purecrypter | 03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-02-2023 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21605edd439a91f69b7c2584413ae3f5.exe
Size

2.7MB
MD5

21605edd439a91f69b7c2584413ae3f5
SHA1

76353ff45df865cee24b8802c2332c8f07590df6
SHA256

03541b2cf3bf022eda584b9ead6b6edeb7a47e8ccaa99b2415ee56694c9868cb
SHA512

df4248687d7a92389a3aab90dd0ccc8ea7236e8b71555bd835c33816a6e27b9a147d10fe693b57a693698c0d7c3fdbd99a3587cbfba08929c0d0fc4f34efb128
SSDEEP

49152:Q61jlIn2e7zgWTSOa7Q4hVBP35NxVg1DHeTz0CTssEORTdQRYdN+1rHzE42i9:Q6FynB7JTSOWBBNxVg1zen0CLEOhdQTl

Score

10^/10

purecrypter downloader loader

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1788-55-0x0000000004AC0000-0x0000000004D70000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
940	powershell.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe
1788	21605edd439a91f69b7c2584413ae3f5.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	21605edd439a91f69b7c2584413ae3f5.exe
Token: SeDebugPrivilege	940	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 940	1788	21605edd439a91f69b7c2584413ae3f5.exe	27
PID 1788 wrote to memory of 940	1788	21605edd439a91f69b7c2584413ae3f5.exe	27
PID 1788 wrote to memory of 940	1788	21605edd439a91f69b7c2584413ae3f5.exe	27
PID 1788 wrote to memory of 940	1788	21605edd439a91f69b7c2584413ae3f5.exe	27
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	29
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	29
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	29
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	29
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	29
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	29
PID 1788 wrote to memory of 1988	1788	21605edd439a91f69b7c2584413ae3f5.exe	29
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	30
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	30
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	30
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	30
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	30
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	30
PID 1788 wrote to memory of 1972	1788	21605edd439a91f69b7c2584413ae3f5.exe	30
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	31
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	31
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	31
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	31
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	31
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	31
PID 1788 wrote to memory of 1656	1788	21605edd439a91f69b7c2584413ae3f5.exe	31
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	32
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	32
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	32
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	32
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	32
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	32
PID 1788 wrote to memory of 1776	1788	21605edd439a91f69b7c2584413ae3f5.exe	32
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	33
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	33
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	33
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	33
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	33
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	33
PID 1788 wrote to memory of 1892	1788	21605edd439a91f69b7c2584413ae3f5.exe	33
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	34
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	34
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	34
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	34
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	34
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	34
PID 1788 wrote to memory of 1712	1788	21605edd439a91f69b7c2584413ae3f5.exe	34
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	35
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	35
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	35
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	35
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	35
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	35
PID 1788 wrote to memory of 1720	1788	21605edd439a91f69b7c2584413ae3f5.exe	35
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	36
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	36
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	36
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	36
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	36
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	36
PID 1788 wrote to memory of 268	1788	21605edd439a91f69b7c2584413ae3f5.exe	36
PID 1788 wrote to memory of 1760	1788	21605edd439a91f69b7c2584413ae3f5.exe	37
PID 1788 wrote to memory of 1760	1788	21605edd439a91f69b7c2584413ae3f5.exe	37
PID 1788 wrote to memory of 1760	1788	21605edd439a91f69b7c2584413ae3f5.exe	37
PID 1788 wrote to memory of 1760	1788	21605edd439a91f69b7c2584413ae3f5.exe	37

C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
"C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1892
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1712
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  C:\Users\Admin\AppData\Local\Temp\21605edd439a91f69b7c2584413ae3f5.exe
  2⤵
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/940-59-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/940-60-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/940-61-0x000000006F560000-0x000000006FB0B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-54-0x00000000001E0000-0x0000000000492000-memory.dmp

Filesize
2.7MB

Download
memory/1788-55-0x0000000004AC0000-0x0000000004D70000-memory.dmp

Filesize
2.7MB

Download
memory/1788-56-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1788-62-0x00000000050C0000-0x0000000005140000-memory.dmp

Filesize
512KB

Download