purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1096-66-0x00000000064B0000-0x0000000006850000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1892 voiceadequovl.exe
1096 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1892 voiceadequovl.exe
1892 voiceadequovl.exe
1892 voiceadequovl.exe
1892 voiceadequovl.exe

pid	process
1892	voiceadequovl.exe
1096	voiceadequovl.exe

pid	process
1892	voiceadequovl.exe
1892	voiceadequovl.exe
1892	voiceadequovl.exe
1892	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2020 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1096 voiceadequovl.exe
Token: SeDebugPrivilege 2020 powershell.exe

pid	process
2020	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1096	voiceadequovl.exe
Token: SeDebugPrivilege	2020	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 2004 wrote to memory of 1892	2004	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2004 wrote to memory of 1892	2004	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2004 wrote to memory of 1892	2004	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2004 wrote to memory of 1892	2004	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1892 wrote to memory of 1096	1892	voiceadequovl.exe	voiceadequovl.exe
PID 1892 wrote to memory of 1096	1892	voiceadequovl.exe	voiceadequovl.exe
PID 1892 wrote to memory of 1096	1892	voiceadequovl.exe	voiceadequovl.exe
PID 1892 wrote to memory of 1096	1892	voiceadequovl.exe	voiceadequovl.exe
PID 1096 wrote to memory of 2020	1096	voiceadequovl.exe	powershell.exe
PID 1096 wrote to memory of 2020	1096	voiceadequovl.exe	powershell.exe
PID 1096 wrote to memory of 2020	1096	voiceadequovl.exe	powershell.exe
PID 1096 wrote to memory of 2020	1096	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
193.6MB

MD5
93f1cca12b2ca08126a6de2507e1c065

SHA1
c04e41a6bcb115b0518431923682ad7f97362ed3

SHA256
eac4d3e10140a4218c81a2aab3e707b11c99a2b08e3d18afd9c62f8e4e401477

SHA512
c74f4c8023e6331e319e1dd21d4081a5f095db74ee0b10fdb26d182fe4ad14b9a3e7c43847705836097f7cf508bc779da43da6c06be0ad258867feedadeb45fa

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
209.4MB

MD5
65c452da02e26cfeed86ac327977fd3a

SHA1
915ce145590c731cf6559842d499f40c52523996

SHA256
57b768643626bb339aa8f0f0e12e247a44d61568eafed822e4c91a6fc252f44f

SHA512
b833d307974f7b8476f29b4b89711d943adbac900b554d2ca55fc6c8b59e8b69fc58ddbd3946e834e2073d06588d4b28bbcfd4ebc37baa5d34e6ecaab41d8580

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
209.1MB

MD5
c82338d51e78ff457a057dafad446a04

SHA1
1555196a7f4b35425627fe6541c9dc510d1fc27d

SHA256
65a2cb554e7e43ac1bb5ee08c8fc055195ab774ed0fba01d69763649994e48f4

SHA512
faabe8c169dba4fb7e5c85f1b67d6d7fefd055c5d6c2214831b50dd1ee11faf1d9b0b3e2be01b04ef47aae48c83681441b29f22271a40949b71afa5ba14b19a6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
163.0MB

MD5
3f21e870640140bddad2bab8dd113511

SHA1
09f4878f3cb5265af093bf5d21f4b732dc6ec89e

SHA256
de04edbefbf80b59802a18ccd66e42559843beb42d9524fbafab367250a5905b

SHA512
7d3ed012871cb27093c571d120963c2e5a81cd8c0837d001d83c3b90bd0dad71d9a65e621537fd925a2a6cc47769d18e4040ef27b17fdf47a12e062d95d4c07d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
232.2MB

MD5
2f639f3f7db187ea4ba840210fc08fba

SHA1
de165dea392355a6c633c8d4806c8ee12529971a

SHA256
b86a4d72d5d270f81ecc8d79bca8b36d21957bec7f113db6e4c2dba6b4585e79

SHA512
e20fe4346cbccef00374dc4f2c4c34d38932caecfe56df74ee113835529351da07660f814b6e6abfd4e19f0aa67cae27537ec841816b78813a2c4b72c47f0153

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
233.4MB

MD5
dd0b0f5b091a7a037c025e5dc9b8a0e7

SHA1
1f523995e692914a42a29169a5c4c7afac564f9f

SHA256
6febc2b3139495eee5565c1967cc95783988cf8c0241c170c998db0f8b2e3cc0

SHA512
3778821ce4a28a3a4d351b84026ccedad342e3cf626e2a240c99658de91afadbe6f31f3534bf11707710b9dd3555c84c395679885828a47680e1fd6cca1b8d95

Download Submit
memory/1096-62-0x0000000000000000-mapping.dmp

Download
memory/1096-65-0x00000000002A0000-0x0000000000A14000-memory.dmp

Filesize
7.5MB

Download
memory/1096-66-0x00000000064B0000-0x0000000006850000-memory.dmp

Filesize
3.6MB

Download
memory/1892-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/1892-54-0x0000000000000000-mapping.dmp

Download
memory/2020-67-0x0000000000000000-mapping.dmp

Download
memory/2020-69-0x000000006F900000-0x000000006FEAB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads