purecrypter | c86bf5719eb23f11675b17c37e43e0c0a76af143ff1e2dce815037ef8ecb9a42

General

Target

blender-3.4.1-windows-x64.exe
Size

683.8MB
MD5

aedf8960317a0effcd89c5d816137067
SHA1

4e074a8e180a9d3248f5fceadf28ea4f7146b33e
SHA256

eeaaa0e20ba43f13e0b62862979abe7f50bb558a812fc4aa729e946fdbe54e98
SHA512

f1e7d861e01ebcc69cad9cceee712885ef1739a84923787bfe7d9e5e9e108b2721b2a1e916e4a33fa947ac84ed6010c1d32fdf0091b3a9ca7f34738a6be6981a
SSDEEP

3072:mcqqdOyJocZB0O7i4Cg3DILI48p8ERDuwBbEUA:T/dOyJovrg3/ppDuwBYU

Score

10^/10

purecrypter downloader evasion loader persistence trojan

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1156-56-0x0000000007110000-0x00000000073EA000-memory.dmp	family_purecrypter

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Tqhtsdgnsm\\Vcelkcpar.exe\","	blender-3.4.1-windows-x64.exe

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	InstallUtil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	eth0.me

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1156 set thread context of 820	1156	blender-3.4.1-windows-x64.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
320	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1156	blender-3.4.1-windows-x64.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	820	InstallUtil.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 680	1156	blender-3.4.1-windows-x64.exe	27
PID 1156 wrote to memory of 680	1156	blender-3.4.1-windows-x64.exe	27
PID 1156 wrote to memory of 680	1156	blender-3.4.1-windows-x64.exe	27
PID 1156 wrote to memory of 680	1156	blender-3.4.1-windows-x64.exe	27
PID 680 wrote to memory of 320	680	cmd.exe	29
PID 680 wrote to memory of 320	680	cmd.exe	29
PID 680 wrote to memory of 320	680	cmd.exe	29
PID 680 wrote to memory of 320	680	cmd.exe	29
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30
PID 1156 wrote to memory of 820	1156	blender-3.4.1-windows-x64.exe	30

C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\blender-3.4.1-windows-x64.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2⤵
  - UAC bypass
  - Suspicious use of AdjustPrivilegeToken
  PID:820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-61-0x000000006E380000-0x000000006E92B000-memory.dmp

Filesize
5.7MB

Download
memory/320-60-0x000000006E380000-0x000000006E92B000-memory.dmp

Filesize
5.7MB

Download
memory/820-64-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-63-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-66-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-67-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-68-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-71-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/820-73-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1156-56-0x0000000007110000-0x00000000073EA000-memory.dmp

Filesize
2.9MB

Download
memory/1156-55-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1156-62-0x0000000005C10000-0x0000000005CC6000-memory.dmp

Filesize
728KB

Download
memory/1156-54-0x00000000009C0000-0x00000000009DE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads