aurora | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
68s
max time network
73s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

aurora purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

aurora

45.9.74.11:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/276-66-0x00000000063E0000-0x0000000006780000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
840	voiceadequovl.exe
276	voiceadequovl.exe
1676	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
840	voiceadequovl.exe
840	voiceadequovl.exe
840	voiceadequovl.exe
840	voiceadequovl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 276 set thread context of 1676	276	voiceadequovl.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	powershell.exe
564	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	276	voiceadequovl.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeIncreaseQuotaPrivilege	1100	wmic.exe
Token: SeSecurityPrivilege	1100	wmic.exe
Token: SeTakeOwnershipPrivilege	1100	wmic.exe
Token: SeLoadDriverPrivilege	1100	wmic.exe
Token: SeSystemProfilePrivilege	1100	wmic.exe
Token: SeSystemtimePrivilege	1100	wmic.exe
Token: SeProfSingleProcessPrivilege	1100	wmic.exe
Token: SeIncBasePriorityPrivilege	1100	wmic.exe
Token: SeCreatePagefilePrivilege	1100	wmic.exe
Token: SeBackupPrivilege	1100	wmic.exe
Token: SeRestorePrivilege	1100	wmic.exe
Token: SeShutdownPrivilege	1100	wmic.exe
Token: SeDebugPrivilege	1100	wmic.exe
Token: SeSystemEnvironmentPrivilege	1100	wmic.exe
Token: SeRemoteShutdownPrivilege	1100	wmic.exe
Token: SeUndockPrivilege	1100	wmic.exe
Token: SeManageVolumePrivilege	1100	wmic.exe
Token: 33	1100	wmic.exe
Token: 34	1100	wmic.exe
Token: 35	1100	wmic.exe
Token: SeIncreaseQuotaPrivilege	1100	wmic.exe
Token: SeSecurityPrivilege	1100	wmic.exe
Token: SeTakeOwnershipPrivilege	1100	wmic.exe
Token: SeLoadDriverPrivilege	1100	wmic.exe
Token: SeSystemProfilePrivilege	1100	wmic.exe
Token: SeSystemtimePrivilege	1100	wmic.exe
Token: SeProfSingleProcessPrivilege	1100	wmic.exe
Token: SeIncBasePriorityPrivilege	1100	wmic.exe
Token: SeCreatePagefilePrivilege	1100	wmic.exe
Token: SeBackupPrivilege	1100	wmic.exe
Token: SeRestorePrivilege	1100	wmic.exe
Token: SeShutdownPrivilege	1100	wmic.exe
Token: SeDebugPrivilege	1100	wmic.exe
Token: SeSystemEnvironmentPrivilege	1100	wmic.exe
Token: SeRemoteShutdownPrivilege	1100	wmic.exe
Token: SeUndockPrivilege	1100	wmic.exe
Token: SeManageVolumePrivilege	1100	wmic.exe
Token: 33	1100	wmic.exe
Token: 34	1100	wmic.exe
Token: 35	1100	wmic.exe
Token: SeIncreaseQuotaPrivilege	1340	WMIC.exe
Token: SeSecurityPrivilege	1340	WMIC.exe
Token: SeTakeOwnershipPrivilege	1340	WMIC.exe
Token: SeLoadDriverPrivilege	1340	WMIC.exe
Token: SeSystemProfilePrivilege	1340	WMIC.exe
Token: SeSystemtimePrivilege	1340	WMIC.exe
Token: SeProfSingleProcessPrivilege	1340	WMIC.exe
Token: SeIncBasePriorityPrivilege	1340	WMIC.exe
Token: SeCreatePagefilePrivilege	1340	WMIC.exe
Token: SeBackupPrivilege	1340	WMIC.exe
Token: SeRestorePrivilege	1340	WMIC.exe
Token: SeShutdownPrivilege	1340	WMIC.exe
Token: SeDebugPrivilege	1340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1340	WMIC.exe
Token: SeRemoteShutdownPrivilege	1340	WMIC.exe
Token: SeUndockPrivilege	1340	WMIC.exe
Token: SeManageVolumePrivilege	1340	WMIC.exe
Token: 33	1340	WMIC.exe
Token: 34	1340	WMIC.exe
Token: 35	1340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1340	WMIC.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 840	860	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 860 wrote to memory of 840	860	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 860 wrote to memory of 840	860	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 860 wrote to memory of 840	860	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 840 wrote to memory of 276	840	voiceadequovl.exe	28
PID 840 wrote to memory of 276	840	voiceadequovl.exe	28
PID 840 wrote to memory of 276	840	voiceadequovl.exe	28
PID 840 wrote to memory of 276	840	voiceadequovl.exe	28
PID 276 wrote to memory of 1516	276	voiceadequovl.exe	30
PID 276 wrote to memory of 1516	276	voiceadequovl.exe	30
PID 276 wrote to memory of 1516	276	voiceadequovl.exe	30
PID 276 wrote to memory of 1516	276	voiceadequovl.exe	30
PID 276 wrote to memory of 1012	276	voiceadequovl.exe	31
PID 276 wrote to memory of 1012	276	voiceadequovl.exe	31
PID 276 wrote to memory of 1012	276	voiceadequovl.exe	31
PID 276 wrote to memory of 1012	276	voiceadequovl.exe	31
PID 1012 wrote to memory of 564	1012	cmd.exe	33
PID 1012 wrote to memory of 564	1012	cmd.exe	33
PID 1012 wrote to memory of 564	1012	cmd.exe	33
PID 1012 wrote to memory of 564	1012	cmd.exe	33
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 276 wrote to memory of 1676	276	voiceadequovl.exe	34
PID 1676 wrote to memory of 1100	1676	voiceadequovl.exe	36
PID 1676 wrote to memory of 1100	1676	voiceadequovl.exe	36
PID 1676 wrote to memory of 1100	1676	voiceadequovl.exe	36
PID 1676 wrote to memory of 1100	1676	voiceadequovl.exe	36
PID 1676 wrote to memory of 1632	1676	voiceadequovl.exe	39
PID 1676 wrote to memory of 1632	1676	voiceadequovl.exe	39
PID 1676 wrote to memory of 1632	1676	voiceadequovl.exe	39
PID 1676 wrote to memory of 1632	1676	voiceadequovl.exe	39
PID 1632 wrote to memory of 1340	1632	cmd.exe	40
PID 1632 wrote to memory of 1340	1632	cmd.exe	40
PID 1632 wrote to memory of 1340	1632	cmd.exe	40
PID 1632 wrote to memory of 1340	1632	cmd.exe	40
PID 1676 wrote to memory of 1744	1676	voiceadequovl.exe	41
PID 1676 wrote to memory of 1744	1676	voiceadequovl.exe	41
PID 1676 wrote to memory of 1744	1676	voiceadequovl.exe	41
PID 1676 wrote to memory of 1744	1676	voiceadequovl.exe	41
PID 1744 wrote to memory of 872	1744	cmd.exe	43
PID 1744 wrote to memory of 872	1744	cmd.exe	43
PID 1744 wrote to memory of 872	1744	cmd.exe	43
PID 1744 wrote to memory of 872	1744	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "wmic cpu get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get name
        6⤵
        
        PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
217.4MB

MD5
199eb6947e63125e72f3861b06f6c58b

SHA1
729effef0ce56ca0e5bed1dc546cd7ec473aa8f0

SHA256
de8b9281b731b824ca072b0d3594b4d399b207563d9a3a556336439507029095

SHA512
8d9269b3e3681ef0de77721904212bd701135a9900aa2307ef3caeee41afb62e7f5d38e9f7d24d272bec9ef6164e1b3ffcc817582888677d1b642db5a8a0af6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
202.6MB

MD5
7bfe67bdd2e19278aac743d48a9d490f

SHA1
b599003016541fcb14fff8806f96d1a1d1e8f5ff

SHA256
f70d9790310123c63f315ff17d8abea763198763b44efe9564226de673f91d96

SHA512
1047207a1b76af6f549894791a437158ead2047565ad32496019f176507349d509b20905664fab0cf30fcc27415260a8f8d829323959fb29458dbb35de0636a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c9e95b82778a406da539770b9844b5b8

SHA1
8ce26d06d6b7b5d1eab5697182b873a69d671a00

SHA256
38154ae24c1712776c359ba64407ef747305a4aaa6d8f5730af96831c2a7fd54

SHA512
e631629b44545acbe3e336c5095b149e249ab5a7e34e5b762146727cb89d9849170eac7687d3053aff676c597d89ee3abf15ccde3f98f02387a9558fde3a3464

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
204.6MB

MD5
2d7c3b2f03f46e83d6cb32421e7e2be0

SHA1
0e30533413bf4f235bb32f931c8560818483e17d

SHA256
95ded91f3a43d79f3d151fd8df5d5e36d9b1847ce27714fdb24abdc743c1b106

SHA512
c65ecfcc962122ee94a6afc4fdafb374ccb49ee571d3670694edbf045ff8f8b495a56aa3a609efbb9c75c7527f0687a9e9cb2e67d8841d7ab51949ee7eb0863b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
208.8MB

MD5
f5879abfadd060d8caabc3a158f70540

SHA1
e326e70e265db1b1eef1b9fc1fa8ff577877eebc

SHA256
914dfa77e9ee58454cab5adc48142fbd4b384f44399b10bbd687b392e0f399b4

SHA512
215ac52521976cae98fbb50d23520ab2fe21c5f5bbc381e97cde3d6d9b26bed6cb1864640944a91fa0143a25f4d2518a82ab848e153cc04f2906525be13bc7c8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
148.4MB

MD5
e6316303219e281343685f1643f8a653

SHA1
fb7c692afe8928264732e238a538f832018f198c

SHA256
0f28fb602e7fee95e69322c48cab96c473aea00a879a9e55214af77d4aa5bdf0

SHA512
afd18b9ede2555281e371c89d12390f1c8a730cbc29932e75e18c9c171b6a5731eb9c0d1db83c3d6c86cd42c2da9a666e81cd47c9f8419a069ca55c0762438fc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
207.4MB

MD5
ad3b7071fe2095f7e4ca0dc0c0b8faa1

SHA1
306dd50a0fbd1652afa3d3bf3d71b26c1859026a

SHA256
83fe92bdcf03942e14f99e342c5b9afd1fd93a15799d8ed5677a3d3b2d50fc4a

SHA512
d4ee312c71ed5d3a33a55666d7e6ffbcbf3a4c372097b7eb89ae89cbd3e0b0198e20ae1349c2345a6542f7ca2835697fe6d2473f2a6ed6001971cd5d8b2c7ac8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
204.0MB

MD5
c033cb6da9044f4154da3bcb3387103a

SHA1
a417a88f53e352ece8ef7c0d40b348d7cd784171

SHA256
ef190b960f0ce33ff0ca055efbf400f603c82bb85c5174f1e9cab9fa7d9d6336

SHA512
d8037700d5db9759f46aaa18f0c78ba71ac8d49df36d86adb2ed3026ba0d3dbd45e9659e112b78bc664dde760ab8b07fd89fe6fd66f48bdb4ca2cdcb85d5be04

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
208.8MB

MD5
e7537ddd62b75d68319ca1dfe6b9bf11

SHA1
2cb4a21af1c267fe6d4dba9f69fc98607e87f83b

SHA256
507f603503438e5272cddaf5086586246ab5040dae7e51c47fabcae5a67aec82

SHA512
07d70f19aabb03751d0699309a166d38491d1d4fd57c02ea66f30866ef3139365f11b65b1d93370ed8ebfd2dc8bf78e659cf84575b5a9a52ad35c94e25850c74

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
203.4MB

MD5
4f3b117e33b565f92f03c7e2199c9e1c

SHA1
a2fe077be04913630f2e11624144175540ba1b9d

SHA256
cf8693be97868d6841436f4ee50e81d2d3a66203a81416c9b9a069bb39054340

SHA512
00c2e1038225acf180e65728e851fe04b5cb3cf55c5c76b833a9b97ebb9c4fda3c8e8c385fa861e81b967b630d383b0bdd958edf177b256d15f0f0fdb7738553

Download Submit
memory/276-76-0x00000000052B0000-0x0000000005422000-memory.dmp

Filesize
1.4MB

Download
memory/276-66-0x00000000063E0000-0x0000000006780000-memory.dmp

Filesize
3.6MB

Download
memory/276-65-0x0000000001050000-0x00000000017C4000-memory.dmp

Filesize
7.5MB

Download
memory/564-94-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/564-89-0x000000006F2C0000-0x000000006F86B000-memory.dmp

Filesize
5.7MB

Download
memory/840-56-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1516-70-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-71-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1516-69-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1676-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-87-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-95-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-101-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download