purecrypter | 03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb

General

Target

21605edd439a91f69b7c2584413ae3f5.exe
Size

2.7MB
MD5

21605edd439a91f69b7c2584413ae3f5
SHA1

76353ff45df865cee24b8802c2332c8f07590df6
SHA256

03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
SHA512

df4248687d7a92389a3aab90dd0ccc8ea7236e8b71555bd835c33816a6e27b9a147d10fe693b57a693698c0d7c3fdbd99a3587cbfba08929c0d0fc4f34efb128
SSDEEP

49152:Q61jlIn2e7zgWTSOa7Q4hVBP35NxVg1DHeTz0CTssEORTdQRYdN+1rHzE42i9:Q6FynB7JTSOWBBNxVg1zen0CLEOhdQTl

Score

10^/10

purecrypter downloader loader

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1788-55-0x0000000004AC0000-0x0000000004D70000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe21605edd439a91f69b7c2584413ae3f5.exe

pid	process
940	powershell.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

21605edd439a91f69b7c2584413ae3f5.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1788 21605edd439a91f69b7c2584413ae3f5.exe
Token: SeDebugPrivilege 940 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1788	21605edd439a91f69b7c2584413ae3f5.exe
Token: SeDebugPrivilege	940	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

21605edd439a91f69b7c2584413ae3f5.exe

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
"C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:268

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
2⤵
PID:1764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-57-0x0000000000000000-mapping.dmp

Download
memory/940-59-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/940-60-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/940-61-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-54-0x00000000001E0000-0x0000000000492000-memory.dmp

Filesize
2.7MB

Download
memory/1788-55-0x0000000004AC0000-0x0000000004D70000-memory.dmp

Filesize
2.7MB

Download
memory/1788-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1788-62-0x00000000050C0000-0x0000000005140000-memory.dmp

Filesize
512KB

Download

description	pid	process	target process
PID 1788 wrote to memory of 940	1788	21605edd439a91f69b7c2584413ae3f5.exe	powershell.exe
PID 1788 wrote to memory of 940	1788	21605edd439a91f69b7c2584413ae3f5.exe	powershell.exe
PID 1788 wrote to memory of 940	1788	21605edd439a91f69b7c2584413ae3f5.exe	powershell.exe
PID 1788 wrote to memory of 940	1788	21605edd439a91f69b7c2584413ae3f5.exe	powershell.exe
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1760	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1760	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1760	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe
PID 1788 wrote to memory of 1760	1788	21605edd439a91f69b7c2584413ae3f5.exe	21605edd439a91f69b7c2584413ae3f5.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads