aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
78s
max time network
74s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/268-66-0x0000000006350000-0x00000000066F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
840	voiceadequovl.exe
268	voiceadequovl.exe
1660	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
840	voiceadequovl.exe
840	voiceadequovl.exe
840	voiceadequovl.exe
840	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 268 set thread context of 1660	268	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	powershell.exe
988	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	voiceadequovl.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeIncreaseQuotaPrivilege	904	wmic.exe
Token: SeSecurityPrivilege	904	wmic.exe
Token: SeTakeOwnershipPrivilege	904	wmic.exe
Token: SeLoadDriverPrivilege	904	wmic.exe
Token: SeSystemProfilePrivilege	904	wmic.exe
Token: SeSystemtimePrivilege	904	wmic.exe
Token: SeProfSingleProcessPrivilege	904	wmic.exe
Token: SeIncBasePriorityPrivilege	904	wmic.exe
Token: SeCreatePagefilePrivilege	904	wmic.exe
Token: SeBackupPrivilege	904	wmic.exe
Token: SeRestorePrivilege	904	wmic.exe
Token: SeShutdownPrivilege	904	wmic.exe
Token: SeDebugPrivilege	904	wmic.exe
Token: SeSystemEnvironmentPrivilege	904	wmic.exe
Token: SeRemoteShutdownPrivilege	904	wmic.exe
Token: SeUndockPrivilege	904	wmic.exe
Token: SeManageVolumePrivilege	904	wmic.exe
Token: 33	904	wmic.exe
Token: 34	904	wmic.exe
Token: 35	904	wmic.exe
Token: SeIncreaseQuotaPrivilege	904	wmic.exe
Token: SeSecurityPrivilege	904	wmic.exe
Token: SeTakeOwnershipPrivilege	904	wmic.exe
Token: SeLoadDriverPrivilege	904	wmic.exe
Token: SeSystemProfilePrivilege	904	wmic.exe
Token: SeSystemtimePrivilege	904	wmic.exe
Token: SeProfSingleProcessPrivilege	904	wmic.exe
Token: SeIncBasePriorityPrivilege	904	wmic.exe
Token: SeCreatePagefilePrivilege	904	wmic.exe
Token: SeBackupPrivilege	904	wmic.exe
Token: SeRestorePrivilege	904	wmic.exe
Token: SeShutdownPrivilege	904	wmic.exe
Token: SeDebugPrivilege	904	wmic.exe
Token: SeSystemEnvironmentPrivilege	904	wmic.exe
Token: SeRemoteShutdownPrivilege	904	wmic.exe
Token: SeUndockPrivilege	904	wmic.exe
Token: SeManageVolumePrivilege	904	wmic.exe
Token: 33	904	wmic.exe
Token: 34	904	wmic.exe
Token: 35	904	wmic.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemProfilePrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeProfSingleProcessPrivilege	956	WMIC.exe
Token: SeIncBasePriorityPrivilege	956	WMIC.exe
Token: SeCreatePagefilePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeDebugPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeRemoteShutdownPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: 33	956	WMIC.exe
Token: 34	956	WMIC.exe
Token: 35	956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 840	1204	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1204 wrote to memory of 840	1204	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1204 wrote to memory of 840	1204	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1204 wrote to memory of 840	1204	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 840 wrote to memory of 268	840	voiceadequovl.exe	28
PID 840 wrote to memory of 268	840	voiceadequovl.exe	28
PID 840 wrote to memory of 268	840	voiceadequovl.exe	28
PID 840 wrote to memory of 268	840	voiceadequovl.exe	28
PID 268 wrote to memory of 1516	268	voiceadequovl.exe	29
PID 268 wrote to memory of 1516	268	voiceadequovl.exe	29
PID 268 wrote to memory of 1516	268	voiceadequovl.exe	29
PID 268 wrote to memory of 1516	268	voiceadequovl.exe	29
PID 268 wrote to memory of 540	268	voiceadequovl.exe	31
PID 268 wrote to memory of 540	268	voiceadequovl.exe	31
PID 268 wrote to memory of 540	268	voiceadequovl.exe	31
PID 268 wrote to memory of 540	268	voiceadequovl.exe	31
PID 540 wrote to memory of 988	540	cmd.exe	33
PID 540 wrote to memory of 988	540	cmd.exe	33
PID 540 wrote to memory of 988	540	cmd.exe	33
PID 540 wrote to memory of 988	540	cmd.exe	33
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 268 wrote to memory of 1660	268	voiceadequovl.exe	34
PID 1660 wrote to memory of 904	1660	voiceadequovl.exe	36
PID 1660 wrote to memory of 904	1660	voiceadequovl.exe	36
PID 1660 wrote to memory of 904	1660	voiceadequovl.exe	36
PID 1660 wrote to memory of 904	1660	voiceadequovl.exe	36
PID 1660 wrote to memory of 1372	1660	voiceadequovl.exe	38
PID 1660 wrote to memory of 1372	1660	voiceadequovl.exe	38
PID 1660 wrote to memory of 1372	1660	voiceadequovl.exe	38
PID 1660 wrote to memory of 1372	1660	voiceadequovl.exe	38
PID 1372 wrote to memory of 956	1372	cmd.exe	40
PID 1372 wrote to memory of 956	1372	cmd.exe	40
PID 1372 wrote to memory of 956	1372	cmd.exe	40
PID 1372 wrote to memory of 956	1372	cmd.exe	40
PID 1660 wrote to memory of 1724	1660	voiceadequovl.exe	41
PID 1660 wrote to memory of 1724	1660	voiceadequovl.exe	41
PID 1660 wrote to memory of 1724	1660	voiceadequovl.exe	41
PID 1660 wrote to memory of 1724	1660	voiceadequovl.exe	41
PID 1724 wrote to memory of 1736	1724	cmd.exe	43
PID 1724 wrote to memory of 1736	1724	cmd.exe	43
PID 1724 wrote to memory of 1736	1724	cmd.exe	43
PID 1724 wrote to memory of 1736	1724	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
200.3MB

MD5
08fcd202abe80d4fa558955e82421ac4

SHA1
4839c2f949bc9eab8666f186def9b8f3f5330b8c

SHA256
1aa2d4033e11c3b00a7aa281e369d10af64fa2a7565bf9c63c5a88686d033e26

SHA512
5df3972d65712d2b605c0b72beb04a8b02f62cb099a75c75a9bbcaa052b52e568a6a9e3cdb7b6d1941eb39c24c9d5fcc4303a41d39a7acc0a24671d3b5954d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
199.3MB

MD5
033f95ce9c62bbddd06fd7f8e3da62fd

SHA1
89d271d2b90cad924fe9e9eae5da57bf340f16b9

SHA256
070cc1ac932a5fe627914b1667f434d85b3e9e9894e1e83d1baa5507a402f7b8

SHA512
96a897c6a3d4e6903c2fbaf6b434e61eb1c53387a0c974ada4214c5a538915dab7b1c032ba1a4267e917ed76954324d3b247024a6fc13db8943c570b2894df52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5a6a0e1db324678a4e90f9af13cf056c

SHA1
9642d8ff34312b2977f85aec493a353a960525f1

SHA256
1582d064083c5c9da18a0b1687f4bfcbf8203855ef7b91fb0b7861a280c5b7b2

SHA512
7ade5845b4610a49145fbed204214c51d8e50d907973ca1b06b29b2a6329f1ee75187fee1d746ea0975c96901cb20d3811c17ac9656d070b1c8becee0b5b392c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
161.2MB

MD5
4f74692a45dcee2ba1a9c81c16873302

SHA1
596c2f86ea6c867a66375128a8c7b974539b38f9

SHA256
49d770ef0b989370d09d168049bb7902b40fba60b7d4ae2d55a530b830962c63

SHA512
fc274aac615fcfa1d6047268a581311f603e30c262f4b3aa4d9a3058fe8d79d93fcbf79db8803a1780cd781781e669929f2bda0e1c295aa54ab5148d7db6c177

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
170.4MB

MD5
2c435856f8690c03d1a9ddae2d005e0f

SHA1
8b68bd4b183db3989d86d293d0dac6e5d1fee4ac

SHA256
51b4077de97f30b8126872362823b30a040a8255025ad0381ca1241487867b71

SHA512
00b75c0b6373b03db5ee5752238a6be8d8fc4d21fc2570ba68c24e213912d0fe45880b45352e62f47966010d1972dda042fe20e6ef2b0dc133d2382f4d0fd875

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
111.1MB

MD5
f5dabd8678302af7d11aa4f5f2246fd1

SHA1
120e486ea6c8b7f8f5f7801529db37f88fd98f24

SHA256
66b2c98e0cbe080e5841648164109fa61388acc10c9ef5794768e653e04bfc26

SHA512
1bbb2c8f9f03be5a98b83499cb97b54184dd9af1ed31b74ce6f5384c8ead86d57ba747525321b03629bde4377bc70a4385bc10fbb892bae22e1e365a2d883cf1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
166.6MB

MD5
2e837922db90303d768b8065a6fa4101

SHA1
85cb3b1c15b8429546df1ff566d8ee263aeffceb

SHA256
87568de346a9d083f6de7bdecb32e839c5da50479544fdfb282bbfc3fa08189e

SHA512
7c0e894e3760afd3333d918b9c19707eac038ecdab72f56bee7488ac75635152b51c70a99722e54afd283efb152898eb1aebf484e5c2cff2c08605da05c51840

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
164.4MB

MD5
42b8f242d4b5c03a3f36f982f9bb2589

SHA1
13157d22cc40b2921bf0d4065b90f7d6fcb56ae5

SHA256
4bcb4e0fc5effb17ad9207cac31f2ffbfc50ca4ffac1c4964408d0243dfd23d7

SHA512
60e25846d15428f16459ef95c19bdfcce65b4d9a721ea241d4431ed6d9fce6666cbd4c11f3040caac3ae7e43a3cb3730bea62d432a55fb97d6437325a3818baa

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
169.9MB

MD5
3a03065b18960d2326a9d423d502cbe8

SHA1
c0888361fef93ff0b0f1f6807278af8513f26a27

SHA256
0e8b10bdd5dd1327a9fbadefc0a0557715049e766b25aec49516b42e0d00de13

SHA512
558c7ddc5c4ae0563b250afc768fef4c081ce5284500ce9ac928ff50aabb8b2cd644774d8de5552ae44f1af32a205250abd7fd24eac999a1044deb74b9234eb8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
166.9MB

MD5
42677575e111230062cc0a34895a852d

SHA1
fbcb0619e016262752cfb4853dda04fefa1ab157

SHA256
9507d6ba1da6cfe6bf2276c84a015d2d9d2856cc8e07e12e143fbe6476d36469

SHA512
b69b820c195d5ab8481d3aaf092f9be25d9d49cd2e275628cde06d48615dd34721948ec102c0b4ba74a838b336ebe6ec362c7383575964e81f09f3e07cec8ed1

Download Submit
memory/268-74-0x0000000005320000-0x0000000005492000-memory.dmp

Filesize
1.4MB

Download
memory/268-66-0x0000000006350000-0x00000000066F0000-memory.dmp

Filesize
3.6MB

Download
memory/268-65-0x0000000000850000-0x0000000000FC4000-memory.dmp

Filesize
7.5MB

Download
memory/840-56-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/988-93-0x000000006F280000-0x000000006F82B000-memory.dmp

Filesize
5.7MB

Download
memory/988-101-0x000000006F280000-0x000000006F82B000-memory.dmp

Filesize
5.7MB

Download
memory/1516-71-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-69-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-70-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1660-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1660-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download