aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
100s
max time network
105s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/2040-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1932	voiceadequovl.exe
2040	voiceadequovl.exe
1692	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1932	voiceadequovl.exe
1932	voiceadequovl.exe
1932	voiceadequovl.exe
1932	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1692	2040	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1612	powershell.exe
1196	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	voiceadequovl.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	1180	wmic.exe
Token: SeSecurityPrivilege	1180	wmic.exe
Token: SeTakeOwnershipPrivilege	1180	wmic.exe
Token: SeLoadDriverPrivilege	1180	wmic.exe
Token: SeSystemProfilePrivilege	1180	wmic.exe
Token: SeSystemtimePrivilege	1180	wmic.exe
Token: SeProfSingleProcessPrivilege	1180	wmic.exe
Token: SeIncBasePriorityPrivilege	1180	wmic.exe
Token: SeCreatePagefilePrivilege	1180	wmic.exe
Token: SeBackupPrivilege	1180	wmic.exe
Token: SeRestorePrivilege	1180	wmic.exe
Token: SeShutdownPrivilege	1180	wmic.exe
Token: SeDebugPrivilege	1180	wmic.exe
Token: SeSystemEnvironmentPrivilege	1180	wmic.exe
Token: SeRemoteShutdownPrivilege	1180	wmic.exe
Token: SeUndockPrivilege	1180	wmic.exe
Token: SeManageVolumePrivilege	1180	wmic.exe
Token: 33	1180	wmic.exe
Token: 34	1180	wmic.exe
Token: 35	1180	wmic.exe
Token: SeIncreaseQuotaPrivilege	1180	wmic.exe
Token: SeSecurityPrivilege	1180	wmic.exe
Token: SeTakeOwnershipPrivilege	1180	wmic.exe
Token: SeLoadDriverPrivilege	1180	wmic.exe
Token: SeSystemProfilePrivilege	1180	wmic.exe
Token: SeSystemtimePrivilege	1180	wmic.exe
Token: SeProfSingleProcessPrivilege	1180	wmic.exe
Token: SeIncBasePriorityPrivilege	1180	wmic.exe
Token: SeCreatePagefilePrivilege	1180	wmic.exe
Token: SeBackupPrivilege	1180	wmic.exe
Token: SeRestorePrivilege	1180	wmic.exe
Token: SeShutdownPrivilege	1180	wmic.exe
Token: SeDebugPrivilege	1180	wmic.exe
Token: SeSystemEnvironmentPrivilege	1180	wmic.exe
Token: SeRemoteShutdownPrivilege	1180	wmic.exe
Token: SeUndockPrivilege	1180	wmic.exe
Token: SeManageVolumePrivilege	1180	wmic.exe
Token: 33	1180	wmic.exe
Token: 34	1180	wmic.exe
Token: 35	1180	wmic.exe
Token: SeIncreaseQuotaPrivilege	1948	WMIC.exe
Token: SeSecurityPrivilege	1948	WMIC.exe
Token: SeTakeOwnershipPrivilege	1948	WMIC.exe
Token: SeLoadDriverPrivilege	1948	WMIC.exe
Token: SeSystemProfilePrivilege	1948	WMIC.exe
Token: SeSystemtimePrivilege	1948	WMIC.exe
Token: SeProfSingleProcessPrivilege	1948	WMIC.exe
Token: SeIncBasePriorityPrivilege	1948	WMIC.exe
Token: SeCreatePagefilePrivilege	1948	WMIC.exe
Token: SeBackupPrivilege	1948	WMIC.exe
Token: SeRestorePrivilege	1948	WMIC.exe
Token: SeShutdownPrivilege	1948	WMIC.exe
Token: SeDebugPrivilege	1948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1948	WMIC.exe
Token: SeRemoteShutdownPrivilege	1948	WMIC.exe
Token: SeUndockPrivilege	1948	WMIC.exe
Token: SeManageVolumePrivilege	1948	WMIC.exe
Token: 33	1948	WMIC.exe
Token: 34	1948	WMIC.exe
Token: 35	1948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1948	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1932	1568	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1568 wrote to memory of 1932	1568	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1568 wrote to memory of 1932	1568	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1568 wrote to memory of 1932	1568	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1932 wrote to memory of 2040	1932	voiceadequovl.exe	28
PID 1932 wrote to memory of 2040	1932	voiceadequovl.exe	28
PID 1932 wrote to memory of 2040	1932	voiceadequovl.exe	28
PID 1932 wrote to memory of 2040	1932	voiceadequovl.exe	28
PID 2040 wrote to memory of 1612	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 1612	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 1612	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 1612	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 1336	2040	voiceadequovl.exe	31
PID 2040 wrote to memory of 1336	2040	voiceadequovl.exe	31
PID 2040 wrote to memory of 1336	2040	voiceadequovl.exe	31
PID 2040 wrote to memory of 1336	2040	voiceadequovl.exe	31
PID 1336 wrote to memory of 1196	1336	cmd.exe	33
PID 1336 wrote to memory of 1196	1336	cmd.exe	33
PID 1336 wrote to memory of 1196	1336	cmd.exe	33
PID 1336 wrote to memory of 1196	1336	cmd.exe	33
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 2040 wrote to memory of 1692	2040	voiceadequovl.exe	34
PID 1692 wrote to memory of 1180	1692	voiceadequovl.exe	35
PID 1692 wrote to memory of 1180	1692	voiceadequovl.exe	35
PID 1692 wrote to memory of 1180	1692	voiceadequovl.exe	35
PID 1692 wrote to memory of 1180	1692	voiceadequovl.exe	35
PID 1692 wrote to memory of 1576	1692	voiceadequovl.exe	39
PID 1692 wrote to memory of 1576	1692	voiceadequovl.exe	39
PID 1692 wrote to memory of 1576	1692	voiceadequovl.exe	39
PID 1692 wrote to memory of 1576	1692	voiceadequovl.exe	39
PID 1576 wrote to memory of 1948	1576	cmd.exe	40
PID 1576 wrote to memory of 1948	1576	cmd.exe	40
PID 1576 wrote to memory of 1948	1576	cmd.exe	40
PID 1576 wrote to memory of 1948	1576	cmd.exe	40
PID 1692 wrote to memory of 1568	1692	voiceadequovl.exe	42
PID 1692 wrote to memory of 1568	1692	voiceadequovl.exe	42
PID 1692 wrote to memory of 1568	1692	voiceadequovl.exe	42
PID 1692 wrote to memory of 1568	1692	voiceadequovl.exe	42
PID 1568 wrote to memory of 1776	1568	cmd.exe	43
PID 1568 wrote to memory of 1776	1568	cmd.exe	43
PID 1568 wrote to memory of 1776	1568	cmd.exe	43
PID 1568 wrote to memory of 1776	1568	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
302.2MB

MD5
583a9857fbf0b0fbd2f0f890404b146f

SHA1
97d06409be8bf0e717cdc97646cba09d0b3fb505

SHA256
a43d04f96f98f189b76330b20645d400ff6944b998867ceabf96e4f4cbee3881

SHA512
23fce96fed753c591dd2594f19dc7f47eea110d21732b62d06ff677f566b8db3a7715ff24c8f787a4d6ea92f90a499efc90405f34569124895089224ab0ff431

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
301.3MB

MD5
d76efe2152d9e5acc370a555db003d74

SHA1
0bc4a2f606d382aed02816d526cf10ddc495034a

SHA256
05c59cc9676a6faf42ce92056bec1d43cc543b7b53d951485dd600f1bbdf4643

SHA512
1c251cdd98b4884ede1ebd1cfd72d9759ec63fd3df55a45035cc5dc4569ee9b689b42ed39738dafb01f00f6056ba7130009001d1a14202cfd7898b1ff5219fc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a2b87b94c82ad2cc146aa0cc7ff4ceb6

SHA1
d0a1e792e99dff1ba8e264a799a520326ca69b53

SHA256
53aa11b91f65610c1e0d97632f424fd2effe99bf80f1341ea771c61f6fbe48e3

SHA512
d14d11fef96d5a7fd972acc6180ebaac53262f704cd14df4c53647a776ccd2bb0eb58af697d969218f17dd577d5bb1b2f9b070ccc7060e4ba668cf7be1f9d41f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
222.9MB

