purecrypter | b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-02-2023 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
Size

3.3MB
MD5

031e2e05add303f0e8adbca3be022151
SHA1

719acfd7047f5a2003ed1386b97ed5e2868d09d2
SHA256

b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f
SHA512

86b5466b716bddceb1b6ef482f1683f248e8120100d8e529178a21d4542337d3b4c9362bb4fbbf90c2759d8413f3e2ca2112a20e32dccd44bce07bb9c3388536
SSDEEP

49152:By408wwmrOYMMJNBzgz15u+djZSHc2E2Y8csb6Aged9XJUOHUr+RmE:ayoDz+15VzSHc2EJ8cc3xtoKU

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/980-55-0x0000000004A30000-0x0000000004D64000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sdbhybed = "\"C:\\Users\\Admin\\AppData\\Roaming\\Jqgnazw\\Sdbhybed.exe\""	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1496	powershell.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
960	AcroRd32.exe
960	AcroRd32.exe
960	AcroRd32.exe
960	AcroRd32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1496	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	28
PID 980 wrote to memory of 1496	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	28
PID 980 wrote to memory of 1496	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	28
PID 980 wrote to memory of 1496	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	28
PID 980 wrote to memory of 960	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	30
PID 980 wrote to memory of 960	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	30
PID 980 wrote to memory of 960	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	30
PID 980 wrote to memory of 960	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	30
PID 980 wrote to memory of 1412	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	31
PID 980 wrote to memory of 1412	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	31
PID 980 wrote to memory of 1412	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	31
PID 980 wrote to memory of 1412	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	31
PID 980 wrote to memory of 1880	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	32
PID 980 wrote to memory of 1880	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	32
PID 980 wrote to memory of 1880	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	32
PID 980 wrote to memory of 1880	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	32
PID 980 wrote to memory of 1204	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	33
PID 980 wrote to memory of 1204	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	33
PID 980 wrote to memory of 1204	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	33
PID 980 wrote to memory of 1204	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	33
PID 980 wrote to memory of 436	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	34
PID 980 wrote to memory of 436	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	34
PID 980 wrote to memory of 436	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	34
PID 980 wrote to memory of 436	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	34
PID 980 wrote to memory of 288	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	35
PID 980 wrote to memory of 288	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	35
PID 980 wrote to memory of 288	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	35
PID 980 wrote to memory of 288	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	35
PID 980 wrote to memory of 840	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	36
PID 980 wrote to memory of 840	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	36
PID 980 wrote to memory of 840	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	36
PID 980 wrote to memory of 840	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	36
PID 980 wrote to memory of 1696	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	37
PID 980 wrote to memory of 1696	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	37
PID 980 wrote to memory of 1696	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	37
PID 980 wrote to memory of 1696	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	37
PID 980 wrote to memory of 1456	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	38
PID 980 wrote to memory of 1456	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	38
PID 980 wrote to memory of 1456	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	38
PID 980 wrote to memory of 1456	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	38
PID 980 wrote to memory of 1980	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	39
PID 980 wrote to memory of 1980	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	39
PID 980 wrote to memory of 1980	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	39
PID 980 wrote to memory of 1980	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	39
PID 980 wrote to memory of 1048	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	40
PID 980 wrote to memory of 1048	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	40
PID 980 wrote to memory of 1048	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	40
PID 980 wrote to memory of 1048	980	b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe	40

C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
"C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Ifdtktlacord_certificate_of_insurance.pdf"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:960
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:1204
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:436
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:288
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:840
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:1456
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:1980
- C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  C:\Users\Admin\AppData\Local\Temp\b5012f4ee136a3d2bc2cb89dc749cedc8d65dded53d2a7418342ad578db3ef6f.exe
  2⤵
  PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Ifdtktlacord_certificate_of_insurance.pdf

Filesize
102KB

MD5
261fa374ef694300b6bb6aa3d27ccb34

SHA1
cc931c06a52082b031d03ea8c517f69d3bdf0e13

SHA256
5921d7a39219dac7bb469d80c4d3932e457a5a17249155c389c1ef47d9d8e452

SHA512
807914c336c784668291b82a36e747b2945afd15e5bec77864f9aa61efbd3f65f63901e655cf43c1f84f15fed60422adc8c3f425d1dfdff4d6541fb8f9ec2001

Download Submit
memory/960-66-0x0000000002C50000-0x0000000002CC6000-memory.dmp

Filesize
472KB

Download
memory/980-54-0x0000000000320000-0x0000000000666000-memory.dmp

Filesize
3.3MB

Download
memory/980-55-0x0000000004A30000-0x0000000004D64000-memory.dmp

Filesize
3.2MB

Download
memory/980-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/980-65-0x0000000005560000-0x000000000565E000-memory.dmp

Filesize
1016KB

Download
memory/1496-59-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/1496-60-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download
memory/1496-61-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download