Analysis

max time kernel:  138s
max time network: 45s
platform:         windows7_x64
resource:         win7-20220812-en
resource tags:    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted:        04-02-2023 19:35
Static task: static1
Behavioral task: behavioral1
  Sample:   5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample:   5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win10v2004-20220812-en

The signatures, process tree, dropped files and memory dumps below come from behavioral1 (Windows 7 x64): the yara hit is recorded against behavioral1/memory/1096-66, and no behavioral2 results appear on this page.
General

Target:  5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size:    3.6MB
MD5:     36fd273ea7607d3a203f257f4e2649ed
SHA1:    5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256:  471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512:  cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP:  98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Signatures

Detect PureCrypter injector (1 IoC)
  resource:  behavioral1/memory/1096-66-0x00000000064B0000-0x0000000006850000-memory.dmp
  yara_rule: family_purecrypter
  The matching region is a 3.6MB range inside PID 1096 (the %AppData%\Roaming\Voice copy of voiceadequovl.exe); the dump is listed under the memory dumps at the end of this report.

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
Executes dropped EXE (2 IoCs)
  PID 1892  voiceadequovl.exe
  PID 1096  voiceadequovl.exe

Loads dropped DLL (4 IoCs)
  PID 1892  voiceadequovl.exe  (4 loads)
Adds Run key to start application (2 TTPs, 2 IoCs)
  process:         5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe (PID 2004)
  Key created:     \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""

  This RunOnce value is not malware persistence. wextract.exe, the self-extractor stub used by IExpress packages, registers exactly this entry so that advpack.dll's DelNodeRunDLL32 deletes its IXP000.TMP extraction directory at the next logon; nothing is re-executed from it. What it does tell you is that the outer layer of the sample is an IExpress/wextract package, and it gives the path of the extracted second stage.
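A quick way to separate this installer artifact from genuine autorun persistence when triaging registry events from a run like this. This is an added example written for this page, not sandbox or sample code: the first entry is the RunOnce value from the report with the sandbox's string escaping removed, the second is a constructed hypothetical entry (not observed in this run) included for contrast.

```python
"""Classify Run/RunOnce values: IExpress/wextract self-cleanup vs. persistence.

Added example for this report, not sandbox or sample code. ENTRIES is
constructed: the first is the RunOnce value from the report, the second is
a hypothetical persistence entry (not observed in this run) for contrast.
"""
import re
from dataclasses import dataclass

# wextract.exe (the IExpress self-extractor stub) registers a RunOnce value
# named wextract_cleanup<N> whose command deletes its IXP<NNN>.TMP
# extraction directory at next logon. Nothing is re-executed from it.
WEXTRACT_NAME = re.compile(r"^wextract_cleanup\d+$", re.IGNORECASE)
WEXTRACT_CMD = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"\s*$',
    re.IGNORECASE,
)
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass(frozen=True)
class AutorunEntry:
    key: str      # registry key path as the sandbox reports it
    name: str     # value name
    value: str    # unescaped string data
    process: str  # image that set it


def extraction_dir(entry: AutorunEntry):
    """Directory a wextract cleanup entry will delete, or None."""
    m = WEXTRACT_CMD.match(entry.value)
    if WEXTRACT_NAME.match(entry.name) and m:
        return m.group("dir")
    return None


def classify(entry: AutorunEntry) -> str:
    """'installer-cleanup', 'persistence' or 'not-autorun'."""
    if not entry.key.lower().endswith(AUTORUN_KEYS):
        return "not-autorun"
    d = extraction_dir(entry)
    if d is not None and "\\ixp" in d.lower():
        return "installer-cleanup"
    return "persistence"


def triage(entries):
    """Map value name -> classification for a batch of entries."""
    return {e.name: classify(e) for e in entries}


ENTRIES = [
    # Copied from the report (set by PID 2004), sandbox escaping removed.
    AutorunEntry(
        key=r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
        name="wextract_cleanup0",
        value=r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
        process="5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe",
    ),
    # Hypothetical, constructed for contrast; not observed in this run.
    AutorunEntry(
        key=r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run",
        name="Updater",
        value=r'"C:\Users\Admin\AppData\Roaming\updater.exe"',
        process="updater.exe",
    ),
]


if __name__ == "__main__":
    for e in ENTRIES:
        print(f"{classify(e):18} {e.name} = {e.value}")
```

The cleanup entry is still worth recording: extraction_dir() returns the IXP000.TMP path, which is where the second stage was unpacked and where the "Executes dropped EXE" hit for PID 1892 comes from.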
Enumerates physical storage devices (1 TTP)
  Sandbox description: attempts to interact with connected storage/optical drive(s); the sandbox labels this "likely ransomware behaviour". That label is a generic heuristic attached to the signature, not a finding about this sample: no file encryption, ransom note or mass file modification is recorded in this run, and the other signatures identify the sample as a PureCrypter loader. Drive enumeration is also a routine part of environment fingerprinting by loaders, so treat it as supporting evidence only.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2020  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1096  voiceadequovl.exe
  Token: SeDebugPrivilege  PID 2020  powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  parent PID  parent image                                    child PID  child image         writes
  2004        5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe    1892       voiceadequovl.exe   4
  1892        voiceadequovl.exe                               1096       voiceadequovl.exe   4
  1096        voiceadequovl.exe                               2020       powershell.exe      4

  The 12 rows collapse to three parent-to-child pairs with four identical writes each, and every pair is a parent writing into a process it has just created. That is the footprint of ordinary process creation, not of injection into an unrelated process; this signature alone does not show where the PureCrypter payload was unpacked. The yara hit is in PID 1096's own address space (memory/1096-66).
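Collapsing the raw IoC rows into a process tree with per-edge write counts is the first thing to do with this kind of output, because repeated rows hide how few distinct relationships there are. The following is an added example written for this page (not sandbox code); ROWS is the report's own 12 rows copied verbatim into a constructed string.

```python
"""Collapse 'Suspicious use of WriteProcessMemory' IoC rows into a
parent/child tree with write counts.

Added example for this report, not sandbox code. ROWS holds the report's
12 rows verbatim; a low, uniform count on every parent->child pair is what
ordinary process creation produces, so it is the baseline to compare against.
"""
import re
from collections import Counter, defaultdict

ROWS = """\
PID 2004 wrote to memory of 1892 2004 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe voiceadequovl.exe
PID 2004 wrote to memory of 1892 2004 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe voiceadequovl.exe
PID 2004 wrote to memory of 1892 2004 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe voiceadequovl.exe
PID 2004 wrote to memory of 1892 2004 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe voiceadequovl.exe
PID 1892 wrote to memory of 1096 1892 voiceadequovl.exe voiceadequovl.exe
PID 1892 wrote to memory of 1096 1892 voiceadequovl.exe voiceadequovl.exe
PID 1892 wrote to memory of 1096 1892 voiceadequovl.exe voiceadequovl.exe
PID 1892 wrote to memory of 1096 1892 voiceadequovl.exe voiceadequovl.exe
PID 1096 wrote to memory of 2020 1096 voiceadequovl.exe powershell.exe
PID 1096 wrote to memory of 2020 1096 voiceadequovl.exe powershell.exe
PID 1096 wrote to memory of 2020 1096 voiceadequovl.exe powershell.exe
PID 1096 wrote to memory of 2020 1096 voiceadequovl.exe powershell.exe
"""

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_rows(text):
    """Return (Counter of (parent, child) -> writes, dict pid -> image name)."""
    edges, names = Counter(), {}
    for m in ROW_RE.finditer(text):
        parent, child = int(m.group(1)), int(m.group(2))
        edges[(parent, child)] += 1
        names[parent], names[child] = m.group(3), m.group(4)
    return edges, names


def roots(edges):
    """PIDs that write to others but were never written to themselves."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def chain(edges, pid):
    """Ancestry from the root down to pid (assumes one parent per pid)."""
    parent_of = {c: p for p, c in edges}
    path = [pid]
    while path[-1] in parent_of:
        path.append(parent_of[path[-1]])
    return path[::-1]


def render(edges, names):
    """Indented tree; the count on each child is writes from its parent."""
    kids = defaultdict(list)
    for (p, c), n in edges.items():
        kids[p].append((c, n))
    lines = []

    def walk(pid, depth, n=None):
        tag = "" if n is None else f"  [{n} writes from parent]"
        lines.append(f"{'  ' * depth}{pid} {names[pid]}{tag}")
        for c, cn in sorted(kids[pid]):
            walk(c, depth + 1, cn)

    for r in roots(edges):
        walk(r, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    e, n = parse_rows(ROWS)
    print(render(e, n))
```

Every edge here carries the same small count, which is why the table above is read as process creation rather than injection; a pair with a much larger count, or a child image the parent did not launch, would be the thing to dump and inspect.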
Processes

PID 2004  C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
  PID 1892  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
    PID 1096  C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
              command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
      PID 2020  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- PIDs are taken from the WriteProcessMemory rows (2004 -> 1892 -> 1096 -> 2020).
- The chain is: wextract stub (2004) -> second stage extracted to IXP000.TMP (1892) -> copy of itself in %AppData%\Roaming\Voice (1096, where the PureCrypter yara rule fires) -> PowerShell (2020).
- The -ENC argument is base64 of a UTF-16LE string and decodes to "start-sleep -seconds 35": a 35-second delay and nothing else, a common way of outlasting short sandbox timeouts.
- The PowerShell image path is under SysWOW64 although the command line names System32. That is WoW64 file-system redirection, which means the process that launched it (PID 1096) is 32-bit.
Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  Filesize: 365.5MB
  MD5:      ba50f2bca86ba947a8d2035bb9b35123
  SHA1:     a542b5c5d41174dc2475a219978123b7d14f958f
  SHA256:   17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
  SHA512:   08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
  Filesize: 193.6MB
  MD5:      93f1cca12b2ca08126a6de2507e1c065
  SHA1:     c04e41a6bcb115b0518431923682ad7f97362ed3
  SHA256:   eac4d3e10140a4218c81a2aab3e707b11c99a2b08e3d18afd9c62f8e4e401477
  SHA512:   c74f4c8023e6331e319e1dd21d4081a5f095db74ee0b10fdb26d182fe4ad14b9a3e7c43847705836097f7cf508bc779da43da6c06be0ad258867feedadeb45fa

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
  Filesize: 209.4MB
  MD5:      65c452da02e26cfeed86ac327977fd3a
  SHA1:     915ce145590c731cf6559842d499f40c52523996
  SHA256:   57b768643626bb339aa8f0f0e12e247a44d61568eafed822e4c91a6fc252f44f
  SHA512:   b833d307974f7b8476f29b4b89711d943adbac900b554d2ca55fc6c8b59e8b69fc58ddbd3946e834e2073d06588d4b28bbcfd4ebc37baa5d34e6ecaab41d8580

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
  Filesize: 209.1MB
  MD5:      c82338d51e78ff457a057dafad446a04
  SHA1:     1555196a7f4b35425627fe6541c9dc510d1fc27d
  SHA256:   65a2cb554e7e43ac1bb5ee08c8fc055195ab774ed0fba01d69763649994e48f4
  SHA512:   faabe8c169dba4fb7e5c85f1b67d6d7fefd055c5d6c2214831b50dd1ee11faf1d9b0b3e2be01b04ef47aae48c83681441b29f22271a40949b71afa5ba14b19a6

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
  Filesize: 163.0MB
  MD5:      3f21e870640140bddad2bab8dd113511
  SHA1:     09f4878f3cb5265af093bf5d21f4b732dc6ec89e
  SHA256:   de04edbefbf80b59802a18ccd66e42559843beb42d9524fbafab367250a5905b
  SHA512:   7d3ed012871cb27093c571d120963c2e5a81cd8c0837d001d83c3b90bd0dad71d9a65e621537fd925a2a6cc47769d18e4040ef27b17fdf47a12e062d95d4c07d

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
  Filesize: 232.2MB
  MD5:      2f639f3f7db187ea4ba840210fc08fba
  SHA1:     de165dea392355a6c633c8d4806c8ee12529971a
  SHA256:   b86a4d72d5d270f81ecc8d79bca8b36d21957bec7f113db6e4c2dba6b4585e79
  SHA512:   e20fe4346cbccef00374dc4f2c4c34d38932caecfe56df74ee113835529351da07660f814b6e6abfd4e19f0aa67cae27537ec841816b78813a2c4b72c47f0153

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
  Filesize: 233.4MB
  MD5:      dd0b0f5b091a7a037c025e5dc9b8a0e7
  SHA1:     1f523995e692914a42a29169a5c4c7afac564f9f
  SHA256:   6febc2b3139495eee5565c1967cc95783988cf8c0241c170c998db0f8b2e3cc0
  SHA512:   3778821ce4a28a3a4d351b84026ccedad342e3cf626e2a240c99658de91afadbe6f31f3534bf11707710b9dd3555c84c395679885828a47680e1fd6cca1b8d95

Notes on the dropped files:
- The 3.6MB submitted sample unpacks to a 365.5MB voiceadequovl.exe in the wextract extraction directory, a ratio of roughly 100:1, so the extracted file consists mostly of highly compressible padding. Inflating a payload this way pushes it past the size limits of many scanners and sandbox uploaders.
- The copy in %AppData%\Roaming\Voice is recorded six times with different sizes (163.0MB to 233.4MB) and different hashes, none matching the 365.5MB source, so the file was rewritten, or captured while still being written, during the run.
- Hashes of the padded copies are therefore unstable and make poor indicators. The hashes of the 3.6MB submitted sample under General are the ones to pivot on.
Memory dumps

memory/1096-62-0x0000000000000000-mapping.dmp
memory/1096-65-0x00000000002A0000-0x0000000000A14000-memory.dmp   7.5MB
memory/1096-66-0x00000000064B0000-0x0000000006850000-memory.dmp   3.6MB   (family_purecrypter yara hit)
memory/1892-54-0x0000000000000000-mapping.dmp
memory/1892-56-0x0000000075811000-0x0000000075813000-memory.dmp   8KB
memory/2020-67-0x0000000000000000-mapping.dmp
memory/2020-69-0x000000006F900000-0x000000006FEAB000-memory.dmp   5.7MB