purecrypter | f1c9f70b73a3b62f0426336303fdaa110110600dfc56893dbd000837b58f41d0

General

Target

194388494000_pdf.exe
Size

10.0MB
MD5

694463cf1660b3ae188120328a1b93f8
SHA1

90389ff9d5817b730e2d358d9fbc71b4a2942670
SHA256

f1c9f70b73a3b62f0426336303fdaa110110600dfc56893dbd000837b58f41d0
SHA512

c219164e256ae715823c96e47bbc00b682aeeecd80a17c150e52e0329639135cd59ca5ceab5f84406c808b81f9ece291eefd0cdecb02baa1de517ca48d876307
SSDEEP

96:2GpKgeeUuHIMSz9FVLojDU7Rk0QCh8pbkPIjyxNezNtp:E8ToMqNLojD2xapQPIjo43

Score

10^/10

purecrypter downloader loader

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2024-56-0x0000000005B00000-0x0000000005C02000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Suspicious use of SetThreadContext 1 IoCs

Processes:

194388494000_pdf.exe

description pid process target process

PID 2024 set thread context of 1292 2024 194388494000_pdf.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2020 powershell.exe
1456 powershell.exe

description	pid	process	target process
PID 2024 set thread context of 1292	2024	194388494000_pdf.exe	RegAsm.exe

pid	process
2020	powershell.exe
1456	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

194388494000_pdf.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2024	194388494000_pdf.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1292	RegAsm.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

194388494000_pdf.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 2020	2024	194388494000_pdf.exe	powershell.exe
PID 2024 wrote to memory of 2020	2024	194388494000_pdf.exe	powershell.exe
PID 2024 wrote to memory of 2020	2024	194388494000_pdf.exe	powershell.exe
PID 2024 wrote to memory of 2020	2024	194388494000_pdf.exe	powershell.exe
PID 2024 wrote to memory of 1488	2024	194388494000_pdf.exe	cmd.exe
PID 2024 wrote to memory of 1488	2024	194388494000_pdf.exe	cmd.exe
PID 2024 wrote to memory of 1488	2024	194388494000_pdf.exe	cmd.exe
PID 2024 wrote to memory of 1488	2024	194388494000_pdf.exe	cmd.exe
PID 1488 wrote to memory of 1456	1488	cmd.exe	powershell.exe
PID 1488 wrote to memory of 1456	1488	cmd.exe	powershell.exe
PID 1488 wrote to memory of 1456	1488	cmd.exe	powershell.exe
PID 1488 wrote to memory of 1456	1488	cmd.exe	powershell.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe
PID 2024 wrote to memory of 1292	2024	194388494000_pdf.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\194388494000_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\194388494000_pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f789dc880c766c189e84640e020c4eb6

SHA1
fc0f40b09131b359e08f8edc75379333dd21de68

SHA256
2cc2b515b585c3ef73244249cdedacfdd4ee644462230a2d900ce8beab5f81e0

SHA512
f0237a560d50c7ad02c6bd345bc9e05e71e606a8201b75c00098d61feb4cef2750f77ff5f25186aa6a5f3629f0ffe6e3c3742925719d67f1dd73c97905c70412

Download Submit
memory/1292-72-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1292-71-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1292-78-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1292-74-0x00000000004BD22E-mapping.dmp

Download
memory/1292-73-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1292-69-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1292-68-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1292-76-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1456-80-0x000000006E6E0000-0x000000006EC8B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-67-0x000000006E6E0000-0x000000006EC8B000-memory.dmp

Filesize
5.7MB

Download
memory/1456-64-0x0000000000000000-mapping.dmp

Download
memory/1488-63-0x0000000000000000-mapping.dmp

Download
memory/2020-62-0x000000006E710000-0x000000006ECBB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-61-0x000000006E710000-0x000000006ECBB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-60-0x000000006E710000-0x000000006ECBB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-58-0x0000000000000000-mapping.dmp

Download
memory/2024-56-0x0000000005B00000-0x0000000005C02000-memory.dmp

Filesize
1.0MB

Download
memory/2024-54-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/2024-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/2024-57-0x0000000005D40000-0x0000000005DD2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads