purecrypter | 3d30d701fb087416627321c60ab02f143718aefbb3ea7e2689b6fb658ab78ab6

Resubmissions

04-02-2023 21:43

230204-1lbwcseg47 10

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-02-2023 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VSCodeUserSetup-x64-1.74.3/VSCodeUserSetup-x64-1.74.3.exe
Size

680.7MB
MD5

07e845f93ca6fcbd10bad391aa94eaa0
SHA1

340a9c9c85644f973302a694686eb8cba8ab1876
SHA256

369ad6d01ffbd5af4a4da72d648afb41af0b694bbb05a39be0f4314daddce219
SHA512

44d5ff91002d37cb994b736cf350cbb61fde7ae618a4404950921f49f3f9488341212229cff0b411b20d800f99b7cfa612684ccf4543b613ab41f3ee81bd8aeb
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4tp4:VSSzMGS26x1MUTM+/Fha

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1612-66-0x0000000006450000-0x00000000067F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1712 voiceadequovl.exe
1612 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1712 voiceadequovl.exe
1712 voiceadequovl.exe
1712 voiceadequovl.exe
1712 voiceadequovl.exe

pid	process
1712	voiceadequovl.exe
1612	voiceadequovl.exe

pid	process
1712	voiceadequovl.exe
1712	voiceadequovl.exe
1712	voiceadequovl.exe
1712	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

VSCodeUserSetup-x64-1.74.3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	VSCodeUserSetup-x64-1.74.3.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	VSCodeUserSetup-x64-1.74.3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1796 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1612 voiceadequovl.exe
Token: SeDebugPrivilege 1796 powershell.exe

pid	process
1796	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1612	voiceadequovl.exe
Token: SeDebugPrivilege	1796	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

VSCodeUserSetup-x64-1.74.3.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 1372 wrote to memory of 1712	1372	VSCodeUserSetup-x64-1.74.3.exe	voiceadequovl.exe
PID 1372 wrote to memory of 1712	1372	VSCodeUserSetup-x64-1.74.3.exe	voiceadequovl.exe
PID 1372 wrote to memory of 1712	1372	VSCodeUserSetup-x64-1.74.3.exe	voiceadequovl.exe
PID 1372 wrote to memory of 1712	1372	VSCodeUserSetup-x64-1.74.3.exe	voiceadequovl.exe
PID 1712 wrote to memory of 1612	1712	voiceadequovl.exe	voiceadequovl.exe
PID 1712 wrote to memory of 1612	1712	voiceadequovl.exe	voiceadequovl.exe
PID 1712 wrote to memory of 1612	1712	voiceadequovl.exe	voiceadequovl.exe
PID 1712 wrote to memory of 1612	1712	voiceadequovl.exe	voiceadequovl.exe
PID 1612 wrote to memory of 1796	1612	voiceadequovl.exe	powershell.exe
PID 1612 wrote to memory of 1796	1612	voiceadequovl.exe	powershell.exe
PID 1612 wrote to memory of 1796	1612	voiceadequovl.exe	powershell.exe
PID 1612 wrote to memory of 1796	1612	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\VSCodeUserSetup-x64-1.74.3\VSCodeUserSetup-x64-1.74.3.exe
"C:\Users\Admin\AppData\Local\Temp\VSCodeUserSetup-x64-1.74.3\VSCodeUserSetup-x64-1.74.3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
236.9MB

MD5
3c508eca597bc1209466dce72afc2fbd

SHA1
32bb6b7d4f4cbe8145d7f7cb7b578153a85fad7f

SHA256
1a0a02a9e7051732843c300da2c31070d400060e8868a3b07c38a61e07904dea

SHA512
150802ec0ee5839562c8de21ad9ad8c35138fd730fefb3ebfbf2d1e7475bff084d721db74596b468419b5340a4f7297d92f7d5dbc41d0da199e4055baa5a7cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
239.0MB

MD5
4f49742532a0bb78ce2877d5d63a8b4a

SHA1
68e0a501168343647a024d0e12cfc894c5bbb80f

SHA256
9dbe9a9e51373866ed5f10b4508c3a4a6c054e1b2eb061fc112d6cf8715f28c6

SHA512
1f4a2748fe3a68ff3cccefd5781580a57bdc1fdec7ab391f1809cb7d39a2fe47997b45fe4963f1e512a9bcbe0322644ff17027ad5143d422b9974228d6fd54bf

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
284.1MB

MD5
8f95687c7276e0f4f7dc27a5e6fce19f

SHA1
305df226954bf1d142838c5e2559188d8328346b

SHA256
f67c4fefe26eefb201e4af33685c5adc3115130ca0ca224ebe49b52786f56e1b

SHA512
d9400deed7317654ca29d1eef4678967b4734f738e4ca90e22e2c635d935d40d5ba00bbbec7e1f371018decf148d1dfac523de657f12f381abee675246b22810

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
260.1MB

MD5
ec1fcac91b797dcfd85d95a8f9e82416

SHA1
1e35f7f52b71362fcf5eac45795983e85074a3ac

SHA256
3786d7eb169bec735d48e582c79c2e4cb3f058cca40b086f838522937d5ac812

SHA512
5e581f0d514e5f8f1c34a21974e4c6e152ef827968268d021a749282c4fce2e3685466bcf7c2026a7d09ad50d9f2fc0e5f5d98986e063a46931d26a06e7e0863

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
274.7MB

MD5
db32f2d9d34da9dbc2ff03c80906d511

SHA1
de6c47607861be52ddcc34d2d262ccc241b964d2

SHA256
7c081a1f8c99c9ea5f368a8e30c43c27caf2637ef90ce54359285aff0b2706a3

SHA512
83923d9c434e67ab02f617efe1f26de4c7a81319136e91557e677ce05781577e198ed889dc977e8efa570d40b334bdf94e6f997a8f5711856aea93d33b81f696

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
259.2MB

MD5
9f1700be5319ae7be6852dec17da1da1

SHA1
15d818206965c8945f86c3b39a79c67fb9fabe18

SHA256
509bb4ad5afac46d14a082b39e57f383f0799a0b8076c9448a5b847dcba6da62

SHA512
eaea0ffba7935b4251bdc92d9a2e3ec34e33e7dc0baa1b0ae7894c46348b829f504f76549b29fb1e8e29a69f1336332efbcd06afe823fdda52346d12f90cea08

Download Submit
memory/1612-62-0x0000000000000000-mapping.dmp

Download
memory/1612-65-0x0000000000390000-0x0000000000B04000-memory.dmp

Filesize
7.5MB

Download
memory/1612-66-0x0000000006450000-0x00000000067F0000-memory.dmp

Filesize
3.6MB

Download
memory/1712-54-0x0000000000000000-mapping.dmp

Download
memory/1712-56-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1796-67-0x0000000000000000-mapping.dmp

Download
memory/1796-69-0x000000006FC90000-0x000000007023B000-memory.dmp

Filesize
5.7MB

Download
memory/1796-70-0x000000006FC90000-0x000000007023B000-memory.dmp

Filesize
5.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads