aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
70s
max time network
74s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1796-66-0x0000000006440000-0x00000000067E0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1708	voiceadequovl.exe
1796	voiceadequovl.exe
1696	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1708	voiceadequovl.exe
1708	voiceadequovl.exe
1708	voiceadequovl.exe
1708	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1796 set thread context of 1696	1796	voiceadequovl.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	powershell.exe
436	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	voiceadequovl.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeIncreaseQuotaPrivilege	1264	wmic.exe
Token: SeSecurityPrivilege	1264	wmic.exe
Token: SeTakeOwnershipPrivilege	1264	wmic.exe
Token: SeLoadDriverPrivilege	1264	wmic.exe
Token: SeSystemProfilePrivilege	1264	wmic.exe
Token: SeSystemtimePrivilege	1264	wmic.exe
Token: SeProfSingleProcessPrivilege	1264	wmic.exe
Token: SeIncBasePriorityPrivilege	1264	wmic.exe
Token: SeCreatePagefilePrivilege	1264	wmic.exe
Token: SeBackupPrivilege	1264	wmic.exe
Token: SeRestorePrivilege	1264	wmic.exe
Token: SeShutdownPrivilege	1264	wmic.exe
Token: SeDebugPrivilege	1264	wmic.exe
Token: SeSystemEnvironmentPrivilege	1264	wmic.exe
Token: SeRemoteShutdownPrivilege	1264	wmic.exe
Token: SeUndockPrivilege	1264	wmic.exe
Token: SeManageVolumePrivilege	1264	wmic.exe
Token: 33	1264	wmic.exe
Token: 34	1264	wmic.exe
Token: 35	1264	wmic.exe
Token: SeIncreaseQuotaPrivilege	1264	wmic.exe
Token: SeSecurityPrivilege	1264	wmic.exe
Token: SeTakeOwnershipPrivilege	1264	wmic.exe
Token: SeLoadDriverPrivilege	1264	wmic.exe
Token: SeSystemProfilePrivilege	1264	wmic.exe
Token: SeSystemtimePrivilege	1264	wmic.exe
Token: SeProfSingleProcessPrivilege	1264	wmic.exe
Token: SeIncBasePriorityPrivilege	1264	wmic.exe
Token: SeCreatePagefilePrivilege	1264	wmic.exe
Token: SeBackupPrivilege	1264	wmic.exe
Token: SeRestorePrivilege	1264	wmic.exe
Token: SeShutdownPrivilege	1264	wmic.exe
Token: SeDebugPrivilege	1264	wmic.exe
Token: SeSystemEnvironmentPrivilege	1264	wmic.exe
Token: SeRemoteShutdownPrivilege	1264	wmic.exe
Token: SeUndockPrivilege	1264	wmic.exe
Token: SeManageVolumePrivilege	1264	wmic.exe
Token: 33	1264	wmic.exe
Token: 34	1264	wmic.exe
Token: 35	1264	wmic.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1708	1720	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1720 wrote to memory of 1708	1720	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1720 wrote to memory of 1708	1720	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1720 wrote to memory of 1708	1720	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1708 wrote to memory of 1796	1708	voiceadequovl.exe	27
PID 1708 wrote to memory of 1796	1708	voiceadequovl.exe	27
PID 1708 wrote to memory of 1796	1708	voiceadequovl.exe	27
PID 1708 wrote to memory of 1796	1708	voiceadequovl.exe	27
PID 1796 wrote to memory of 2028	1796	voiceadequovl.exe	28
PID 1796 wrote to memory of 2028	1796	voiceadequovl.exe	28
PID 1796 wrote to memory of 2028	1796	voiceadequovl.exe	28
PID 1796 wrote to memory of 2028	1796	voiceadequovl.exe	28
PID 1796 wrote to memory of 1516	1796	voiceadequovl.exe	30
PID 1796 wrote to memory of 1516	1796	voiceadequovl.exe	30
PID 1796 wrote to memory of 1516	1796	voiceadequovl.exe	30
PID 1796 wrote to memory of 1516	1796	voiceadequovl.exe	30
PID 1516 wrote to memory of 436	1516	cmd.exe	32
PID 1516 wrote to memory of 436	1516	cmd.exe	32
PID 1516 wrote to memory of 436	1516	cmd.exe	32
PID 1516 wrote to memory of 436	1516	cmd.exe	32
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1796 wrote to memory of 1696	1796	voiceadequovl.exe	33
PID 1696 wrote to memory of 1264	1696	voiceadequovl.exe	34
PID 1696 wrote to memory of 1264	1696	voiceadequovl.exe	34
PID 1696 wrote to memory of 1264	1696	voiceadequovl.exe	34
PID 1696 wrote to memory of 1264	1696	voiceadequovl.exe	34
PID 1696 wrote to memory of 1232	1696	voiceadequovl.exe	37
PID 1696 wrote to memory of 1232	1696	voiceadequovl.exe	37
PID 1696 wrote to memory of 1232	1696	voiceadequovl.exe	37
PID 1696 wrote to memory of 1232	1696	voiceadequovl.exe	37
PID 1232 wrote to memory of 1568	1232	cmd.exe	39
PID 1232 wrote to memory of 1568	1232	cmd.exe	39
PID 1232 wrote to memory of 1568	1232	cmd.exe	39
PID 1232 wrote to memory of 1568	1232	cmd.exe	39
PID 1696 wrote to memory of 1564	1696	voiceadequovl.exe	41
PID 1696 wrote to memory of 1564	1696	voiceadequovl.exe	41
PID 1696 wrote to memory of 1564	1696	voiceadequovl.exe	41
PID 1696 wrote to memory of 1564	1696	voiceadequovl.exe	41
PID 1564 wrote to memory of 1756	1564	cmd.exe	42
PID 1564 wrote to memory of 1756	1564	cmd.exe	42
PID 1564 wrote to memory of 1756	1564	cmd.exe	42
PID 1564 wrote to memory of 1756	1564	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
242.6MB

MD5
7014f29273946079fe2b3a691578fd1b

SHA1
42c385a6643861e9ae1be2b6ae445c6a2791657e

SHA256
97c3f687a205d0932be413076dfea42affb61e5dafa3c45455a0b19002e66324

SHA512
8fc48b843e964d7c9c954a12a86e053ea2ddc87781e0b34793d4b37bfb8ae55fbc0781150bf8296854f093add6e9f7c4bc9b12436141e44013300b10eae394f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
241.6MB

MD5
287ab4ca9355e7c3477fa155936db3cd

SHA1
06164d25327673a514bf66ea588e84f6c9579977

SHA256
c718c2e55b5004b49fed9db99659ab8226cc24c675569961f669bf7cb15bdc5c

SHA512
61475912a833f7731abed03edb841b7ad9bdbaad98def5eeb332720d1da1d44a79494f10a39968048ed16404becb2b78a107361f5599f0bf748ca934ebccbf49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0d89b1c09afe4176815f7886edd080e2

SHA1
f4df610798a4c513230ad77a0e8de565a0da1b2d

SHA256
6c2e01612a3a22354b8eb6e6d50ce946d8811cde0730996cefc2b94ed7eea799

SHA512
e94d1b858e9ac43b5c9391df359a5347ab9d09c81f34e325e872bf09d6d8324a692524889c71a34524238c6bca94ff8f88bf8bc6c773c93cf03e07b076defcb0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.8MB

MD5
e15dc21c77c0fb8f0ecaa122628fd4b9

SHA1
dc138753fb8192e68e33e2ff35b5d4d9e11c5907

SHA256
185d8e8ce3be1727834111b3b23ba53deee6ad7ef041bdf461d550d40f44ccf3

SHA512
6d00543cfb3f9c1212e53a0bfbccbc6f75bf26b5670d1d3b4e6bcd6ac6a1797f8917bd7f0cc6a21b33c5cc1f38c0928f6687b484578028e33769bdd47f6b6e4f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
219.8MB

