aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
97s
max time network
102s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1752-66-0x0000000006460000-0x0000000006800000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
2028	voiceadequovl.exe
1752	voiceadequovl.exe
1616	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1616	1752	voiceadequovl.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1056	powershell.exe
1548	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	voiceadequovl.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeIncreaseQuotaPrivilege	1824	wmic.exe
Token: SeSecurityPrivilege	1824	wmic.exe
Token: SeTakeOwnershipPrivilege	1824	wmic.exe
Token: SeLoadDriverPrivilege	1824	wmic.exe
Token: SeSystemProfilePrivilege	1824	wmic.exe
Token: SeSystemtimePrivilege	1824	wmic.exe
Token: SeProfSingleProcessPrivilege	1824	wmic.exe
Token: SeIncBasePriorityPrivilege	1824	wmic.exe
Token: SeCreatePagefilePrivilege	1824	wmic.exe
Token: SeBackupPrivilege	1824	wmic.exe
Token: SeRestorePrivilege	1824	wmic.exe
Token: SeShutdownPrivilege	1824	wmic.exe
Token: SeDebugPrivilege	1824	wmic.exe
Token: SeSystemEnvironmentPrivilege	1824	wmic.exe
Token: SeRemoteShutdownPrivilege	1824	wmic.exe
Token: SeUndockPrivilege	1824	wmic.exe
Token: SeManageVolumePrivilege	1824	wmic.exe
Token: 33	1824	wmic.exe
Token: 34	1824	wmic.exe
Token: 35	1824	wmic.exe
Token: SeIncreaseQuotaPrivilege	1824	wmic.exe
Token: SeSecurityPrivilege	1824	wmic.exe
Token: SeTakeOwnershipPrivilege	1824	wmic.exe
Token: SeLoadDriverPrivilege	1824	wmic.exe
Token: SeSystemProfilePrivilege	1824	wmic.exe
Token: SeSystemtimePrivilege	1824	wmic.exe
Token: SeProfSingleProcessPrivilege	1824	wmic.exe
Token: SeIncBasePriorityPrivilege	1824	wmic.exe
Token: SeCreatePagefilePrivilege	1824	wmic.exe
Token: SeBackupPrivilege	1824	wmic.exe
Token: SeRestorePrivilege	1824	wmic.exe
Token: SeShutdownPrivilege	1824	wmic.exe
Token: SeDebugPrivilege	1824	wmic.exe
Token: SeSystemEnvironmentPrivilege	1824	wmic.exe
Token: SeRemoteShutdownPrivilege	1824	wmic.exe
Token: SeUndockPrivilege	1824	wmic.exe
Token: SeManageVolumePrivilege	1824	wmic.exe
Token: 33	1824	wmic.exe
Token: 34	1824	wmic.exe
Token: 35	1824	wmic.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 980 wrote to memory of 2028	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2028 wrote to memory of 1752	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1752	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1752	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 1752	2028	voiceadequovl.exe	29
PID 1752 wrote to memory of 1056	1752	voiceadequovl.exe	30
PID 1752 wrote to memory of 1056	1752	voiceadequovl.exe	30
PID 1752 wrote to memory of 1056	1752	voiceadequovl.exe	30
PID 1752 wrote to memory of 1056	1752	voiceadequovl.exe	30
PID 1752 wrote to memory of 880	1752	voiceadequovl.exe	32
PID 1752 wrote to memory of 880	1752	voiceadequovl.exe	32
PID 1752 wrote to memory of 880	1752	voiceadequovl.exe	32
PID 1752 wrote to memory of 880	1752	voiceadequovl.exe	32
PID 880 wrote to memory of 1548	880	cmd.exe	34
PID 880 wrote to memory of 1548	880	cmd.exe	34
PID 880 wrote to memory of 1548	880	cmd.exe	34
PID 880 wrote to memory of 1548	880	cmd.exe	34
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1752 wrote to memory of 1616	1752	voiceadequovl.exe	35
PID 1616 wrote to memory of 1824	1616	voiceadequovl.exe	36
PID 1616 wrote to memory of 1824	1616	voiceadequovl.exe	36
PID 1616 wrote to memory of 1824	1616	voiceadequovl.exe	36
PID 1616 wrote to memory of 1824	1616	voiceadequovl.exe	36
PID 1616 wrote to memory of 1964	1616	voiceadequovl.exe	39
PID 1616 wrote to memory of 1964	1616	voiceadequovl.exe	39
PID 1616 wrote to memory of 1964	1616	voiceadequovl.exe	39
PID 1616 wrote to memory of 1964	1616	voiceadequovl.exe	39
PID 1964 wrote to memory of 1712	1964	cmd.exe	41
PID 1964 wrote to memory of 1712	1964	cmd.exe	41
PID 1964 wrote to memory of 1712	1964	cmd.exe	41
PID 1964 wrote to memory of 1712	1964	cmd.exe	41
PID 1616 wrote to memory of 2004	1616	voiceadequovl.exe	42
PID 1616 wrote to memory of 2004	1616	voiceadequovl.exe	42
PID 1616 wrote to memory of 2004	1616	voiceadequovl.exe	42
PID 1616 wrote to memory of 2004	1616	voiceadequovl.exe	42
PID 2004 wrote to memory of 1364	2004	cmd.exe	44
PID 2004 wrote to memory of 1364	2004	cmd.exe	44
PID 2004 wrote to memory of 1364	2004	cmd.exe	44
PID 2004 wrote to memory of 1364	2004	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:1364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cc1f3ca48a90a45d09ca6d64da3ee160

SHA1
bf2eb1a830bd830ae4a83ed3df2662342c4faf90

SHA256
d39797cd724022506123c334525a29cda727deb5e512be2815834aa4e3ae2509

SHA512
14ea7c60259ebeeea0b5670edf15f7de1c6415feeb0bce6ab86775b0d15d9b35c67206c69b7eae63d8f7442faa47d37a666caf60ceebb1b28d6eb3235ac344d4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
354.0MB

MD5
0589744e604dab45cffdf069f9dddfde

SHA1
6accbe590a5ed0bf2533df97e454660d1d5bc6ab

SHA256
9f4189ebb408e1b8000c1708176c5af80bbc2cd958d5e6b66968390973f5903a

SHA512
d6bb588ca4fc07ffa8fb8a7bb975958c3484e2a86b2f999243674e66dd94cc89281c60eca1918aa42a6f9f32508c483aad16af6112054c44c288c0d470dbad40

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
360.0MB

MD5
af5700b9d67adf5b23c173a43e047eaa

SHA1
bda403b54a84b931603d2f4acd45fb0f307badf7

SHA256
efedadf5dddacb6eb4e4d31100213f9fea3a6ca959c4854778381235dafb359a

SHA512
f187b3bfbdcbe77a54d3b80f7141f0fbacfb35d06eb8d0e3bc39695ded83e02d220f67685e4c06d572fa617e8d92247ee45aad38cfffd16050a8ebe5e9402bea

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
191.4MB

MD5
e0cbbf3cef6a47c4c4d004eb986a4589

SHA1
7a220e8a2c2e0261e97178fc25c2b8bf97bda574

SHA256
9916db0ceac052be2a84763eae443e4d67cff4d138c51e9dcfaae69e92a2304c

SHA512
e7a56b15029f4735522c095648d084aa9fe2ece783b1043f1003946f705f67077c6a58e55d518cd5b4488e8491d63be1b0661000802511f7fa16f02608b4af29

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
356.9MB

MD5
59b596bf09f3ae0a0a79834d4cc5277b

SHA1
d21bd330e29bff58e29515b36d88728e8e855eb4

SHA256
54b216b3d8e336b04664f77db9faf5b62d5e15b49b94583b4e971f4e220b2f11

SHA512
4c1fc8606f4074f84b4d3161aab76ee481ab363d07523489699a8d8333ba16ae3a26d0680c7430a12f4febfe0143b36f7be8f0638109354fdb693b654bf1bd56

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
355.8MB

MD5
c08c12cc0ea770f1242723ed94f8de1e

SHA1
678e1b6cf8b521c3fcd6fb3ac59d562299bb9d63

SHA256
6512e71dd3ebe2a92a6578ff90c126b27872fbc23313f7ee8c8b21624f646720

SHA512
1f43a9118249833766ff697023795010acb5e406f0a11a0b8a20c8144c706092d8b155c37a52d5285e6d411345531d29045724b9b1eedd9441472ea5e5ebd222

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
349.4MB

MD5
019e6ce55e3522204e1c3ab4dc65add8

SHA1
4f366e1341df8f2e2e1083c848c7cc9a6ec06920

SHA256
03d99fa1dc2fe81d09ef92450e0fcbb55aef86f7bba0b34b95eee7c314275e17

SHA512
fccaafc225781e88567d42f99bd40acd1dc6a911fcbb3bbf9ea2fee70c6d7f96c540a419d34d31c43c4e2d61aa7a4fb13afac11bdfdc89eb67c011aa87106a0d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
358.2MB

MD5
615a0b521ef5882a3089da98f8420dea

SHA1
9bf4dee8f990674cfcf2bc693113ba47ddf4f66a

SHA256
b80d81e9b1e41e0257b357ff475b26e3b3eb642954112e43631b941d5e1be896

SHA512
bc52f3edd5b070b20c5d68c202d58dff0a877ff5d7f82fc8bf37b21d4aa2c6281eb6dfed2995b560bcbeb0b8c54b6400d2108b3534b9502235f085ba05549cd8

Download Submit
memory/1056-70-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-71-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/1056-69-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-95-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/1548-83-0x000000006F1A0000-0x000000006F74B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-94-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1616-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1752-66-0x0000000006460000-0x0000000006800000-memory.dmp

Filesize
3.6MB

Download
memory/1752-73-0x0000000005330000-0x00000000054A2000-memory.dmp

Filesize
1.4MB

Download
memory/1752-65-0x0000000001200000-0x0000000001974000-memory.dmp

Filesize
7.5MB

Download
memory/2028-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download