purecrypter | 1501ed409db46bc33f3f4a13c9d2150308597fb91cff20e04c9df0d5f3dec37d

General

Target

deliver.exe
Size

172KB
MD5

6f97a3f9d8c88ac5ba01fccf033a66aa
SHA1

5152b20ec9d63e9decb5a17ae652ebd105ce0a24
SHA256

1501ed409db46bc33f3f4a13c9d2150308597fb91cff20e04c9df0d5f3dec37d
SHA512

a6c3afda108f973a0a4d424db289726c5ee0a46c88030e9354ffa639e81e03a6c4209dbfef4d0c384e919a7a904d4c15feef8e33057017f6a62843362640bdcb
SSDEEP

1536:pc9URWzKr7PhuuUpV7+5JTiy95UuUCQahsf5mZIWiwwr7QXsouW2ASDDA6rRcC+R:ppWaxa7Dy956S2j4xnsvXtPdSae1

Score

10^/10

purecrypter downloader loader persistence spyware

Malware Config

Extracted

Family

purecrypter

C2

http://163.123.142.210/Twpowpijhqf.dat

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2032-56-0x0000000007360000-0x000000000762C000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

deliver.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\exoduswallett = "\"C:\\Users\\Admin\\AppData\\Roaming\\Exodus\\exoduswallett.exe\""	deliver.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

deliver.exe

description pid process target process

PID 2032 set thread context of 1472 2032 deliver.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1736 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

deliver.exepowershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2032 deliver.exe
Token: SeDebugPrivilege 1736 powershell.exe
Token: SeDebugPrivilege 1472 RegAsm.exe

description	pid	process	target process
PID 2032 set thread context of 1472	2032	deliver.exe	RegAsm.exe

pid	process
1736	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2032	deliver.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1472	RegAsm.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

deliver.exe

description	pid	process	target process
PID 2032 wrote to memory of 1736	2032	deliver.exe	powershell.exe
PID 2032 wrote to memory of 1736	2032	deliver.exe	powershell.exe
PID 2032 wrote to memory of 1736	2032	deliver.exe	powershell.exe
PID 2032 wrote to memory of 1736	2032	deliver.exe	powershell.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe
PID 2032 wrote to memory of 1472	2032	deliver.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\deliver.exe
"C:\Users\Admin\AppData\Local\Temp\deliver.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-73-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1472-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1472-63-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1472-77-0x00000000007E0000-0x0000000000834000-memory.dmp

Filesize
336KB

Download
memory/1472-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1472-75-0x0000000000E10000-0x0000000000EC4000-memory.dmp

Filesize
720KB

Download
memory/1472-71-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1472-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1472-78-0x0000000000F20000-0x0000000000F6C000-memory.dmp

Filesize
304KB

Download
memory/1472-76-0x0000000000950000-0x00000000009A6000-memory.dmp

Filesize
344KB

Download
memory/1472-69-0x0000000000402B26-mapping.dmp

Download
memory/1472-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1736-61-0x000000006F9F0000-0x000000006FF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-60-0x000000006F9F0000-0x000000006FF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-59-0x000000006F9F0000-0x000000006FF9B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-57-0x0000000000000000-mapping.dmp

Download
memory/2032-62-0x0000000005670000-0x000000000572C000-memory.dmp

Filesize
752KB

Download
memory/2032-55-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-54-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/2032-56-0x0000000007360000-0x000000000762C000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads