purecrypter | d0b7c72da05449ada1b7a75b481989922f634b33e5bc1648b837698853abb8f5

General

Target

tmp.exe
Size

41KB
MD5

9fc2e4d640bbce8bc3fa4a6f0f01984d
SHA1

52c52532478b1f07e9c74dcd3923a0f23d24406a
SHA256

d0b7c72da05449ada1b7a75b481989922f634b33e5bc1648b837698853abb8f5
SHA512

533bbbeafb0714a5781056d416b61446f7c2075b0d2e5286a96c00393d4499e95dd48853615b4918aba8b95aa0c0e7849a12a521a0f7d202661b39c9e385c4c4
SSDEEP

768:Af/0u9flwYtttWtYtYBtYtxqGGGGGGGGHGGGGGGGGGGGGGGGGGGGGGGGGGGGGUut:E3uGGGGGGGGHGGGGGGGGGGGGGGGGGGG

Score

10^/10

purecrypter xmrig downloader loader miner persistence

Malware Config

Extracted

Family

purecrypter

C2

http://163.123.142.210/Cjhgcjqheh.png

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2012-55-0x000000001C4C0000-0x000000001C95E000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/952-82-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-84-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-86-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-87-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-88-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-90-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-92-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-93-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-94-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-96-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-97-0x000000014036EAC4-mapping.dmp	xmrig
behavioral1/memory/952-99-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/952-108-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/680-122-0x000000014036EAC4-mapping.dmp	xmrig
behavioral1/memory/680-126-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\setup-update = "\"C:\\Users\\Admin\\AppData\\Roaming\\Winscp\\setup-update.exe\""	tmp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exeMSBuild.exe

description	pid	process	target process
PID 2012 set thread context of 604	2012	tmp.exe	MSBuild.exe
PID 604 set thread context of 952	604	MSBuild.exe	explorer.exe
PID 604 set thread context of 680	604	MSBuild.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1552 powershell.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

464
464

pid	process
1552	powershell.exe

pid	process
464
464

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

tmp.exepowershell.exeexplorer.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2012	tmp.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeLockMemoryPrivilege	952	explorer.exe
Token: SeLockMemoryPrivilege	952	explorer.exe
Token: SeLockMemoryPrivilege	680	explorer.exe
Token: SeLockMemoryPrivilege	680	explorer.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
952	explorer.exe
952	explorer.exe
952	explorer.exe
680	explorer.exe
680	explorer.exe
952	explorer.exe
680	explorer.exe
952	explorer.exe
680	explorer.exe
952	explorer.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

explorer.exeexplorer.exe

pid	process
952	explorer.exe
952	explorer.exe
952	explorer.exe
680	explorer.exe
680	explorer.exe
952	explorer.exe
680	explorer.exe
952	explorer.exe
680	explorer.exe
952	explorer.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

tmp.exeMSBuild.exe

description	pid	process	target process
PID 2012 wrote to memory of 1552	2012	tmp.exe	powershell.exe
PID 2012 wrote to memory of 1552	2012	tmp.exe	powershell.exe
PID 2012 wrote to memory of 1552	2012	tmp.exe	powershell.exe
PID 2012 wrote to memory of 604	2012	tmp.exe	MSBuild.exe
PID 2012 wrote to memory of 604	2012	tmp.exe	MSBuild.exe
PID 2012 wrote to memory of 604	2012	tmp.exe	MSBuild.exe
PID 2012 wrote to memory of 604	2012	tmp.exe	MSBuild.exe
PID 2012 wrote to memory of 604	2012	tmp.exe	MSBuild.exe
PID 2012 wrote to memory of 604	2012	tmp.exe	MSBuild.exe
PID 2012 wrote to memory of 604	2012	tmp.exe	MSBuild.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 952	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe
PID 604 wrote to memory of 680	604	MSBuild.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\explorer.exe
C:\Windows\explorer.exe ehkyzugfc0 6E3sjfZq2rJQaxvLPmXgsGVibFQB1SRFKAJE4g4hvkD3AiVEpf0dgV55vmPVy2HdRPFNj0nba36ZsJAOfcDutlp1uGZD43OinuOsbkrvwsELbcnOwh7z7jTxIxb/8cy9pfSG0diraCsvnytCTdEeT2GKBHsz+86dcPKDL/hWxI5SqjNqMnP2x9Wrll200viFmS5UKRFkzR22xALyEeu9XJQjjuuTyIYvPP4Ev/EE6yU1WvjnM9Sp2EXSRvQOYzWqX5FTSWHt7WGDYd4eL5Zpmre3cqlQsh6wxVtgXUX0aTX41VTxhqK+4nVvT0XXJYih0vuBCgBnmZooDqrF9PUyXXi/imO83AsfsaMeX5t25sVYNxmiIeTvwj02JZ6V2Hi1
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:952

C:\Windows\explorer.exe
C:\Windows\explorer.exe ehkyzugfc1 6E3sjfZq2rJQaxvLPmXgsJfOyO5DeIKfxGySQHgm1U7SutxdkMUte0IoBcJrwJZR0JxHqq095RdT+1DrfkD2jNApqjcsYyYz/1ffpuXHBMqjauSs2KIzU5jLOKjbNK+Q9aB1MGJaD//u7GHhN5AQFkGNzNZuljbiXjHHftKkwRn0qi9m9L/lrO0mLRvAp4XmpbPCO87NhuLYY+Cnh97Y4yDbiLkUTQmllBLN2kLj5+/iUVOmSRW7K9LvKlQfqGYis+oNYv8jbdSIWTDzRoAjZXcDWJKEZ+qjJ7iMWlp6rShaiUJNh3rtZIbqok5yk6z25MkctmIVhPI10JDyd+35GYmOp0vRfeEAkFtbRaAknpU95kmdqNbBb6GM6x+O2/1G
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-67-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/604-76-0x0000000000790000-0x0000000000796000-memory.dmp

Filesize
24KB

Download
memory/604-72-0x0000000140000000-mapping.dmp

Download
memory/604-71-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/604-70-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/604-68-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/680-126-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/680-122-0x000000014036EAC4-mapping.dmp

Download
memory/952-93-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-97-0x000000014036EAC4-mapping.dmp

Download
memory/952-128-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/952-127-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/952-108-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-102-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/952-99-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-96-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-94-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-92-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-90-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-88-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-77-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-78-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-80-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-82-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-84-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-86-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/952-87-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1552-56-0x0000000000000000-mapping.dmp

Download
memory/1552-64-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1552-65-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1552-57-0x000007FEFB5F1000-0x000007FEFB5F3000-memory.dmp

Filesize
8KB

Download
memory/1552-59-0x000007FEEC0C0000-0x000007FEECAE3000-memory.dmp

Filesize
10.1MB

Download
memory/1552-60-0x000007FEEB560000-0x000007FEEC0BD000-memory.dmp

Filesize
11.4MB

Download
memory/1552-63-0x000000000294B000-0x000000000296A000-memory.dmp

Filesize
124KB

Download
memory/1552-62-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1552-61-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/2012-54-0x000000013FA10000-0x000000013FA1E000-memory.dmp

Filesize
56KB

Download
memory/2012-66-0x000000001B960000-0x000000001BBE2000-memory.dmp

Filesize
2.5MB

Download
memory/2012-55-0x000000001C4C0000-0x000000001C95E000-memory.dmp

Filesize
4.6MB

Download
memory/2012-58-0x000000001AF07000-0x000000001AF26000-memory.dmp

Filesize
124KB

Download
memory/2012-74-0x000000001AF07000-0x000000001AF26000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads