aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
73s
max time network
76s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1532-66-0x0000000006610000-0x00000000069B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1964	voiceadequovl.exe
1532	voiceadequovl.exe
704	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1964	voiceadequovl.exe
1964	voiceadequovl.exe
1964	voiceadequovl.exe
1964	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1532 set thread context of 704	1532	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
608	powershell.exe
952	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	voiceadequovl.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeIncreaseQuotaPrivilege	284	wmic.exe
Token: SeSecurityPrivilege	284	wmic.exe
Token: SeTakeOwnershipPrivilege	284	wmic.exe
Token: SeLoadDriverPrivilege	284	wmic.exe
Token: SeSystemProfilePrivilege	284	wmic.exe
Token: SeSystemtimePrivilege	284	wmic.exe
Token: SeProfSingleProcessPrivilege	284	wmic.exe
Token: SeIncBasePriorityPrivilege	284	wmic.exe
Token: SeCreatePagefilePrivilege	284	wmic.exe
Token: SeBackupPrivilege	284	wmic.exe
Token: SeRestorePrivilege	284	wmic.exe
Token: SeShutdownPrivilege	284	wmic.exe
Token: SeDebugPrivilege	284	wmic.exe
Token: SeSystemEnvironmentPrivilege	284	wmic.exe
Token: SeRemoteShutdownPrivilege	284	wmic.exe
Token: SeUndockPrivilege	284	wmic.exe
Token: SeManageVolumePrivilege	284	wmic.exe
Token: 33	284	wmic.exe
Token: 34	284	wmic.exe
Token: 35	284	wmic.exe
Token: SeIncreaseQuotaPrivilege	284	wmic.exe
Token: SeSecurityPrivilege	284	wmic.exe
Token: SeTakeOwnershipPrivilege	284	wmic.exe
Token: SeLoadDriverPrivilege	284	wmic.exe
Token: SeSystemProfilePrivilege	284	wmic.exe
Token: SeSystemtimePrivilege	284	wmic.exe
Token: SeProfSingleProcessPrivilege	284	wmic.exe
Token: SeIncBasePriorityPrivilege	284	wmic.exe
Token: SeCreatePagefilePrivilege	284	wmic.exe
Token: SeBackupPrivilege	284	wmic.exe
Token: SeRestorePrivilege	284	wmic.exe
Token: SeShutdownPrivilege	284	wmic.exe
Token: SeDebugPrivilege	284	wmic.exe
Token: SeSystemEnvironmentPrivilege	284	wmic.exe
Token: SeRemoteShutdownPrivilege	284	wmic.exe
Token: SeUndockPrivilege	284	wmic.exe
Token: SeManageVolumePrivilege	284	wmic.exe
Token: 33	284	wmic.exe
Token: 34	284	wmic.exe
Token: 35	284	wmic.exe
Token: SeIncreaseQuotaPrivilege	1240	WMIC.exe
Token: SeSecurityPrivilege	1240	WMIC.exe
Token: SeTakeOwnershipPrivilege	1240	WMIC.exe
Token: SeLoadDriverPrivilege	1240	WMIC.exe
Token: SeSystemProfilePrivilege	1240	WMIC.exe
Token: SeSystemtimePrivilege	1240	WMIC.exe
Token: SeProfSingleProcessPrivilege	1240	WMIC.exe
Token: SeIncBasePriorityPrivilege	1240	WMIC.exe
Token: SeCreatePagefilePrivilege	1240	WMIC.exe
Token: SeBackupPrivilege	1240	WMIC.exe
Token: SeRestorePrivilege	1240	WMIC.exe
Token: SeShutdownPrivilege	1240	WMIC.exe
Token: SeDebugPrivilege	1240	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1240	WMIC.exe
Token: SeRemoteShutdownPrivilege	1240	WMIC.exe
Token: SeUndockPrivilege	1240	WMIC.exe
Token: SeManageVolumePrivilege	1240	WMIC.exe
Token: 33	1240	WMIC.exe
Token: 34	1240	WMIC.exe
Token: 35	1240	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1240	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 1964	1260	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1260 wrote to memory of 1964	1260	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1260 wrote to memory of 1964	1260	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1260 wrote to memory of 1964	1260	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1964 wrote to memory of 1532	1964	voiceadequovl.exe	28
PID 1964 wrote to memory of 1532	1964	voiceadequovl.exe	28
PID 1964 wrote to memory of 1532	1964	voiceadequovl.exe	28
PID 1964 wrote to memory of 1532	1964	voiceadequovl.exe	28
PID 1532 wrote to memory of 608	1532	voiceadequovl.exe	30
PID 1532 wrote to memory of 608	1532	voiceadequovl.exe	30
PID 1532 wrote to memory of 608	1532	voiceadequovl.exe	30
PID 1532 wrote to memory of 608	1532	voiceadequovl.exe	30
PID 1532 wrote to memory of 1180	1532	voiceadequovl.exe	31
PID 1532 wrote to memory of 1180	1532	voiceadequovl.exe	31
PID 1532 wrote to memory of 1180	1532	voiceadequovl.exe	31
PID 1532 wrote to memory of 1180	1532	voiceadequovl.exe	31
PID 1180 wrote to memory of 952	1180	cmd.exe	33
PID 1180 wrote to memory of 952	1180	cmd.exe	33
PID 1180 wrote to memory of 952	1180	cmd.exe	33
PID 1180 wrote to memory of 952	1180	cmd.exe	33
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 1532 wrote to memory of 704	1532	voiceadequovl.exe	34
PID 704 wrote to memory of 284	704	voiceadequovl.exe	35
PID 704 wrote to memory of 284	704	voiceadequovl.exe	35
PID 704 wrote to memory of 284	704	voiceadequovl.exe	35
PID 704 wrote to memory of 284	704	voiceadequovl.exe	35
PID 704 wrote to memory of 1096	704	voiceadequovl.exe	38
PID 704 wrote to memory of 1096	704	voiceadequovl.exe	38
PID 704 wrote to memory of 1096	704	voiceadequovl.exe	38
PID 704 wrote to memory of 1096	704	voiceadequovl.exe	38
PID 1096 wrote to memory of 1240	1096	cmd.exe	40
PID 1096 wrote to memory of 1240	1096	cmd.exe	40
PID 1096 wrote to memory of 1240	1096	cmd.exe	40
PID 1096 wrote to memory of 1240	1096	cmd.exe	40
PID 704 wrote to memory of 1592	704	voiceadequovl.exe	41
PID 704 wrote to memory of 1592	704	voiceadequovl.exe	41
PID 704 wrote to memory of 1592	704	voiceadequovl.exe	41
PID 704 wrote to memory of 1592	704	voiceadequovl.exe	41
PID 1592 wrote to memory of 2036	1592	cmd.exe	43
PID 1592 wrote to memory of 2036	1592	cmd.exe	43
PID 1592 wrote to memory of 2036	1592	cmd.exe	43
PID 1592 wrote to memory of 2036	1592	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
126.2MB

MD5
d6c2d1319cb22dda49e8f2bc2d3b6099

SHA1
2ee16d3f5e520cf27012eed12d85e3714967cf37

SHA256
08aa4829ae7192023c98fd95ab3bc80422b37223e480500c6088f8d533f274e6

SHA512
602ec93cddf14a7e3733dbde097d3ef437325baa860255a1b9a3220de260c2678fea7c43da015db9a7c095c0e3cbaa6129657005153c4d3656ea6813e799777f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
130.9MB

MD5
2386daf075639894840be2730f4ea73e

SHA1
e7b0ef4dc4fac647f43c11c646c173d0f8d5f95b

SHA256
3c269e4705ca04331679c9c75919f05c3dba654038c703d8b92ddf7c8afc5f46

SHA512
50eb1c617dc35ff57175874c2a877a56088798b8504b88de311b2a34ae3c6770526dcefae8323db3ebdc3e16a8704c80f5b8108f21b9bf1455ec9ce994247ad2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
47722663219ca33359489c3bf9e4b6a5

SHA1
c9ff731149a60561c7a8c08e1e84a8bd2d4d5cc5

SHA256
090c28f41ad8747dea2a408da2862890bc9e553e917fd0653bec881e1d04aed7

SHA512
fb2e9fbbd3c17688e0ee675d5dafd5dab3a6b8cd053fd71f3f556c97aedab6dbe48df82fbbb3320150f81778afa0be801a09b7782d6dfab217632995975f68ae

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
126.4MB

MD5
1c4ae59ec483f22c894fafa909e940a1

SHA1
9a024a4c1130110e8804db7c1c6d06c1e54f6564

SHA256
93a646ca4e3751c780b08ede25b0295177ca437965d69637368795f5679016bd

SHA512
ac13a6768348a0dd3c83c747c579ffc46adc9b668837dd20fc685ab27330af874d71d9f725f918e02d03a812dacd7ad7022f103aae68c9601b6a385fb9ea1d79

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
127.1MB

MD5
ca7751a62794d737ffbfa3a138f2e362

SHA1
da90b328afffed5f72eb96869e99327ef01f99da

SHA256
7f1fd06cb2bdb0cd74902488b0488d08f7c0793d31d4f3358758a72b408493c3

SHA512
c9830f6328c17ddce3e7bba79828cf56eb5eeb741b1ba9c91eddaf24b4f6f648c96d1a7820896a54e04c47a064b7195461cdd78568129e28ae6b990a774a9054

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
96.6MB

MD5
aa4137f9a1532fa3f733337f6960c8bd

SHA1
ce624fd6f8e1bdc0ac89d60b8cc945bf0201c342

SHA256
467375ec2d7f6bf36f99e82164931e9a40592f69c829ec73c9bed8d0ebb1d83e

SHA512
2adcfa88da4639f75e53b43d68714fa3f1dc37c77ebe0d81c74937941863957711dc4adc30c23ce76109c62a7ed63beb71613cab1f7d63c5f6fee866f6255101

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
122.9MB

MD5
c6eedd8ce5f6401eb66bd32ded16413e

SHA1
ea54e7f31e273fd6dd7782bb2055d710e15ae73a

SHA256
48e9dddfcfa579d090545ef250cab2ffc05cba63d0b84719eb1cc7c09d943986

SHA512
6c854e65a74acf402c577ea0800b01ceb6ef8e447043c2d8c279552899c034e43ba86c2fc60f51df13e80a669618fb95af64cffef0b78cdf7add8d9664e3c2e2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
125.8MB

MD5
cecbe80158bc68da4d929481ab0505db

SHA1
263fef38f3a826c1f2214158f2808b4c9da8832b

SHA256
1f7fd62fee013723e4beab7af2c4ece08bc2b8e467fd0d06d31d162ffdb7feaa

SHA512
b5d3a450e96fc646f89827b4a0206d3c8f838ccad97d099dbdc46af041a107b4f95472bc8691ac7be0f90b352a3a8734059cdd1ceaf5f65ff9358b41d8324942

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
126.1MB

MD5
abd55c2fd97b715821c8c50dbca0794d

SHA1
7f68fefa96a716b37db98858a7be607fac2330cb

SHA256
227771947b73aa483e58c180eb73891903b7a50b07983a21600f0fd0c7a0ad73

SHA512
08f6d6c5575b2b347a81fa5cf6926426ae60218994285d758b0226013279cf851a75a3e868d46af85829e5c137bb8f9b723194b8d5c2407ab0bf5b1f3e3d2717

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
123.4MB

MD5
68196d7cd35dda3ad35bab6212054c7e

SHA1
d2a1e9f3f0e6ee0e51efee911d2023f59d90a99f

SHA256
9db67860561edf98f64272e534c3e85713fb7aa3f0706c31762caca4f649e4f5

SHA512
71507533bcdb384cd449874276c3c88f195a253d6c450086cafa5acbc8afe3417e735918d823834e48a6ce37e8bd9d18bc771fe2ed14906ab507ca13934d6936

Download Submit
memory/608-70-0x000000006FBB0000-0x000000007015B000-memory.dmp

Filesize
5.7MB

Download
memory/608-71-0x000000006FBB0000-0x000000007015B000-memory.dmp

Filesize
5.7MB

Download
memory/608-69-0x000000006FBB0000-0x000000007015B000-memory.dmp

Filesize
5.7MB

Download
memory/704-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/704-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/952-93-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/952-94-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/1532-74-0x0000000005610000-0x0000000005782000-memory.dmp

Filesize
1.4MB

Download
memory/1532-66-0x0000000006610000-0x00000000069B0000-memory.dmp

Filesize
3.6MB

Download
memory/1532-65-0x0000000000D50000-0x00000000014C4000-memory.dmp

Filesize
7.5MB

Download
memory/1964-56-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download