aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
79s
max time network
83s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/912-66-0x00000000064B0000-0x0000000006850000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1324	voiceadequovl.exe
912	voiceadequovl.exe
1776	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1324	voiceadequovl.exe
1324	voiceadequovl.exe
1324	voiceadequovl.exe
1324	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 912 set thread context of 1776	912	voiceadequovl.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
304	powershell.exe
240	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	voiceadequovl.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	240	powershell.exe
Token: SeIncreaseQuotaPrivilege	1992	wmic.exe
Token: SeSecurityPrivilege	1992	wmic.exe
Token: SeTakeOwnershipPrivilege	1992	wmic.exe
Token: SeLoadDriverPrivilege	1992	wmic.exe
Token: SeSystemProfilePrivilege	1992	wmic.exe
Token: SeSystemtimePrivilege	1992	wmic.exe
Token: SeProfSingleProcessPrivilege	1992	wmic.exe
Token: SeIncBasePriorityPrivilege	1992	wmic.exe
Token: SeCreatePagefilePrivilege	1992	wmic.exe
Token: SeBackupPrivilege	1992	wmic.exe
Token: SeRestorePrivilege	1992	wmic.exe
Token: SeShutdownPrivilege	1992	wmic.exe
Token: SeDebugPrivilege	1992	wmic.exe
Token: SeSystemEnvironmentPrivilege	1992	wmic.exe
Token: SeRemoteShutdownPrivilege	1992	wmic.exe
Token: SeUndockPrivilege	1992	wmic.exe
Token: SeManageVolumePrivilege	1992	wmic.exe
Token: 33	1992	wmic.exe
Token: 34	1992	wmic.exe
Token: 35	1992	wmic.exe
Token: SeIncreaseQuotaPrivilege	1992	wmic.exe
Token: SeSecurityPrivilege	1992	wmic.exe
Token: SeTakeOwnershipPrivilege	1992	wmic.exe
Token: SeLoadDriverPrivilege	1992	wmic.exe
Token: SeSystemProfilePrivilege	1992	wmic.exe
Token: SeSystemtimePrivilege	1992	wmic.exe
Token: SeProfSingleProcessPrivilege	1992	wmic.exe
Token: SeIncBasePriorityPrivilege	1992	wmic.exe
Token: SeCreatePagefilePrivilege	1992	wmic.exe
Token: SeBackupPrivilege	1992	wmic.exe
Token: SeRestorePrivilege	1992	wmic.exe
Token: SeShutdownPrivilege	1992	wmic.exe
Token: SeDebugPrivilege	1992	wmic.exe
Token: SeSystemEnvironmentPrivilege	1992	wmic.exe
Token: SeRemoteShutdownPrivilege	1992	wmic.exe
Token: SeUndockPrivilege	1992	wmic.exe
Token: SeManageVolumePrivilege	1992	wmic.exe
Token: 33	1992	wmic.exe
Token: 34	1992	wmic.exe
Token: 35	1992	wmic.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe
Token: SeSecurityPrivilege	1564	WMIC.exe
Token: SeTakeOwnershipPrivilege	1564	WMIC.exe
Token: SeLoadDriverPrivilege	1564	WMIC.exe
Token: SeSystemProfilePrivilege	1564	WMIC.exe
Token: SeSystemtimePrivilege	1564	WMIC.exe
Token: SeProfSingleProcessPrivilege	1564	WMIC.exe
Token: SeIncBasePriorityPrivilege	1564	WMIC.exe
Token: SeCreatePagefilePrivilege	1564	WMIC.exe
Token: SeBackupPrivilege	1564	WMIC.exe
Token: SeRestorePrivilege	1564	WMIC.exe
Token: SeShutdownPrivilege	1564	WMIC.exe
Token: SeDebugPrivilege	1564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1564	WMIC.exe
Token: SeRemoteShutdownPrivilege	1564	WMIC.exe
Token: SeUndockPrivilege	1564	WMIC.exe
Token: SeManageVolumePrivilege	1564	WMIC.exe
Token: 33	1564	WMIC.exe
Token: 34	1564	WMIC.exe
Token: 35	1564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1564	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1324	2012	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2012 wrote to memory of 1324	2012	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2012 wrote to memory of 1324	2012	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 2012 wrote to memory of 1324	2012	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	26
PID 1324 wrote to memory of 912	1324	voiceadequovl.exe	27
PID 1324 wrote to memory of 912	1324	voiceadequovl.exe	27
PID 1324 wrote to memory of 912	1324	voiceadequovl.exe	27
PID 1324 wrote to memory of 912	1324	voiceadequovl.exe	27
PID 912 wrote to memory of 304	912	voiceadequovl.exe	28
PID 912 wrote to memory of 304	912	voiceadequovl.exe	28
PID 912 wrote to memory of 304	912	voiceadequovl.exe	28
PID 912 wrote to memory of 304	912	voiceadequovl.exe	28
PID 912 wrote to memory of 1712	912	voiceadequovl.exe	30
PID 912 wrote to memory of 1712	912	voiceadequovl.exe	30
PID 912 wrote to memory of 1712	912	voiceadequovl.exe	30
PID 912 wrote to memory of 1712	912	voiceadequovl.exe	30
PID 1712 wrote to memory of 240	1712	cmd.exe	32
PID 1712 wrote to memory of 240	1712	cmd.exe	32
PID 1712 wrote to memory of 240	1712	cmd.exe	32
PID 1712 wrote to memory of 240	1712	cmd.exe	32
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 912 wrote to memory of 1776	912	voiceadequovl.exe	33
PID 1776 wrote to memory of 1992	1776	voiceadequovl.exe	34
PID 1776 wrote to memory of 1992	1776	voiceadequovl.exe	34
PID 1776 wrote to memory of 1992	1776	voiceadequovl.exe	34
PID 1776 wrote to memory of 1992	1776	voiceadequovl.exe	34
PID 1776 wrote to memory of 2036	1776	voiceadequovl.exe	37
PID 1776 wrote to memory of 2036	1776	voiceadequovl.exe	37
PID 1776 wrote to memory of 2036	1776	voiceadequovl.exe	37
PID 1776 wrote to memory of 2036	1776	voiceadequovl.exe	37
PID 2036 wrote to memory of 1564	2036	cmd.exe	39
PID 2036 wrote to memory of 1564	2036	cmd.exe	39
PID 2036 wrote to memory of 1564	2036	cmd.exe	39
PID 2036 wrote to memory of 1564	2036	cmd.exe	39
PID 1776 wrote to memory of 1648	1776	voiceadequovl.exe	41
PID 1776 wrote to memory of 1648	1776	voiceadequovl.exe	41
PID 1776 wrote to memory of 1648	1776	voiceadequovl.exe	41
PID 1776 wrote to memory of 1648	1776	voiceadequovl.exe	41
PID 1648 wrote to memory of 1580	1648	cmd.exe	42
PID 1648 wrote to memory of 1580	1648	cmd.exe	42
PID 1648 wrote to memory of 1580	1648	cmd.exe	42
PID 1648 wrote to memory of 1580	1648	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:240
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
185.0MB

MD5
bf9bd28054bbeb5a25fb32b4972d7214

SHA1
3ca243291ab673c4016475df554a1c3e638c07bc

SHA256
2af78b75bf469ff6fa82bd08714dc962a71f68a02b71508ebb92ca85bee3be4b

SHA512
dce57f04d0a120c03ea467f066d23a03065355d1bbcebf3e26187a9d78e2a2b8fc752e875784dd0d88712992665060d29e63ae6d36ee7f0f39e7dc6654db1939

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
181.8MB

MD5
6336dc43809b3a8d622c0b563fe57fc5

SHA1
e8795273f8a563ef2fb017cc13560f422afebbb3

SHA256
8cee8b2088127980dea5b74f1eac6faac1c73bffe069972a6b0629fc21349574

SHA512
8bcfb8f00f532c41dbad1a3622685eb76a4e105041d37a7ad80cd69d6d0bc2e366adde85d53b51cc266d7446e5ab6f536e5e8d509c39ddff7003356656b9310b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
32b447e1a2f7be76cf32e3cd91a61852

SHA1
e774d775f295a9cf80604250900f5b4347688555

SHA256
55877232c9e65977ec7a7e140df7e515b04481293771c25e9885eb8c2e656124

SHA512
0fd83bf9c70e170182044098a716dedc8f1cd14c9d2db4e6734290010d5ac01ac6ef83313ff1ba560cd34db8cf468d62a105d0f05e86f60ad9031adeb1768778

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
174.2MB

MD5
922337c74955b8e68da4c472065311e1

SHA1
93c64db075dec27fd06babe5c26cfbaf7cc54f32

SHA256
ea08e133a62d1f5f360ae8c54f19c4b67b3079e0e0edc3b3c63287586123d805

SHA512
c3b26c34dc220f3e264d8cedd6ac197497f61ff6f9ee955587639c4fc63f01389bd6215373ff97f1aec71e03df8c8e065c465cd0d76fa7c43e1b99f1e0aed0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
178.2MB

MD5
3d7dde2cdf26f939dd1d3c0246bb915c

SHA1
87883de597fa999ecaa79b86717b49c0ddce79c2

SHA256
a7ccdce93cf240b6a9ae76a0712255a550fb800f93797aa0f2591e9f56f0c170

SHA512
c5f18a7260394bf9636f7255cdd42d155cd6d529a9b32e7344a09eea027d39f93ba7ad082d4d5973a459a879d03b6108c1853da272109e430f3c0863b5ef1a58

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
102.4MB

MD5
1ec650b5440db7b987d3433d6bc66397

SHA1
a81addde74f31f44952c64738eaae05a47488cf0

SHA256
3b7cfef4e603f6ff27b323ae562e52daacb896b0b48edafb3cb854b545d7f28e

SHA512
828c9260c2292164aa44d0e95090e6c3a8fae8024f9f1edd6c0468517ebdf59afead911e4334ffa7ddc580a8593f343278f73eab3374a11b86804da404999d12

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
174.7MB

MD5
9bf2388db1f305e519662cc3d4eba454

SHA1
b370d8aa93a58b9ada60d83a45d10d9d03bc3e8c

SHA256
8f712eed16df0ef74728157bfbae899ea32d2fea770679ccb2e2f39f81330184

SHA512
035e7453342b6adae19c99cc6a0b50fb9c8d1c0b7c37c82129fb58a69b96fa6a8f1b0742285031390645b22094645a328ffeef3c759b648451a2d77b5bb983a1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
175.6MB

MD5
6e1448446a800d8a68499b3e24106d8d

SHA1
f95426df9461c15d6900ce7f540eb5e6e55a9b27

SHA256
cad765949cbd8e49610a4f3e84d5656b3154d4ced789761afeae16418fea9bb4

SHA512
a82920a00707bf43f87c9b5d7e5a3711e1550c0ab1fb0dba169f4d220f2335e256ad9e0be9df9347a3de8bf80b5d872ceba89ccaeb2ad92056fc0287c7b74743

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
172.9MB

MD5
028cb6d430cb1562a0dceaad81be77b1

SHA1
65e4f71537c2dcd2d7e4feecd900c740e66cfabb

SHA256
b1d3e246e85d2134da097e8f514a38fe31d75e849e206fcc7ebc948e295c9fe1

SHA512
60cb5dfd37e9b99322894dab9365b153fe686a20fe1f7a6784a3f0ce53037fbbcefb2ffe31a6c466236037146793298b074e4e1200af1f7dd864daec06b08597

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
176.4MB

MD5
09b2a65d66e03e86b4fe8d39fcb58347

SHA1
eaf3e6fac73499d59624d703dccb1a19c9df3529

SHA256
94b33338fda5409802f85c9f5591358767bb83a56636b2b4c8134e0e4e88f8aa

SHA512
07befd09d066875505c357f458d7480537a8e1fda73f7aa2e4ee9eb86724466f60cb08c1496f90cbe8609e7a226b3f650a66e82d1fc8c5a3d928efea1130cc6e

Download Submit
memory/240-78-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/240-94-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/304-69-0x000000006F5B0000-0x000000006FB5B000-memory.dmp

Filesize
5.7MB

Download
memory/304-70-0x000000006F5B0000-0x000000006FB5B000-memory.dmp

Filesize
5.7MB

Download
memory/304-71-0x000000006F5B0000-0x000000006FB5B000-memory.dmp

Filesize
5.7MB

Download
memory/912-66-0x00000000064B0000-0x0000000006850000-memory.dmp

Filesize
3.6MB

Download
memory/912-74-0x00000000052C0000-0x0000000005432000-memory.dmp

Filesize
1.4MB

Download
memory/912-65-0x00000000008A0000-0x0000000001014000-memory.dmp

Filesize
7.5MB

Download
memory/1324-56-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1776-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-79-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1776-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download