purecrypter | c86bf5719eb23f11675b17c37e43e0c0a76af143ff1e2dce815037ef8ecb9a42

General

Target

blender-3.4.1-windows-x64.exe
Size

683.8MB
MD5

aedf8960317a0effcd89c5d816137067
SHA1

4e074a8e180a9d3248f5fceadf28ea4f7146b33e
SHA256

eeaaa0e20ba43f13e0b62862979abe7f50bb558a812fc4aa729e946fdbe54e98
SHA512

f1e7d861e01ebcc69cad9cceee712885ef1739a84923787bfe7d9e5e9e108b2721b2a1e916e4a33fa947ac84ed6010c1d32fdf0091b3a9ca7f34738a6be6981a
SSDEEP

3072:mcqqdOyJocZB0O7i4Cg3DILI48p8ERDuwBbEUA:T/dOyJovrg3/ppDuwBYU

Score

10^/10

purecrypter downloader evasion loader persistence trojan

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1156-56-0x0000000007110000-0x00000000073EA000-memory.dmp	family_purecrypter

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

blender-3.4.1-windows-x64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Tqhtsdgnsm\\Vcelkcpar.exe\","	blender-3.4.1-windows-x64.exe

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

InstallUtil.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	InstallUtil.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 eth0.me
Suspicious use of SetThreadContext 1 IoCs

Processes:

blender-3.4.1-windows-x64.exe

description pid process target process

PID 1156 set thread context of 820 1156 blender-3.4.1-windows-x64.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

320 powershell.exe

flow	ioc
7	eth0.me

description	pid	process	target process
PID 1156 set thread context of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe

pid	process
320	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

blender-3.4.1-windows-x64.exepowershell.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1156	blender-3.4.1-windows-x64.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	820	InstallUtil.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

blender-3.4.1-windows-x64.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 680	1156	blender-3.4.1-windows-x64.exe	cmd.exe
PID 1156 wrote to memory of 680	1156	blender-3.4.1-windows-x64.exe	cmd.exe
PID 1156 wrote to memory of 680	1156	blender-3.4.1-windows-x64.exe	cmd.exe
PID 1156 wrote to memory of 680	1156	blender-3.4.1-windows-x64.exe	cmd.exe
PID 680 wrote to memory of 320	680	cmd.exe	powershell.exe
PID 680 wrote to memory of 320	680	cmd.exe	powershell.exe
PID 680 wrote to memory of 320	680	cmd.exe	powershell.exe
PID 680 wrote to memory of 320	680	cmd.exe	powershell.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
2⤵
- UAC bypass
- Suspicious use of AdjustPrivilegeToken
PID:820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

2

T1112

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-58-0x0000000000000000-mapping.dmp

Download
memory/320-61-0x000000006E380000-0x000000006E92B000-memory.dmp

Filesize
5.7MB

Download
memory/320-60-0x000000006E380000-0x000000006E92B000-memory.dmp

Filesize
5.7MB

Download
memory/680-57-0x0000000000000000-mapping.dmp

Download
memory/820-64-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-63-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-66-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-67-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-69-0x00000000004DBD9E-mapping.dmp

Download
memory/820-68-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-71-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-73-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1156-56-0x0000000007110000-0x00000000073EA000-memory.dmp

Filesize
2.9MB

Download
memory/1156-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1156-62-0x0000000005C10000-0x0000000005CC6000-memory.dmp

Filesize
728KB

Download
memory/1156-54-0x00000000009C0000-0x00000000009DE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads