aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
137s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1520-66-0x00000000066E0000-0x0000000006A80000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1692	voiceadequovl.exe
1520	voiceadequovl.exe
1272	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1692	voiceadequovl.exe
1692	voiceadequovl.exe
1692	voiceadequovl.exe
1692	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 1272	1520	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1196	powershell.exe
1188	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1520	voiceadequovl.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeIncreaseQuotaPrivilege	1532	wmic.exe
Token: SeSecurityPrivilege	1532	wmic.exe
Token: SeTakeOwnershipPrivilege	1532	wmic.exe
Token: SeLoadDriverPrivilege	1532	wmic.exe
Token: SeSystemProfilePrivilege	1532	wmic.exe
Token: SeSystemtimePrivilege	1532	wmic.exe
Token: SeProfSingleProcessPrivilege	1532	wmic.exe
Token: SeIncBasePriorityPrivilege	1532	wmic.exe
Token: SeCreatePagefilePrivilege	1532	wmic.exe
Token: SeBackupPrivilege	1532	wmic.exe
Token: SeRestorePrivilege	1532	wmic.exe
Token: SeShutdownPrivilege	1532	wmic.exe
Token: SeDebugPrivilege	1532	wmic.exe
Token: SeSystemEnvironmentPrivilege	1532	wmic.exe
Token: SeRemoteShutdownPrivilege	1532	wmic.exe
Token: SeUndockPrivilege	1532	wmic.exe
Token: SeManageVolumePrivilege	1532	wmic.exe
Token: 33	1532	wmic.exe
Token: 34	1532	wmic.exe
Token: 35	1532	wmic.exe
Token: SeIncreaseQuotaPrivilege	1532	wmic.exe
Token: SeSecurityPrivilege	1532	wmic.exe
Token: SeTakeOwnershipPrivilege	1532	wmic.exe
Token: SeLoadDriverPrivilege	1532	wmic.exe
Token: SeSystemProfilePrivilege	1532	wmic.exe
Token: SeSystemtimePrivilege	1532	wmic.exe
Token: SeProfSingleProcessPrivilege	1532	wmic.exe
Token: SeIncBasePriorityPrivilege	1532	wmic.exe
Token: SeCreatePagefilePrivilege	1532	wmic.exe
Token: SeBackupPrivilege	1532	wmic.exe
Token: SeRestorePrivilege	1532	wmic.exe
Token: SeShutdownPrivilege	1532	wmic.exe
Token: SeDebugPrivilege	1532	wmic.exe
Token: SeSystemEnvironmentPrivilege	1532	wmic.exe
Token: SeRemoteShutdownPrivilege	1532	wmic.exe
Token: SeUndockPrivilege	1532	wmic.exe
Token: SeManageVolumePrivilege	1532	wmic.exe
Token: 33	1532	wmic.exe
Token: 34	1532	wmic.exe
Token: 35	1532	wmic.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1692	1900	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1900 wrote to memory of 1692	1900	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1900 wrote to memory of 1692	1900	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1900 wrote to memory of 1692	1900	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1692 wrote to memory of 1520	1692	voiceadequovl.exe	28
PID 1692 wrote to memory of 1520	1692	voiceadequovl.exe	28
PID 1692 wrote to memory of 1520	1692	voiceadequovl.exe	28
PID 1692 wrote to memory of 1520	1692	voiceadequovl.exe	28
PID 1520 wrote to memory of 1196	1520	voiceadequovl.exe	29
PID 1520 wrote to memory of 1196	1520	voiceadequovl.exe	29
PID 1520 wrote to memory of 1196	1520	voiceadequovl.exe	29
PID 1520 wrote to memory of 1196	1520	voiceadequovl.exe	29
PID 1520 wrote to memory of 1612	1520	voiceadequovl.exe	31
PID 1520 wrote to memory of 1612	1520	voiceadequovl.exe	31
PID 1520 wrote to memory of 1612	1520	voiceadequovl.exe	31
PID 1520 wrote to memory of 1612	1520	voiceadequovl.exe	31
PID 1612 wrote to memory of 1188	1612	cmd.exe	33
PID 1612 wrote to memory of 1188	1612	cmd.exe	33
PID 1612 wrote to memory of 1188	1612	cmd.exe	33
PID 1612 wrote to memory of 1188	1612	cmd.exe	33
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1520 wrote to memory of 1272	1520	voiceadequovl.exe	34
PID 1272 wrote to memory of 1532	1272	voiceadequovl.exe	35
PID 1272 wrote to memory of 1532	1272	voiceadequovl.exe	35
PID 1272 wrote to memory of 1532	1272	voiceadequovl.exe	35
PID 1272 wrote to memory of 1532	1272	voiceadequovl.exe	35
PID 1272 wrote to memory of 544	1272	voiceadequovl.exe	38
PID 1272 wrote to memory of 544	1272	voiceadequovl.exe	38
PID 1272 wrote to memory of 544	1272	voiceadequovl.exe	38
PID 1272 wrote to memory of 544	1272	voiceadequovl.exe	38
PID 544 wrote to memory of 1728	544	cmd.exe	40
PID 544 wrote to memory of 1728	544	cmd.exe	40
PID 544 wrote to memory of 1728	544	cmd.exe	40
PID 544 wrote to memory of 1728	544	cmd.exe	40
PID 1272 wrote to memory of 1984	1272	voiceadequovl.exe	41
PID 1272 wrote to memory of 1984	1272	voiceadequovl.exe	41
PID 1272 wrote to memory of 1984	1272	voiceadequovl.exe	41
PID 1272 wrote to memory of 1984	1272	voiceadequovl.exe	41
PID 1984 wrote to memory of 560	1984	cmd.exe	43
PID 1984 wrote to memory of 560	1984	cmd.exe	43
PID 1984 wrote to memory of 560	1984	cmd.exe	43
PID 1984 wrote to memory of 560	1984	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1196
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1272
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
843c86bb72916281ab2a7af23f1deda6

SHA1
15d8039051329e0417e2708f995c7ff17820b7d1

SHA256
47e7e85ddabfd5b9ba6b81f92f52194e9ffce968479361c5384e6cfb1849b8ae

SHA512
d59ccb712a2db19b1febc58f67659995fe21a1ae8ca1516c3608cdff822a9ad08ab14bcfebccf630844265b39c477414b45b45deba84ffaa5a56cd3eff2fe604

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
212.8MB

MD5
d4e5116e6f2441d785661926b71905e5

SHA1
bd4415146056624f9751bca5caa2b80fb9e09ccd

SHA256
479493c46d0a0548109fee3287e90059b472f2bc75efba542d88f0184b8aa46d

SHA512
eaf731f0ee7eb122fad4eec43289918bfb2fdf67b8d219205b487d4483e2c1b5a6926ba3c72983f0017d773b6c8f0b0b8aba1fe0f2646d9a3a9d8267ce469732

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
212.2MB

MD5
d69c66bebe946a210941f02b2a475c19

SHA1
68f86bb0d06e5bfcc0f571bdfb72e92be2c5a105

SHA256
365c968b9cb4d1f1a26dc45ad55787182712319617e8bb2e4c6a49e7d6e9878b

SHA512
abad4648e363cd6ad57132a25b04b918d6c311c384fe1bec628df0a53df5bd4fde3d82db3291cc8201b5d1efc819312b8996430875994e986d0b402cd267613b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
63.2MB

MD5
8a8a8970c7ab8d24980a5987f1a53e43

SHA1
c94d588b8ec297f06cf17a0ef81d3f490c68ccf2

SHA256
30a4500144b5b0ae3a27f5b65efb705656007695610d0106279927a0cf9005be

SHA512
d64b9147d451c6a1a428a681629a33a98110b6865e2d5c74843f37b3e1c56a89f0566bbb46ced8f749b098c95a2a2c11f0b891f22b68549b2e4b855861326286

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
210.2MB

MD5
4a9c4a5aeed110ee25b8c58f60e4e479

SHA1
76df73b2865edd261875dcfae7b14e7382cc37b8

SHA256
fa8d56fb8c3f2249e2881caf806e5963409aa5386f7652a2130a8eb128ef6c7c

SHA512
ff3af842c9a194e27e7b1f279f35367e4fd1ce265ca394f6abf9a452bcef96de77fda7d6365e410d3e7cbb38f3d9dfde602054995534bab03d3841ba0a52d88b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
219.0MB

MD5
1875e8356ae6fe9c3bbeba2a47d6c8db

SHA1
966d7f9497ec531ab2dcff145a6c0d5d98021956

SHA256
e94217fc43aec36311bc3f8fcc830a5bfdc8fe0796fc1f693991629f7c5a9506

SHA512
8ac5819fd71c6725f2a9a1dd682a05d6587606ebc725d9c2c7000a52a7f0dda471dcd4cab061026bcfbcd9bf173ca71ac272394e4492a2c3008b076a20fa158e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
220.8MB

MD5
04a6aa97eb31213048e722122504cd96

SHA1
e33989a43ca7c1d820975f128e52b1f9095d1a12

SHA256
342b2922a163c9c2df35393c161823470af4231c75a28f201f246bb959ec0778

SHA512
3d69eb7fc91837768291c21e309f81f8902b9b03896f43e3fc03fc6f603b7fd7c804c9aa4ea885fa3ae51b3e16eed1d932e485c06210a2a4712af6d03803c046

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.7MB

MD5
0a63fbd0c9f5471b97b7de491978208e

SHA1
536754b16bc60b7fc6a705380ff796e7f6b064a9

SHA256
bdceee0b2ee3aa04c2b90c891e8d1fe46b3316ecf1de31502e0f7ac6991dad45

SHA512
b2c461437b85b5be916f3e95c9565a85284c8589128b5a789e0224d6f356ff88a7ef4771aaf070e4c580fe892c64bc2d51174e625dc909f366c0f21b4ab34525

Download Submit
memory/1188-92-0x000000006F520000-0x000000006FACB000-memory.dmp

Filesize
5.7MB

Download
memory/1188-84-0x000000006F520000-0x000000006FACB000-memory.dmp

Filesize
5.7MB

Download
memory/1196-69-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-70-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-71-0x000000006F7A0000-0x000000006FD4B000-memory.dmp

Filesize
5.7MB

Download
memory/1272-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-102-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1272-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1520-73-0x00000000055B0000-0x0000000005722000-memory.dmp

Filesize
1.4MB

Download
memory/1520-65-0x0000000001330000-0x0000000001AA4000-memory.dmp

Filesize
7.5MB

Download
memory/1520-66-0x00000000066E0000-0x0000000006A80000-memory.dmp

Filesize
3.6MB

Download
memory/1692-56-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download