purecrypter | 53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

General

Target

d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Size

7KB
MD5

b359f4af5c88b1e237db9738415b7682
SHA1

d7fa6d87594ea4d8b5740d54fdc204b08f4e9439
SHA256

53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd
SHA512

6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb
SSDEEP

96:xtEsKVeCVIP7bLp8LAn5c8aY1ej/kKV+J2qzNt:xUVVIP7bLrEOejcKYx

Score

10^/10

purecrypter remcos remotehost downloader loader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.180.49.17:28282

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
rdfghfgjkgoighjc.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-PC1DJ2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1080-56-0x0000000007220000-0x00000000074BE000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

rdfghfgjkgoighjc.exerdfghfgjkgoighjc.exe

pid process

1304 rdfghfgjkgoighjc.exe
1724 rdfghfgjkgoighjc.exe
Loads dropped DLL 1 IoCs

Processes:

d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe

pid process

1632 d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe

pid	process
1304	rdfghfgjkgoighjc.exe
1724	rdfghfgjkgoighjc.exe

pid	process
1632	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exed7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exerdfghfgjkgoighjc.exerdfghfgjkgoighjc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Phecxlkxbf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zwpfblvosjv\\Phecxlkxbf.exe\""	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\rdfghfgjkgoighjc.exe\""	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\rdfghfgjkgoighjc.exe\""	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	rdfghfgjkgoighjc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\rdfghfgjkgoighjc.exe\""	rdfghfgjkgoighjc.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Phecxlkxbf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Zwpfblvosjv\\Phecxlkxbf.exe\""	rdfghfgjkgoighjc.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\	rdfghfgjkgoighjc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\rdfghfgjkgoighjc.exe\""	rdfghfgjkgoighjc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exerdfghfgjkgoighjc.exe

description	pid	process	target process
PID 1080 set thread context of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1304 set thread context of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

648 powershell.exe
1504 powershell.exe

pid	process
648	powershell.exe
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exepowershell.exerdfghfgjkgoighjc.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1304	rdfghfgjkgoighjc.exe
Token: SeDebugPrivilege	1504	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

rdfghfgjkgoighjc.exe

pid process

1724 rdfghfgjkgoighjc.exe

pid	process
1724	rdfghfgjkgoighjc.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exed7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exerdfghfgjkgoighjc.exe

description	pid	process	target process
PID 1080 wrote to memory of 648	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	powershell.exe
PID 1080 wrote to memory of 648	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	powershell.exe
PID 1080 wrote to memory of 648	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	powershell.exe
PID 1080 wrote to memory of 648	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	powershell.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1080 wrote to memory of 1632	1080	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
PID 1632 wrote to memory of 1304	1632	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	rdfghfgjkgoighjc.exe
PID 1632 wrote to memory of 1304	1632	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	rdfghfgjkgoighjc.exe
PID 1632 wrote to memory of 1304	1632	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	rdfghfgjkgoighjc.exe
PID 1632 wrote to memory of 1304	1632	d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1504	1304	rdfghfgjkgoighjc.exe	powershell.exe
PID 1304 wrote to memory of 1504	1304	rdfghfgjkgoighjc.exe	powershell.exe
PID 1304 wrote to memory of 1504	1304	rdfghfgjkgoighjc.exe	powershell.exe
PID 1304 wrote to memory of 1504	1304	rdfghfgjkgoighjc.exe	powershell.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe
PID 1304 wrote to memory of 1724	1304	rdfghfgjkgoighjc.exe	rdfghfgjkgoighjc.exe

C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
"C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:648

C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
C:\Users\Admin\AppData\Local\Temp\d7fa6d87594ea4d8b5740d54fdc204b08f4e9439.exe
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632

C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
"C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
Filesize
7KB

MD5
b359f4af5c88b1e237db9738415b7682

SHA1
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

SHA256
53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

SHA512
6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

Download Submit
C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
Filesize
7KB

MD5
b359f4af5c88b1e237db9738415b7682

SHA1
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

SHA256
53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

SHA512
6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

Download Submit
C:\ProgramData\Remcos\rdfghfgjkgoighjc.exe
Filesize
7KB

MD5
b359f4af5c88b1e237db9738415b7682

SHA1
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

SHA256
53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

SHA512
6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
5fec35fdc621e8534c9e3aabe367c39f

SHA1
83f4512cf0e642441799753180848ef540eda994

SHA256
9231873b893f26e3fcc81f15243db686e6f636e7ec10b22ba4399537bdade3d3

SHA512
86350e46768be488e9aa25bfec8102c68f1f47da5b69361e20001a59a6b629858ced02bf81780d0c6151031eb9e0d658abdacb9a1a4087ac1fabc051a79acf83

Download Submit
C:\Users\Admin\AppData\Roaming\Zwpfblvosjv\Phecxlkxbf.exe
Filesize
7KB

MD5
b359f4af5c88b1e237db9738415b7682

SHA1
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

SHA256
53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

SHA512
6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

Download Submit
\ProgramData\Remcos\rdfghfgjkgoighjc.exe
Filesize
7KB

MD5
b359f4af5c88b1e237db9738415b7682

SHA1
d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

SHA256
53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

SHA512
6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

Download Submit
memory/648-60-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/648-57-0x0000000000000000-mapping.dmp

Download
memory/648-61-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/648-59-0x000000006F550000-0x000000006FAFB000-memory.dmp

Filesize
5.7MB

Download
memory/1080-54-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/1080-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1080-56-0x0000000007220000-0x00000000074BE000-memory.dmp

Filesize
2.6MB

Download
memory/1080-62-0x0000000004D60000-0x0000000004DE0000-memory.dmp

Filesize
512KB

Download
memory/1304-85-0x00000000001A0000-0x00000000001A8000-memory.dmp

Filesize
32KB

Download
memory/1304-81-0x0000000000000000-mapping.dmp

Download
memory/1504-87-0x0000000000000000-mapping.dmp

Download
memory/1504-90-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1504-91-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1504-92-0x000000006F530000-0x000000006FADB000-memory.dmp

Filesize
5.7MB

Download
memory/1632-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-79-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-76-0x0000000000432E48-mapping.dmp

Download
memory/1632-83-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-75-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-70-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-68-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1632-63-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1724-107-0x0000000000432E48-mapping.dmp

Download
memory/1724-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1724-112-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1724-113-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads