aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
86s
max time network
90s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1744-66-0x0000000006390000-0x0000000006730000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
696	voiceadequovl.exe
1744	voiceadequovl.exe
908	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
696	voiceadequovl.exe
696	voiceadequovl.exe
696	voiceadequovl.exe
696	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 908	1744	voiceadequovl.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
948	powershell.exe
1924	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	voiceadequovl.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeIncreaseQuotaPrivilege	1484	wmic.exe
Token: SeSecurityPrivilege	1484	wmic.exe
Token: SeTakeOwnershipPrivilege	1484	wmic.exe
Token: SeLoadDriverPrivilege	1484	wmic.exe
Token: SeSystemProfilePrivilege	1484	wmic.exe
Token: SeSystemtimePrivilege	1484	wmic.exe
Token: SeProfSingleProcessPrivilege	1484	wmic.exe
Token: SeIncBasePriorityPrivilege	1484	wmic.exe
Token: SeCreatePagefilePrivilege	1484	wmic.exe
Token: SeBackupPrivilege	1484	wmic.exe
Token: SeRestorePrivilege	1484	wmic.exe
Token: SeShutdownPrivilege	1484	wmic.exe
Token: SeDebugPrivilege	1484	wmic.exe
Token: SeSystemEnvironmentPrivilege	1484	wmic.exe
Token: SeRemoteShutdownPrivilege	1484	wmic.exe
Token: SeUndockPrivilege	1484	wmic.exe
Token: SeManageVolumePrivilege	1484	wmic.exe
Token: 33	1484	wmic.exe
Token: 34	1484	wmic.exe
Token: 35	1484	wmic.exe
Token: SeIncreaseQuotaPrivilege	1484	wmic.exe
Token: SeSecurityPrivilege	1484	wmic.exe
Token: SeTakeOwnershipPrivilege	1484	wmic.exe
Token: SeLoadDriverPrivilege	1484	wmic.exe
Token: SeSystemProfilePrivilege	1484	wmic.exe
Token: SeSystemtimePrivilege	1484	wmic.exe
Token: SeProfSingleProcessPrivilege	1484	wmic.exe
Token: SeIncBasePriorityPrivilege	1484	wmic.exe
Token: SeCreatePagefilePrivilege	1484	wmic.exe
Token: SeBackupPrivilege	1484	wmic.exe
Token: SeRestorePrivilege	1484	wmic.exe
Token: SeShutdownPrivilege	1484	wmic.exe
Token: SeDebugPrivilege	1484	wmic.exe
Token: SeSystemEnvironmentPrivilege	1484	wmic.exe
Token: SeRemoteShutdownPrivilege	1484	wmic.exe
Token: SeUndockPrivilege	1484	wmic.exe
Token: SeManageVolumePrivilege	1484	wmic.exe
Token: 33	1484	wmic.exe
Token: 34	1484	wmic.exe
Token: 35	1484	wmic.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 696	1460	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1460 wrote to memory of 696	1460	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1460 wrote to memory of 696	1460	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1460 wrote to memory of 696	1460	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 696 wrote to memory of 1744	696	voiceadequovl.exe	27
PID 696 wrote to memory of 1744	696	voiceadequovl.exe	27
PID 696 wrote to memory of 1744	696	voiceadequovl.exe	27
PID 696 wrote to memory of 1744	696	voiceadequovl.exe	27
PID 1744 wrote to memory of 948	1744	voiceadequovl.exe	29
PID 1744 wrote to memory of 948	1744	voiceadequovl.exe	29
PID 1744 wrote to memory of 948	1744	voiceadequovl.exe	29
PID 1744 wrote to memory of 948	1744	voiceadequovl.exe	29
PID 1744 wrote to memory of 776	1744	voiceadequovl.exe	30
PID 1744 wrote to memory of 776	1744	voiceadequovl.exe	30
PID 1744 wrote to memory of 776	1744	voiceadequovl.exe	30
PID 1744 wrote to memory of 776	1744	voiceadequovl.exe	30
PID 776 wrote to memory of 1924	776	cmd.exe	32
PID 776 wrote to memory of 1924	776	cmd.exe	32
PID 776 wrote to memory of 1924	776	cmd.exe	32
PID 776 wrote to memory of 1924	776	cmd.exe	32
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 1744 wrote to memory of 908	1744	voiceadequovl.exe	33
PID 908 wrote to memory of 1484	908	voiceadequovl.exe	34
PID 908 wrote to memory of 1484	908	voiceadequovl.exe	34
PID 908 wrote to memory of 1484	908	voiceadequovl.exe	34
PID 908 wrote to memory of 1484	908	voiceadequovl.exe	34
PID 908 wrote to memory of 1452	908	voiceadequovl.exe	39
PID 908 wrote to memory of 1452	908	voiceadequovl.exe	39
PID 908 wrote to memory of 1452	908	voiceadequovl.exe	39
PID 908 wrote to memory of 1452	908	voiceadequovl.exe	39
PID 1452 wrote to memory of 1712	1452	cmd.exe	38
PID 1452 wrote to memory of 1712	1452	cmd.exe	38
PID 1452 wrote to memory of 1712	1452	cmd.exe	38
PID 1452 wrote to memory of 1712	1452	cmd.exe	38
PID 908 wrote to memory of 1336	908	voiceadequovl.exe	41
PID 908 wrote to memory of 1336	908	voiceadequovl.exe	41
PID 908 wrote to memory of 1336	908	voiceadequovl.exe	41
PID 908 wrote to memory of 1336	908	voiceadequovl.exe	41
PID 1336 wrote to memory of 1108	1336	cmd.exe	42
PID 1336 wrote to memory of 1108	1336	cmd.exe	42
PID 1336 wrote to memory of 1108	1336	cmd.exe	42
PID 1336 wrote to memory of 1108	1336	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:948
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:908
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1452
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1108

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
132.2MB

MD5
eab5cef8105b7fcda26f350e49b94491

SHA1
876746bb2c58a35307c2739866e7226b4486f51c

SHA256
9b9a9804c12a27b18365bf4fd4cfaa3c3ce0b6be36c1ce09fd7711a117efb888

SHA512
9502febfdad00a5565919cc0c60fc049d0162de0308f1a2a174f91152c892085475ae3328a3be922957141b8c0a7b5f37f67904488d483a6b1087cb482c6bd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
128.6MB

MD5
9850956ff9ed10ed32d3deb2476dc1dd

SHA1
8ca10127c7c6f30a622941e09ae81c19d4a9732e

SHA256
532f1c59a5d41f13e5711ece51596c0210e74339fc084e85adcce7b1791034e0

SHA512
5c23abc8bb23ae891e749642fbd1a9648b4b724d3957decb640b49df73b5abea0b4b331d3224585c249f33d3a7aaa7dd3e2293add08282739e820158fbd352c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
879016125cb28e093ee3751f03d22ef9

SHA1
425153a88493926c257b823f320f6cd95dd2fee8

SHA256
ada9252f6b07bfa59f8763b17597fc445c86b92fc9b232ab626c26ed9fdb52ae

SHA512
d4d7aa4eadd348e7cb9ce9960267e6d87ef3bee6743a02f420a541b020fa34e981a2854fb17c6fdfdaaa5fba1e2143f6b220bf42f57aba2fec70d2880c85631f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
127.6MB

MD5
2a8309212c75cf61083fecd055b3abfe

SHA1
49c92d345fc03e59ea3537d40168b237065d7796

SHA256
73fe0ada5f76a53d0866905ad613cec50eafa98be4e7f28cacb996cbe3fb1256

SHA512
f741894e8e124e967c1a71ee6a9e5d7649074934f77dbe3d6517b5f83ce14b3e201e4582d19fe9edf24ba52ff4358884258c4c51b58755b578b351a6b30d832e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
122.9MB