MD5
5b8ad212f44cf3ad115496eb048af447

SHA1
868bc103d9ec8455e65ae53612c3847af05191ef

SHA256
d6a66d45c60bbe33a27e28431944a833e443b68ab3addd0be80a18d5953c6cfc

SHA512
4f62b503e6c76667a6c99bd00933354c4ae789902eeb8cc72d071772c4a87bb532994d4c3edfef0e288ab96e24d9bca0b57768b8fe10fc1b182d4a5994b7a8ff

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
209.6MB

MD5
0003a74141cee1fa186a9c2ac982274c

SHA1
533f3373aa433045d2d92cd279a11e844f4c3488

SHA256
9330b3227eeef4b70d026ba9ca0a8366a0c1eee419908b8da89c6abf384ef79f

SHA512
f6975abf234da840f40dbdda9f52252e874b0080d1a476f2a3e46890ff177f6804d7c5eab2e2ce4e9b783e052ab2926c4f29c5f4b4f785e9b5f6dbb4aa0031bc

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
93.9MB

MD5
386b0672384a225dc2f5fe85c9bbc14e

SHA1
d8044eedbb60f2695c6aed059b084cbfdc8a609e

SHA256
c73679ffa6e993ba6efa1f477a78b7f2a623f217b0fce12a8178e8d23ba41f14

SHA512
231cf7594f4b37056dde6707c54472f838fab81a941045600baed293f62fc38d84f3cc887ed745f0a459ffd4a31cef3878b2d9e269cfef9098f566cd261eee68

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
218.0MB

MD5
a22a5751f3aa2eae28d5dab239056219

SHA1
bbc115343ebdd66292144ba528b42c8a521af354

SHA256
6b76cd6e00b58c0bd7fd117e3c86caaa78e69e93067108d37ba10b70ce736402

SHA512
fa9d57e9856dc3e48edc8bf2f0bdc79b6cc6ee2d770405d4f29063875633b1e99fa925fe5b9aca235eccefa3c163da2febcece7bc0610ede6f4d351f2cb6b557

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
217.1MB

MD5
93ff16d788397f804bc815d1c803592d

SHA1
b67fadd613456dc08f75a4a2747d79a06d9ab985

SHA256
a58c880aefacb5c5e1442077f8f272c47a6f9a53a44dd5581814417952bf484e

SHA512
4c25e1ddfe2824111885db69f3b50e71fe440623d88dd064dbf34eccfc34375145ab900b29572acab3ec6df2eddb59e25190fd0c92eba8f797c935cdead01f94

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
193.0MB

MD5
8bac2afd16a17bf428e35295cc47c9db

SHA1
46fa2a38694fd9853c3700f15fc058789d6a8334

SHA256
098097e59c2df893fb5c58646f1c6a65ea8e53214423d1eec879a7c330eaa0e2

SHA512
f642f289121cdbe17c358af7207d02b91de27d5d4a92954d48f82acee1fd4294067d243873f9d05472b95e0c3adb73b1997109262988b737d78b1bc168647252

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
222.1MB

MD5
2a156441132081e393bad29e252275e3

SHA1
9add153e38195bd3c1846e8fc2024e2588252c0b

SHA256
fdcf8add8146e09b0d7ab104892092c778333731a187c00e09f6aa11e78530a2

SHA512
29ec46a74b8466d10f401a085f19baa01c2bb97009e94a48bb69a119ab7d810570829b6cad394a2a46917e2c44e5300a5125b5ca7b255b15cab7ea7d07102d06

Download Submit
memory/1196-94-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/1196-93-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-69-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-70-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/1612-71-0x0000000070310000-0x00000000708BB000-memory.dmp

Filesize
5.7MB

Download
memory/1692-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1692-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1932-56-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/2040-65-0x00000000011D0000-0x0000000001944000-memory.dmp

Filesize
7.5MB

Download
memory/2040-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download
memory/2040-74-0x00000000054D0000-0x0000000005642000-memory.dmp

Filesize
1.4MB

Download