MD5
ff6b2103cef2ed205270f5642541440a

SHA1
a2962750fa0af4846c27ee310ca5596c9569686c

SHA256
60b16db81b3a5928204f6aa8bcb8518e06b2f22f385cf4c25ba89e7a8c42c922

SHA512
02f01cf99f987a1e5a64ace442fde9f4118b01804262403fbda1546ceb7bda35fd8825a5f7c0b62484b64ff2549baa39efcc5d8bd9b20811eeb213646ff9823a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
170.4MB

MD5
f3fa4803f495f9b6e44c94bce86ee2e3

SHA1
9660963681a21d2bf129e39b1199e0623d74e5b6

SHA256
7c0efb0e2d2f0538b878a2e29deac036f70f9d9764bac7e6bc47b00172936a01

SHA512
f94cd31681efae9fc070696c55c6425e7fbf5efcaad0124723ad835bfb5fac0a09d9eefd53595fc7a29a37ee36b6c01a87795aea73c3468419ee083cb841d4e8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
230.2MB

MD5
8e591699358113dcd597b534225591bc

SHA1
a1ca2b4e714d110c0e8cff7cb57be9e2ea5af0b1

SHA256
deb95d519d56627049fd80c30ffd5aa8255c2cc636fa5e2236907ef98be132c8

SHA512
e594578a87b3824c47185e297a2cbc183bd63fdb25c83227559e731d3152b0bf666e71aac51fa17455f0c430d551bfaf594d1598f8252a7f080c9d927b125e5f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.1MB

MD5
0a61eaac0b5a340d602866709ec67d3f

SHA1
fae8fda61fcedb0b9c95a502accef9c65373772b

SHA256
9211e26e4f17372b886d95c3d5e05415865b803ebdf262a3fa5139ba06cec2b5

SHA512
500e4d43625fa923fb6d9df510db0381b58ac23b5282c48676a5cee518bdfc40f1bfe31a94868886699bcdda6df667ad1329962c2f5fe3e224b147c729c02250

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
211.2MB

MD5
b3687e6bff3a60d13c49765e31baebcb

SHA1
4f1b4a5b1940c20c55d766d8894bee675ec1e96a

SHA256
e57671e57d66b6a2a5efa573036379dc1f1dc4bb197fa7249b1ddf5697ff1d17

SHA512
fb5ffa73c7ad72a71734385ad19432045d6b9664ff2f1e0f174763c44c7ece82a8dbf9abb7d0835cfac9ba876b23386e5ef9f41a4a5d354299301341df8e46d1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
230.2MB

MD5
8e591699358113dcd597b534225591bc

SHA1
a1ca2b4e714d110c0e8cff7cb57be9e2ea5af0b1

SHA256
deb95d519d56627049fd80c30ffd5aa8255c2cc636fa5e2236907ef98be132c8

SHA512
e594578a87b3824c47185e297a2cbc183bd63fdb25c83227559e731d3152b0bf666e71aac51fa17455f0c430d551bfaf594d1598f8252a7f080c9d927b125e5f

Download Submit
memory/436-78-0x000000006FCD0000-0x000000007027B000-memory.dmp

Filesize
5.7MB

Download
memory/1696-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-100-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1696-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1708-56-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1796-76-0x0000000005370000-0x00000000054E2000-memory.dmp

Filesize
1.4MB

Download
memory/1796-66-0x0000000006440000-0x00000000067E0000-memory.dmp

Filesize
3.6MB

Download
memory/1796-65-0x0000000000C00000-0x0000000001374000-memory.dmp

Filesize
7.5MB

Download
memory/2028-71-0x000000006FF90000-0x000000007053B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-69-0x000000006FF90000-0x000000007053B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-70-0x000000006FF90000-0x000000007053B000-memory.dmp

Filesize
5.7MB

Download