MD5
c6eedd8ce5f6401eb66bd32ded16413e

SHA1
ea54e7f31e273fd6dd7782bb2055d710e15ae73a

SHA256
48e9dddfcfa579d090545ef250cab2ffc05cba63d0b84719eb1cc7c09d943986

SHA512
6c854e65a74acf402c577ea0800b01ceb6ef8e447043c2d8c279552899c034e43ba86c2fc60f51df13e80a669618fb95af64cffef0b78cdf7add8d9664e3c2e2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
84.2MB

MD5
5423a9cea29934b85298e62a6d69dd31

SHA1
c97723979917928e457b5b7c0d3cea1c2b79ea96

SHA256
894e10983a62b95126f3893f357e907bca689c6dc9697961ab25701afb299fb9

SHA512
ba52ecb54b82f9935063e520629293598436b3fba795646d0a0ae0a54f91083826f19d7ae5cd6b5b6ee161a7ae15edadabc928558be2fea8f693208a375012b7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
125.4MB

MD5
4fe84ee974ba533e55467ca4b0bfa5a2

SHA1
86c7385de7aa8924d4c6a4c159d9ccf4d5eb1b5e

SHA256
6f74433485d795b248d1a4f9b8861495857e65acc31549685e41b9576d491aca

SHA512
8362ea2745be9c80e886750b69c1e3540bbba669c7847880378b7fa80102b281fcb20a520b62a61a968a853861a9a4bb04d075f5a16efb6b0fd8fab2ebbe3918

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
124.6MB

MD5
702908051de48336770ce1f4009284a3

SHA1
f84296fdc9b4b2e61fb24b889ecfbc722ad16990

SHA256
c846ff40e75615bbca88ce9c77006f4ad278ba4e1d213edb8994076a2eaca8a4

SHA512
0d33f9f4a190b4b3a1153ab2cb7fa7f4b4dbe2fbe1607ab071dc43e32b6eef3df49ee8fa478b4d0dc22fcdca7111ea4f95d20f9042aaffee799937133d2fb1a6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
124.7MB

MD5
e4463e48bbe5c9fbd580973809932d7b

SHA1
12cc01d93441d348ef5167935ace0c987141ae68

SHA256
d398c28e782acefd9270c13d0bfdb071e60d839355f10497a06d2d1dd85fd9c0

SHA512
619f9c1cfa1c4cd47607e575ab9b7338bc57984f633c07e4da54dcba524781372d197f996724623bbb241e31ac08d18b3f163e72db9a26c2d4eb806ff39efae9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
125.3MB

MD5
f273c9a77bb9e2ef4728dbc902796bcc

SHA1
ba8251f9ebe19d5cecb113346677a1b96430d369

SHA256
5d52573fdef13c9bba35daed2307bd2ea9173afe90a909d68c0a5e40fa9a5d2a

SHA512
f133709e05a0d7ac6e47422687ea7a0abedf623c750afada577f1e2f0ab05a2dd62857883be7fa95b69a4c15f711348e7c07a92013337ff602aa126422f1d949

Download Submit
memory/696-56-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/908-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/908-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/948-69-0x000000006FD00000-0x00000000702AB000-memory.dmp

Filesize
5.7MB

Download
memory/948-71-0x000000006FD00000-0x00000000702AB000-memory.dmp

Filesize
5.7MB

Download
memory/948-70-0x000000006FD00000-0x00000000702AB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-74-0x00000000053E0000-0x0000000005552000-memory.dmp

Filesize
1.4MB

Download
memory/1744-66-0x0000000006390000-0x0000000006730000-memory.dmp

Filesize
3.6MB

Download
memory/1744-65-0x00000000010A0000-0x0000000001814000-memory.dmp

Filesize
7.5MB

Download
memory/1924-93-0x000000006FCC0000-0x000000007026B000-memory.dmp

Filesize
5.7MB

Download
memory/1924-95-0x000000006FCC0000-0x000000007026B000-memory.dmp

Filesize
5.7MB

Download