aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
71s
max time network
75s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1840-66-0x00000000063D0000-0x0000000006770000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1028	voiceadequovl.exe
1840	voiceadequovl.exe
1480	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1028	voiceadequovl.exe
1028	voiceadequovl.exe
1028	voiceadequovl.exe
1028	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1840 set thread context of 1480	1840	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
912	powershell.exe
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	voiceadequovl.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeIncreaseQuotaPrivilege	1844	wmic.exe
Token: SeSecurityPrivilege	1844	wmic.exe
Token: SeTakeOwnershipPrivilege	1844	wmic.exe
Token: SeLoadDriverPrivilege	1844	wmic.exe
Token: SeSystemProfilePrivilege	1844	wmic.exe
Token: SeSystemtimePrivilege	1844	wmic.exe
Token: SeProfSingleProcessPrivilege	1844	wmic.exe
Token: SeIncBasePriorityPrivilege	1844	wmic.exe
Token: SeCreatePagefilePrivilege	1844	wmic.exe
Token: SeBackupPrivilege	1844	wmic.exe
Token: SeRestorePrivilege	1844	wmic.exe
Token: SeShutdownPrivilege	1844	wmic.exe
Token: SeDebugPrivilege	1844	wmic.exe
Token: SeSystemEnvironmentPrivilege	1844	wmic.exe
Token: SeRemoteShutdownPrivilege	1844	wmic.exe
Token: SeUndockPrivilege	1844	wmic.exe
Token: SeManageVolumePrivilege	1844	wmic.exe
Token: 33	1844	wmic.exe
Token: 34	1844	wmic.exe
Token: 35	1844	wmic.exe
Token: SeIncreaseQuotaPrivilege	1844	wmic.exe
Token: SeSecurityPrivilege	1844	wmic.exe
Token: SeTakeOwnershipPrivilege	1844	wmic.exe
Token: SeLoadDriverPrivilege	1844	wmic.exe
Token: SeSystemProfilePrivilege	1844	wmic.exe
Token: SeSystemtimePrivilege	1844	wmic.exe
Token: SeProfSingleProcessPrivilege	1844	wmic.exe
Token: SeIncBasePriorityPrivilege	1844	wmic.exe
Token: SeCreatePagefilePrivilege	1844	wmic.exe
Token: SeBackupPrivilege	1844	wmic.exe
Token: SeRestorePrivilege	1844	wmic.exe
Token: SeShutdownPrivilege	1844	wmic.exe
Token: SeDebugPrivilege	1844	wmic.exe
Token: SeSystemEnvironmentPrivilege	1844	wmic.exe
Token: SeRemoteShutdownPrivilege	1844	wmic.exe
Token: SeUndockPrivilege	1844	wmic.exe
Token: SeManageVolumePrivilege	1844	wmic.exe
Token: 33	1844	wmic.exe
Token: 34	1844	wmic.exe
Token: 35	1844	wmic.exe
Token: SeIncreaseQuotaPrivilege	1032	WMIC.exe
Token: SeSecurityPrivilege	1032	WMIC.exe
Token: SeTakeOwnershipPrivilege	1032	WMIC.exe
Token: SeLoadDriverPrivilege	1032	WMIC.exe
Token: SeSystemProfilePrivilege	1032	WMIC.exe
Token: SeSystemtimePrivilege	1032	WMIC.exe
Token: SeProfSingleProcessPrivilege	1032	WMIC.exe
Token: SeIncBasePriorityPrivilege	1032	WMIC.exe
Token: SeCreatePagefilePrivilege	1032	WMIC.exe
Token: SeBackupPrivilege	1032	WMIC.exe
Token: SeRestorePrivilege	1032	WMIC.exe
Token: SeShutdownPrivilege	1032	WMIC.exe
Token: SeDebugPrivilege	1032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1032	WMIC.exe
Token: SeRemoteShutdownPrivilege	1032	WMIC.exe
Token: SeUndockPrivilege	1032	WMIC.exe
Token: SeManageVolumePrivilege	1032	WMIC.exe
Token: 33	1032	WMIC.exe
Token: 34	1032	WMIC.exe
Token: 35	1032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1032	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1028	1428	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1428 wrote to memory of 1028	1428	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1428 wrote to memory of 1028	1428	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1428 wrote to memory of 1028	1428	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1028 wrote to memory of 1840	1028	voiceadequovl.exe	28
PID 1028 wrote to memory of 1840	1028	voiceadequovl.exe	28
PID 1028 wrote to memory of 1840	1028	voiceadequovl.exe	28
PID 1028 wrote to memory of 1840	1028	voiceadequovl.exe	28
PID 1840 wrote to memory of 912	1840	voiceadequovl.exe	29
PID 1840 wrote to memory of 912	1840	voiceadequovl.exe	29
PID 1840 wrote to memory of 912	1840	voiceadequovl.exe	29
PID 1840 wrote to memory of 912	1840	voiceadequovl.exe	29
PID 1840 wrote to memory of 1172	1840	voiceadequovl.exe	31
PID 1840 wrote to memory of 1172	1840	voiceadequovl.exe	31
PID 1840 wrote to memory of 1172	1840	voiceadequovl.exe	31
PID 1840 wrote to memory of 1172	1840	voiceadequovl.exe	31
PID 1172 wrote to memory of 1504	1172	cmd.exe	33
PID 1172 wrote to memory of 1504	1172	cmd.exe	33
PID 1172 wrote to memory of 1504	1172	cmd.exe	33
PID 1172 wrote to memory of 1504	1172	cmd.exe	33
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1840 wrote to memory of 1480	1840	voiceadequovl.exe	34
PID 1480 wrote to memory of 1844	1480	voiceadequovl.exe	35
PID 1480 wrote to memory of 1844	1480	voiceadequovl.exe	35
PID 1480 wrote to memory of 1844	1480	voiceadequovl.exe	35
PID 1480 wrote to memory of 1844	1480	voiceadequovl.exe	35
PID 1480 wrote to memory of 956	1480	voiceadequovl.exe	38
PID 1480 wrote to memory of 956	1480	voiceadequovl.exe	38
PID 1480 wrote to memory of 956	1480	voiceadequovl.exe	38
PID 1480 wrote to memory of 956	1480	voiceadequovl.exe	38
PID 956 wrote to memory of 1032	956	cmd.exe	40
PID 956 wrote to memory of 1032	956	cmd.exe	40
PID 956 wrote to memory of 1032	956	cmd.exe	40
PID 956 wrote to memory of 1032	956	cmd.exe	40
PID 1480 wrote to memory of 2024	1480	voiceadequovl.exe	41
PID 1480 wrote to memory of 2024	1480	voiceadequovl.exe	41
PID 1480 wrote to memory of 2024	1480	voiceadequovl.exe	41
PID 1480 wrote to memory of 2024	1480	voiceadequovl.exe	41
PID 2024 wrote to memory of 836	2024	cmd.exe	43
PID 2024 wrote to memory of 836	2024	cmd.exe	43
PID 2024 wrote to memory of 836	2024	cmd.exe	43
PID 2024 wrote to memory of 836	2024	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:956
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
344.1MB

MD5
79f11a7a4c3cdc4b382ee15d7f97cebe

SHA1
dd84670f7eb9782f4e23f3ee4e113812b0b342e5

SHA256
b5678223821212283655ad16e83617a0b7dd518280d7a18a5ebac98ef16b6c1f

SHA512
cac2db44b6bdaa6b2e3d8da3e1368883f6a43910510fd63a298cb9f4ebbb88db3334eb5d60fe0568d60d36ab2db7edc6dea84cae3c8d21b46575162b8888b2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
332.3MB

MD5
43396fb7d5ad803bac4a41cc4632f49d

SHA1
f5733c8b65855b090de1e437609a2544442ed28e

SHA256
9d7628b87cda14e9a29b6035bae644f7efd98f02a659d8ea066c4fb4216cc584

SHA512
930bdf89c2b3eae150b320b701f7aeee544bfcc139e06d0c62a42b4588ed6fee693c29c995ac9ae69f6df1f0d2a398e09ff423247d7a3ad042486d32bc219c9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
4ae503707d0b43c14cbb339df8967d11

SHA1
0b4ad0495bd3a49ac84888524bcb14cdf6904b71

SHA256
3fe4df51ce34d27f521f70aba66890c5e778c61754a9a0993816e91e262bae86

SHA512
e07e7a70e8d2dc32f127944bdcfcf96b2f38a1310dfbffe5782eb157d0194b44a81354e0e6d81b26c2aac95ff260b8be6c9542b46713e484d6ad5063926ca052

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
304.9MB

MD5
73fbea2cbbf347a0635c6f21996d8d8d

SHA1
2abba8eec1c70d3e126dad91ffaf0b359b9ca500

SHA256
64d25d945b8a04e08845555916355beecc4592be0b9fa367a55dc8ab51189bea

SHA512
be5684cbca2279166ca49fb9428c1d4918c36ddc34e151ef5c98b5831125edc586b55ea808f155b08774b3784217a707250f59b2c01e6cd52b893fd8d19782d8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
296.2MB

MD5
94e900f8cf474440fb93e4ef583189bf

SHA1
21382fb4bd298c2992a80108d2191be2defc2033

SHA256
1dff72ebf5401ec57be814ba6130f66b74194065dfffadc2a8855361b7774abe

SHA512
28acf99b6794534b609477cf9e9326c1ad649488557a8a6bb06a628d46190ebe3b1a31e811bc0f6c209aa60b497495847e9518e6a9d532f7092b1e435fe36bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
190.1MB

MD5
74b7b807c458040f9c5875a82a56071f

SHA1
ff5e54a1418a3ba25c31d28e9798e330e66c42c7

SHA256
3ac6614d0069e63a6dec220aeebd14035396291acdd580fc81aaf243a1a445a3

SHA512
8f6da82c4d63ea3f8744a60e74a0e0e6f9e7e54b83b8aca254dd64cac509658d295085b4b88ec923716d639d6920158cd6a9a1eb162b96b6c3a65a1b8e838338

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
303.2MB

MD5
6e0758d434a9da0908ab3054e2c4319c

SHA1
93f9153c7e85e2c9ae3c9f7e8c0a58dce22bdcb5

SHA256
7b81a9b2c3fd5a9a25d3a0c01efcc9de0f5dfba44cc286a6257b1648571a7445

SHA512
bf212c263fd51dc2ca90b440d06348ea1d56c0798aba663565b015f78cd1cd85668094d75bef9558ea157654429c1ad63a147bfe3397e47c53274c7c8c77fe1f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
298.1MB

MD5
5e9b142257637b08e9a75c08aab06809

SHA1
0c693269c7461321d0d00a38a5169436ea9287bb

SHA256
c87bfd9f6dd945e340e19bc3a7340b8768e658e6b4ecc825b346b89e73e31042

SHA512
821158c21526007ab8a85e547a05486dbdac77e1603815736a46f13e4135e5196c5bcdeb1baf4e2f684d97bd8b4cf3ae705b02b91c0881ae6922f586f5732d37

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
303.9MB

MD5
afcd405ca13ddcf19a40b3c0f8534064

SHA1
b6660c1b8be14bf655eff397666025e4884d4cd5

SHA256
691d931e2f26401835e68ee9aa701432bd1d0ed097ecdf870700f6a94f522061

SHA512
4ca9dbafa1ec519956fe0b258237a0c7c72c73d3568a11a510959921b45c22abeb37929480e0c33d5886aaeb6d5b04d2e63b7fbae68550e7d50e2a5400433bc5

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
301.1MB

MD5
617ca5119542e7cfd33dd2de907f957c

SHA1
26f97c7abde1f4d038c3c1ab7bdc333a2c26df4b

SHA256
bad16e0dffa2707950481b16392335817f24d341d6e5c030de48e1a6795e3bcf

SHA512
f4eb7186d3c87b3812246442b0b08005e7e1a8e09f56dbbc9d88130aadd060c3b747649987570e7a387ff1ad8f415d234d86929d006fc7af28751063f216feec

Download Submit
memory/912-69-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/912-70-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/912-71-0x000000006F640000-0x000000006FBEB000-memory.dmp

Filesize
5.7MB

Download
memory/1028-56-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1480-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1480-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1504-95-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1504-91-0x000000006F1C0000-0x000000006F76B000-memory.dmp

Filesize
5.7MB

Download
memory/1840-74-0x0000000005330000-0x00000000054A2000-memory.dmp

Filesize
1.4MB

Download
memory/1840-66-0x00000000063D0000-0x0000000006770000-memory.dmp

Filesize
3.6MB

Download
memory/1840-65-0x0000000000BD0000-0x0000000001344000-memory.dmp

Filesize
7.5MB

Download