purecrypter | 73d448c429921a844a556fb0d5addc6af5bab77842fddb4782cbbd18086995ec

General

Target

77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe
Size

44KB
MD5

54b04c4846fab92642827b0d8fa86474
SHA1

7292d1728cc295f12c0dcb76570f3bc4d63d0a8e
SHA256

77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e
SHA512

ef43bd4fa008f5bad4bd8368801c3bbbaa2cd3b0cdd38d9a8e4b3d4115df389d0b474d83878d9fdb25d7cc43d18d99c20e3fc246429b7609e72bb9ea21f7ef44
SSDEEP

192:wijBJmGQCBff2YnZx9Km4JCSYx8tfMHHoYYwOJ4etAEdKdO58rLGgi47sZXCBeOj:wGaKnZmHG8tUHHojSe3iV9qXBKmAY

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

C2

https://cesarsoriano.pe/wp-content/uploads/Tfykjvlwy.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 4056	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4260	ipconfig.exe
2240	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4244	powershell.exe
4244	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe
Token: SeDebugPrivilege	4244	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2512	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	86
PID 4604 wrote to memory of 2512	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	86
PID 2512 wrote to memory of 4260	2512	cmd.exe	88
PID 2512 wrote to memory of 4260	2512	cmd.exe	88
PID 4604 wrote to memory of 4244	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	89
PID 4604 wrote to memory of 4244	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	89
PID 4604 wrote to memory of 3708	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	94
PID 4604 wrote to memory of 3708	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	94
PID 3708 wrote to memory of 2240	3708	cmd.exe	96
PID 3708 wrote to memory of 2240	3708	cmd.exe	96
PID 4604 wrote to memory of 4056	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	97
PID 4604 wrote to memory of 4056	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	97
PID 4604 wrote to memory of 4056	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	97
PID 4604 wrote to memory of 4056	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	97
PID 4604 wrote to memory of 4056	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	97
PID 4604 wrote to memory of 4056	4604	77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe	97

C:\Users\Admin\AppData\Local\Temp\77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe
"C:\Users\Admin\AppData\Local\Temp\77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\system32\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:2240
- C:\Users\Admin\AppData\Local\Temp\77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe
  C:\Users\Admin\AppData\Local\Temp\77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe
  2⤵
  PID:4056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\77254af9b820ada0d2f0e274b81dd99279a9a88e2f1b309e99c6399d307ada0e.exe.log

Filesize
1KB

MD5
c0927b4be5caf9046812a992778863ca

SHA1
a649a25bca9c4c8798f2fef76938cbeabe740a35

SHA256
722aab6d1ea633f819966594bdccd80680520b8ffe68d6bb370c2d579bc8071e

SHA512
d4028be29140b17916d75370d726c401d26024d66be3bde4ee8c27e79cb9ae664038f08f983f47af4a93cddb48a2b76737922e68bd1ad69f3b226206a07eee70

Download Submit
memory/4056-146-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/4056-151-0x00007FFD9D490000-0x00007FFD9DF51000-memory.dmp

Filesize
10.8MB

Download
memory/4056-150-0x00007FFD9D490000-0x00007FFD9DF51000-memory.dmp

Filesize
10.8MB

Download
memory/4244-140-0x00007FFD9D490000-0x00007FFD9DF51000-memory.dmp

Filesize
10.8MB

Download
memory/4244-142-0x00007FFD9D490000-0x00007FFD9DF51000-memory.dmp

Filesize
10.8MB

Download
memory/4244-143-0x00007FFD9D490000-0x00007FFD9DF51000-memory.dmp

Filesize
10.8MB

Download
memory/4604-141-0x00007FFD9D490000-0x00007FFD9DF51000-memory.dmp

Filesize
10.8MB

Download
memory/4604-135-0x0000021B69670000-0x0000021B69722000-memory.dmp

Filesize
712KB

Download
memory/4604-134-0x0000021B691D0000-0x0000021B69220000-memory.dmp

Filesize
320KB

Download
memory/4604-136-0x0000021B69620000-0x0000021B69642000-memory.dmp

Filesize
136KB

Download
memory/4604-132-0x0000021B4E590000-0x0000021B4E5A0000-memory.dmp

Filesize
64KB

Download
memory/4604-133-0x00007FFD9D490000-0x00007FFD9DF51000-memory.dmp

Filesize
10.8MB

Download
memory/4604-149-0x00007FFD9D490000-0x00007FFD9DF51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads