purecrypter | e159f861102f4da97e02be9ffefd72254bb9b2a92bf7d16ea6ef8c53800b17de

General

Target

740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
Size

3.9MB
MD5

ecb41ffa4f12fbe99b2a53141ec9f240
SHA1

68c7c9a49c519319aba55bf686f2388ee782208d
SHA256

740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2
SHA512

1b4f1b2225663e986be31d3aabe1491d443eb192e9b34e0aec6c7146a01bd0d350b3f417fa68a41ee3645a367175de59ebf66165cd718e4f1529f7fa3c6b6e89
SSDEEP

98304:x8vnvI2bIjGMWwAQ1cdLr3AG3cLMgs7T9/7AwCYyLb+P:Ung2QGMIxLEGMLMlx/7Zcv+P

Score

10^/10

purecrypter downloader loader persistence spyware stealer

Malware Config

Extracted

Family

purecrypter

C2

https://atomm.com.br/.well-known/acme-challenge/bo/Xmwlki.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
1820	bebra.exe
1136	sisterservice.exe
1528	aheaddecov.exe

Loads dropped DLL 2 IoCs

pid	Process
872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	sisterservice.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	sisterservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	aheaddecov.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 1820	872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	27
PID 872 wrote to memory of 1820	872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	27
PID 872 wrote to memory of 1820	872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	27
PID 872 wrote to memory of 1820	872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	27
PID 1820 wrote to memory of 1824	1820	bebra.exe	28
PID 1820 wrote to memory of 1824	1820	bebra.exe	28
PID 1820 wrote to memory of 1824	1820	bebra.exe	28
PID 1824 wrote to memory of 1720	1824	cmd.exe	30
PID 1824 wrote to memory of 1720	1824	cmd.exe	30
PID 1824 wrote to memory of 1720	1824	cmd.exe	30
PID 872 wrote to memory of 1136	872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	31
PID 872 wrote to memory of 1136	872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	31
PID 872 wrote to memory of 1136	872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	31
PID 872 wrote to memory of 1136	872	740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe	31
PID 1136 wrote to memory of 1528	1136	sisterservice.exe	32
PID 1136 wrote to memory of 1528	1136	sisterservice.exe	32
PID 1136 wrote to memory of 1528	1136	sisterservice.exe	32
PID 1136 wrote to memory of 1528	1136	sisterservice.exe	32

C:\Users\Admin\AppData\Local\Temp\740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
"C:\Users\Admin\AppData\Local\Temp\740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1824
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:1720
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe

Filesize
429.2MB

MD5
360cf1b802c90daa515330c1a9e89518

SHA1
183a21881ce1618f77862dff05240d19d604bbdc

SHA256
8db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5

SHA512
bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe

Filesize
429.2MB

MD5
360cf1b802c90daa515330c1a9e89518

SHA1
183a21881ce1618f77862dff05240d19d604bbdc

SHA256
8db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5

SHA512
bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe

Filesize
3.4MB

MD5
9db7f8ba57214489f97c8c785b4c727c

SHA1
968df2ab397063fcf6eb7720fa5ca24744230bc7

SHA256
c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149

SHA512
0fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe

Filesize
3.4MB

MD5
9db7f8ba57214489f97c8c785b4c727c

SHA1
968df2ab397063fcf6eb7720fa5ca24744230bc7

SHA256
c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149

SHA512
0fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe

Filesize
695KB

MD5
3c2aa77bd20b3ffb687f11e7c5bbea79

SHA1
6a9570c0c4b5e0fd6c5dd851f65cebc703bc580d

SHA256
7b477658201bcd770c3a07b1854c8d7fbb2c5535bb238954bda931f599455c31

SHA512
afc5ed38a82fee7fc72d4b6c1b87fac348d9409b7ca94b9cc0ad197b7fd55ed491a912377352fd5e0416344116d316cc123f7a043c52c7d6d98bd3917c1b6422

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe

Filesize
3.4MB

MD5
9db7f8ba57214489f97c8c785b4c727c

SHA1
968df2ab397063fcf6eb7720fa5ca24744230bc7

SHA256
c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149

SHA512
0fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe

Filesize
695KB

MD5
3c2aa77bd20b3ffb687f11e7c5bbea79

SHA1
6a9570c0c4b5e0fd6c5dd851f65cebc703bc580d

SHA256
7b477658201bcd770c3a07b1854c8d7fbb2c5535bb238954bda931f599455c31

SHA512
afc5ed38a82fee7fc72d4b6c1b87fac348d9409b7ca94b9cc0ad197b7fd55ed491a912377352fd5e0416344116d316cc123f7a043c52c7d6d98bd3917c1b6422

Download Submit
memory/872-54-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

Filesize
8KB

Download
memory/1528-90-0x0000000000380000-0x0000000000388000-memory.dmp

Filesize
32KB

Download
memory/1820-68-0x0000000000120000-0x000000000017C000-memory.dmp

Filesize
368KB

Download
memory/1820-72-0x000007FEFC9B0000-0x000007FEFC9BF000-memory.dmp

Filesize
60KB

Download
memory/1820-74-0x000007FEFCF90000-0x000007FEFCFAF000-memory.dmp

Filesize
124KB

Download
memory/1820-75-0x000007FEFC4A0000-0x000007FEFC4C2000-memory.dmp

Filesize
136KB

Download
memory/1820-76-0x000007FEFC4D0000-0x000007FEFC51E000-memory.dmp

Filesize
312KB

Download
memory/1820-77-0x000007FEFD4C0000-0x000007FEFD59B000-memory.dmp

Filesize
876KB

Download
memory/1820-78-0x000007FEFBF90000-0x000007FEFBFDC000-memory.dmp

Filesize
304KB

Download
memory/1820-79-0x000007FEFC350000-0x000007FEFC367000-memory.dmp

Filesize
92KB

Download
memory/1820-73-0x000007FEFBE10000-0x000007FEFBE2E000-memory.dmp

Filesize
120KB

Download
memory/1820-82-0x00000000009D0000-0x00000000011D3000-memory.dmp

Filesize
8.0MB

Download
memory/1820-83-0x0000000000120000-0x000000000017C000-memory.dmp

Filesize
368KB

Download
memory/1820-71-0x000007FEFE990000-0x000007FEFEABD000-memory.dmp

Filesize
1.2MB

Download
memory/1820-70-0x000007FEFCD20000-0x000007FEFCE87000-memory.dmp

Filesize
1.4MB

Download
memory/1820-69-0x000007FEFD380000-0x000007FEFD41F000-memory.dmp

Filesize
636KB

Download
memory/1820-66-0x0000000076BF0000-0x0000000076D0F000-memory.dmp

Filesize
1.1MB

Download
memory/1820-67-0x00000000009D0000-0x00000000011D3000-memory.dmp

Filesize
8.0MB

Download
memory/1820-65-0x000007FEFCBE0000-0x000007FEFCC4C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing