aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
68s
max time network
73s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1336-66-0x00000000064B0000-0x0000000006850000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1288	voiceadequovl.exe
1336	voiceadequovl.exe
1132	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1288	voiceadequovl.exe
1288	voiceadequovl.exe
1288	voiceadequovl.exe
1288	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1336 set thread context of 1132	1336	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1768	powershell.exe
1656	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	voiceadequovl.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeIncreaseQuotaPrivilege	1360	wmic.exe
Token: SeSecurityPrivilege	1360	wmic.exe
Token: SeTakeOwnershipPrivilege	1360	wmic.exe
Token: SeLoadDriverPrivilege	1360	wmic.exe
Token: SeSystemProfilePrivilege	1360	wmic.exe
Token: SeSystemtimePrivilege	1360	wmic.exe
Token: SeProfSingleProcessPrivilege	1360	wmic.exe
Token: SeIncBasePriorityPrivilege	1360	wmic.exe
Token: SeCreatePagefilePrivilege	1360	wmic.exe
Token: SeBackupPrivilege	1360	wmic.exe
Token: SeRestorePrivilege	1360	wmic.exe
Token: SeShutdownPrivilege	1360	wmic.exe
Token: SeDebugPrivilege	1360	wmic.exe
Token: SeSystemEnvironmentPrivilege	1360	wmic.exe
Token: SeRemoteShutdownPrivilege	1360	wmic.exe
Token: SeUndockPrivilege	1360	wmic.exe
Token: SeManageVolumePrivilege	1360	wmic.exe
Token: 33	1360	wmic.exe
Token: 34	1360	wmic.exe
Token: 35	1360	wmic.exe
Token: SeIncreaseQuotaPrivilege	1360	wmic.exe
Token: SeSecurityPrivilege	1360	wmic.exe
Token: SeTakeOwnershipPrivilege	1360	wmic.exe
Token: SeLoadDriverPrivilege	1360	wmic.exe
Token: SeSystemProfilePrivilege	1360	wmic.exe
Token: SeSystemtimePrivilege	1360	wmic.exe
Token: SeProfSingleProcessPrivilege	1360	wmic.exe
Token: SeIncBasePriorityPrivilege	1360	wmic.exe
Token: SeCreatePagefilePrivilege	1360	wmic.exe
Token: SeBackupPrivilege	1360	wmic.exe
Token: SeRestorePrivilege	1360	wmic.exe
Token: SeShutdownPrivilege	1360	wmic.exe
Token: SeDebugPrivilege	1360	wmic.exe
Token: SeSystemEnvironmentPrivilege	1360	wmic.exe
Token: SeRemoteShutdownPrivilege	1360	wmic.exe
Token: SeUndockPrivilege	1360	wmic.exe
Token: SeManageVolumePrivilege	1360	wmic.exe
Token: 33	1360	wmic.exe
Token: 34	1360	wmic.exe
Token: 35	1360	wmic.exe
Token: SeIncreaseQuotaPrivilege	1676	WMIC.exe
Token: SeSecurityPrivilege	1676	WMIC.exe
Token: SeTakeOwnershipPrivilege	1676	WMIC.exe
Token: SeLoadDriverPrivilege	1676	WMIC.exe
Token: SeSystemProfilePrivilege	1676	WMIC.exe
Token: SeSystemtimePrivilege	1676	WMIC.exe
Token: SeProfSingleProcessPrivilege	1676	WMIC.exe
Token: SeIncBasePriorityPrivilege	1676	WMIC.exe
Token: SeCreatePagefilePrivilege	1676	WMIC.exe
Token: SeBackupPrivilege	1676	WMIC.exe
Token: SeRestorePrivilege	1676	WMIC.exe
Token: SeShutdownPrivilege	1676	WMIC.exe
Token: SeDebugPrivilege	1676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1676	WMIC.exe
Token: SeRemoteShutdownPrivilege	1676	WMIC.exe
Token: SeUndockPrivilege	1676	WMIC.exe
Token: SeManageVolumePrivilege	1676	WMIC.exe
Token: 33	1676	WMIC.exe
Token: 34	1676	WMIC.exe
Token: 35	1676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1676	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1288	1304	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1304 wrote to memory of 1288	1304	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1304 wrote to memory of 1288	1304	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1304 wrote to memory of 1288	1304	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1288 wrote to memory of 1336	1288	voiceadequovl.exe	28
PID 1288 wrote to memory of 1336	1288	voiceadequovl.exe	28
PID 1288 wrote to memory of 1336	1288	voiceadequovl.exe	28
PID 1288 wrote to memory of 1336	1288	voiceadequovl.exe	28
PID 1336 wrote to memory of 1768	1336	voiceadequovl.exe	29
PID 1336 wrote to memory of 1768	1336	voiceadequovl.exe	29
PID 1336 wrote to memory of 1768	1336	voiceadequovl.exe	29
PID 1336 wrote to memory of 1768	1336	voiceadequovl.exe	29
PID 1336 wrote to memory of 1368	1336	voiceadequovl.exe	32
PID 1336 wrote to memory of 1368	1336	voiceadequovl.exe	32
PID 1336 wrote to memory of 1368	1336	voiceadequovl.exe	32
PID 1336 wrote to memory of 1368	1336	voiceadequovl.exe	32
PID 1368 wrote to memory of 1656	1368	cmd.exe	33
PID 1368 wrote to memory of 1656	1368	cmd.exe	33
PID 1368 wrote to memory of 1656	1368	cmd.exe	33
PID 1368 wrote to memory of 1656	1368	cmd.exe	33
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1336 wrote to memory of 1132	1336	voiceadequovl.exe	34
PID 1132 wrote to memory of 1360	1132	voiceadequovl.exe	35
PID 1132 wrote to memory of 1360	1132	voiceadequovl.exe	35
PID 1132 wrote to memory of 1360	1132	voiceadequovl.exe	35
PID 1132 wrote to memory of 1360	1132	voiceadequovl.exe	35
PID 1132 wrote to memory of 1668	1132	voiceadequovl.exe	38
PID 1132 wrote to memory of 1668	1132	voiceadequovl.exe	38
PID 1132 wrote to memory of 1668	1132	voiceadequovl.exe	38
PID 1132 wrote to memory of 1668	1132	voiceadequovl.exe	38
PID 1668 wrote to memory of 1676	1668	cmd.exe	40
PID 1668 wrote to memory of 1676	1668	cmd.exe	40
PID 1668 wrote to memory of 1676	1668	cmd.exe	40
PID 1668 wrote to memory of 1676	1668	cmd.exe	40
PID 1132 wrote to memory of 940	1132	voiceadequovl.exe	42
PID 1132 wrote to memory of 940	1132	voiceadequovl.exe	42
PID 1132 wrote to memory of 940	1132	voiceadequovl.exe	42
PID 1132 wrote to memory of 940	1132	voiceadequovl.exe	42
PID 940 wrote to memory of 820	940	cmd.exe	43
PID 940 wrote to memory of 820	940	cmd.exe	43
PID 940 wrote to memory of 820	940	cmd.exe	43
PID 940 wrote to memory of 820	940	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
162.7MB

MD5
5d8e1ec3062deca04b1f4d09ea300c59

SHA1
6ced94659b4ca0489ac52dabe1aedec7b51988ba

SHA256
76391ff564b71574f850b4818e6f9aaf4753e8fc76b02a40915dc0a66c49de7d

SHA512
c5b4e2a603dc618cb069dbc2be586cf73ebad656a4caedce1b484588a9117437ffe5eae0088642257b8dae183a00ac3126240667c7ebea718459653ad375c8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
157.5MB

MD5
088a475ef1834dbf10a0858718829b2c

SHA1
4d81047b55056f0c825c51988ce4fa66428931a2

SHA256
6a3666f4736bf032329fc9344a62421fc729b68f9af7d3403d1f713ced2d5338

SHA512
e3158b72b9ee772f6ba74f7d277bc81b34204d840b47be552b7e4f3db291c0e70c72944ee098816fb83a9c49d9a126e29ebf36bb8d460059054c11ba94879ceb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
55b719b8568cb5567b682f593b47bb38

SHA1
e9a4f97819a2b19116c01d8208c07fe3c1e923fc

SHA256
ae0efee51479cbb6ade4b8092573cdaea7302fc9308951694ce7e19f6a0a3887

SHA512
716ecf1d4e3975e0f9219d3288b4c9b0eb1ccc15a546fcb131cf12ad6f4b58834f7a4b3dc7ae7acae39a5658ace1061e86799eb393b4173bb8993ec52e744c8b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
152.1MB

MD5
0d0780c7b26026dc2ef2bdca2b7c1b90

SHA1
53b4f3a88014dee148d226c5b937e8022f2b7e25

SHA256
7c359ed2210a59fa1ed32dca9a9b5bb950c7cee04c4a4407c76fb0e9be8f0837

SHA512
915133df429b5ca31045b0e14e3a88a3bcaef4c4136bc83dde6000eed8b47205d4f7187700c25816ee49d3b2510fdd7ad3597566258c8caf3c5583a768287473

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
156.6MB

MD5
09c60e6c07a3ceeb62efed378c0fec17

SHA1
1aa699e99d18d21d37e72d9e1e608b5aa6b53b1e

SHA256
c521b45e1102cda557e6a06dbfa3fb14deb98d00860556d05c3c25ecab1781b4

SHA512
993e83755dc4704b4c3737380e887ffb846e271f813192f51359444cb47d91cbb04d51d1263be02ca6438baff9351897d3ccf6f1f7d010dbedf520fd3153d09e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
88.4MB

MD5
81254a01a5c85947cf0e62c0dac7053b

SHA1
e33a78a9a1215e7dc21e1761d3874b1b0df64c11

SHA256
b1894a6d900994f4adecf24f884de678f519b9c0cdfbb22b7ddfbb52ba19cea3

SHA512
fa09471e15798f4a97bb6ee196bb132213bcdb1af06e31c714110f9022bd45d27e566b7f0045fab460f30f4a48dcf85f0b5c633be003d457febc0b80de734cba

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
150.8MB

MD5
9aada5bc62bea286bf93f24bd8245788

SHA1
a48208264837e3169f4fff716d6eec8efc9531a4

SHA256
e07f2c7035a95e527944d5f9839aa79d356702bcf7b1f6ee4d2b212c0b387d1e

SHA512
372b457c717bc9e6028300560d2a2fe4375505dd950ce73eb2dfecbfd912b8637b6669f6697bf3e9907b28204dbb2ab6ebf409fa4d2dde1a91e32c15aa3eb2cb

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
157.3MB

MD5
cdecfe9d867f8288e1154f6ed587681c

SHA1
a3bb66a1690678a719dc2d6c049ea78e742e28d9

SHA256
54d346e198b2d2f6f08297a958040ae92ba0718f0f368ed57c213fa5bfa13bb2

SHA512
9b5a123045641c71bea9f1a95c12ea494fdba1ab56b7e9383f77e55e280b177cee881c8edf9de9f482f4711c55eec5df919640e6294a74b5306dcdcecfa1b8f8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
154.9MB

MD5
8eb9d37a2d795fff4910e3a4a82b9ade

SHA1
226696140d632d00774f40479359d05ee00e02f6

SHA256
4f4261bf679c002502afbf3efdd6aba0026ebc7881738379db8f9aec64881751

SHA512
26dae1c6764e93d1cc74128c81f17bcfe3cafca4e2182ec918ed79fc2907947b6afd3b483be79a9cda462570fbd3f155e83af98876e5501c697ccae5239b42ec

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
150.3MB

MD5
4f9efcb935150b482a7ed1b22466de9c

SHA1
8840698491e0c0df6b0a125564e868eb7da56c00

SHA256
72134bde2fcee1e413edebb15fb49f6389d2d78e0b2f76a8f34717b7c628e468

SHA512
794ab9c2cbc02045a530162e00874d41e7521bec991f5f6d022b59233b9ed3ae45f896ba64b3bb0cca757a5e3234ce4ff1ab7da7cf737227a8ee2a8f250f9b49

Download Submit
memory/1132-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1132-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1288-56-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1336-73-0x0000000005330000-0x00000000054A2000-memory.dmp

Filesize
1.4MB

Download
memory/1336-65-0x0000000000A00000-0x0000000001174000-memory.dmp

Filesize
7.5MB

Download
memory/1336-66-0x00000000064B0000-0x0000000006850000-memory.dmp

Filesize
3.6MB

Download
memory/1656-90-0x000000006FD90000-0x000000007033B000-memory.dmp

Filesize
5.7MB

Download
memory/1656-94-0x000000006FD90000-0x000000007033B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-70-0x0000000070050000-0x00000000705FB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-71-0x0000000070050000-0x00000000705FB000-memory.dmp

Filesize
5.7MB

Download
memory/1768-69-0x0000000070050000-0x00000000705FB000-memory.dmp

Filesize
5.7MB

Download