purecrypter | d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944

General

Target

Setup.exe
Size

2.5MB
MD5

49884eec4a8dcafe6d2993865154cdf4
SHA1

8b801c2d83b7602d350734bc3de5de7b9df73436
SHA256

d060ee3029a154a6fba6ed666ee5fafb2c8ee019dcfde0819f8aa24392b6e944
SHA512

052a2b2706168351060dbd8c725be3cdd4659ee79ea78daaa61674218145ea2e016e8e0100f27aadd0b79ebb46e51d2eca4bc103ca2a4723c50ac7063c745af0
SSDEEP

49152:V2+9WCvHTdprm74MntR2XTw5lKX0Zu04iXgIHuxCt8DccbasI:V2p2Td9mVtR2XTol80Zu04iXgHI8DM

Score

10^/10

purecrypter downloader loader

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1292-56-0x0000000005070000-0x00000000052E2000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Setup.exe

pid process

1292 Setup.exe
1292 Setup.exe
1292 Setup.exe
1292 Setup.exe
1292 Setup.exe
1292 Setup.exe
1292 Setup.exe
1292 Setup.exe
1292 Setup.exe
1292 Setup.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Setup.exe

description pid process

Token: SeDebugPrivilege 1292 Setup.exe

pid	process
1292	Setup.exe
1292	Setup.exe
1292	Setup.exe
1292	Setup.exe
1292	Setup.exe
1292	Setup.exe
1292	Setup.exe
1292	Setup.exe
1292	Setup.exe
1292	Setup.exe

description	pid	process
Token: SeDebugPrivilege	1292	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exe

description	pid	process	target process
PID 1292 wrote to memory of 1528	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1528	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1528	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1528	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1528	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1528	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1528	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1336	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1336	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1336	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1336	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1336	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1336	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1336	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1360	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1360	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1360	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1360	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1360	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1360	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1360	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1960	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1960	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1960	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1960	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1960	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1960	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1960	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1972	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1972	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1972	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1972	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1972	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1972	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1972	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 984	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 984	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 984	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 984	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 984	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 984	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 984	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 940	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 940	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 940	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 940	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 940	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 940	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 940	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1080	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1080	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1080	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1080	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1080	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1080	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1080	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1084	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1084	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1084	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1084	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1084	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1084	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1084	1292	Setup.exe	Setup.exe
PID 1292 wrote to memory of 1088	1292	Setup.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1080

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
2⤵
PID:1088

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1292-55-0x0000000000060000-0x00000000002EA000-memory.dmp

Filesize
2.5MB

Download
memory/1292-56-0x0000000005070000-0x00000000052E2000-memory.dmp

Filesize
2.4MB

Download
memory/1292-57-0x00000000026C0000-0x000000000270C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads