07ad72e4ae6f8c9a8959599534f0dd9b1d1751

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
50.3MB

MD5
02002993c771cf33dfb3beeb850801f0

SHA1
e5c6046a8273815b48c595595fbffdcc4eaed894

SHA256
3cb1d52d2ce804cf6281e20d31bea8218a389283b3593094923fc9dcf5772d99

SHA512
262368d60caeeae7ef3eca0e92c60140459b9f90a9c5e35a21765ca93a49512490a4a3fff28659b8b1acaff6eabc53b788b27bac0c7ea8cb32381c2751ba3161

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
169.3MB

MD5
b00fb80485b3cfe9b5d0c0ff60e71aac

SHA1
db4794cd0ee67f1a38c1692456ed9b9207fc5d3d

SHA256
f63510b55e94746bcf7f6a8e252e82f804c09cd89c675f5e4ecaf79b9a273c6e

SHA512
91d731a9befc67a6eca2367134fda11654ad42b49c2ae96a2cf9cd7686adb104a9babf47aa570b0f59b25245b40319288200ca580c48fe5c35bea969e410f607

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
165.7MB

MD5
e26239edf4658362b1e28d45215b9a9e

SHA1
84cb54c76e0e0e5ab32a6ab967902ee0d89b0a9b

SHA256
48aaf8c768c9492b9d0213c0ef8340e109367684fa2283c681bc5c0fb68f81ff

SHA512
e13c246857fd335098156e30110724568a81f5ed2ebc446407ba11f86b634c6438f1e2efcf405c4ac07ad1a150dc4e0a75b69fd61aeade1ce390bc0738653532

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
157.7MB

MD5
ba93392c90e163d76c64a9a077b2eb8b

SHA1
96984be6f4f5bdd24553bbd49c10e260173f427e

SHA256
2d05af1cd4a944f9cbdc925d3f28d26f6c69560b9e4d4c35702cfd7153498d4a

SHA512
34e39e7d7882943bf3fc72d2f5019404a5b5670cc44e1f08ddfb3b7915c7735762a45895b65b10fb4422e3fb51ebde81b52f58230f3e3c0cdb6241cdb8f15fee

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
166.5MB

MD5
3a1bf74ae2c299b807471f6023c07315

SHA1
dc1a6e4c6c265cd84ff6e68201f0d41fe141ffd4

SHA256
f6c106149ccfe612f885985e3fdcfee409c78a6cb74bb139f9f83e4cf1f4fe5d

SHA512
8ca31a4e97c5a041492693417788fee8f8523cc6b860c92f371926635b9d15fdc58def82bfb8a0a93e483756992c38a045a0fb5eb44e60f8b6927e20ba85c8e7

Download Submit
memory/660-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/660-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/956-92-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/956-95-0x000000006F780000-0x000000006FD2B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-69-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-71-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1184-70-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1608-75-0x0000000005330000-0x00000000054A2000-memory.dmp

Filesize
1.4MB

Download
memory/1608-66-0x0000000006580000-0x0000000006920000-memory.dmp

Filesize
3.6MB

Download
memory/1608-65-0x0000000000F80000-0x00000000016F4000-memory.dmp

Filesize
7.5MB

Download
memory/2020-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download