purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1756-66-0x0000000006480000-0x0000000006820000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1892 voiceadequovl.exe
1756 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1892 voiceadequovl.exe
1892 voiceadequovl.exe
1892 voiceadequovl.exe
1892 voiceadequovl.exe

pid	process
1892	voiceadequovl.exe
1756	voiceadequovl.exe

pid	process
1892	voiceadequovl.exe
1892	voiceadequovl.exe
1892	voiceadequovl.exe
1892	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

960 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1756 voiceadequovl.exe
Token: SeDebugPrivilege 960 powershell.exe

pid	process
960	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1756	voiceadequovl.exe
Token: SeDebugPrivilege	960	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 980 wrote to memory of 1892	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 980 wrote to memory of 1892	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 980 wrote to memory of 1892	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 980 wrote to memory of 1892	980	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1892 wrote to memory of 1756	1892	voiceadequovl.exe	voiceadequovl.exe
PID 1892 wrote to memory of 1756	1892	voiceadequovl.exe	voiceadequovl.exe
PID 1892 wrote to memory of 1756	1892	voiceadequovl.exe	voiceadequovl.exe
PID 1892 wrote to memory of 1756	1892	voiceadequovl.exe	voiceadequovl.exe
PID 1756 wrote to memory of 960	1756	voiceadequovl.exe	powershell.exe
PID 1756 wrote to memory of 960	1756	voiceadequovl.exe	powershell.exe
PID 1756 wrote to memory of 960	1756	voiceadequovl.exe	powershell.exe
PID 1756 wrote to memory of 960	1756	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
338.7MB

MD5
6a0d904a205459077d39c5bf3038aba0

SHA1
bf1879e098f9018cca14a3210ec622c2571ad4a3

SHA256
19a42d214c1982e9346b26b67313a0a083e7a1e02f4703280e2c528047235b5c

SHA512
15ca486905b31c91db9a5d78bdaa6995932e79186910cde4299aa640e2a88106e7dbd3dfbc5c100b2aacd040001695a090bf3c6c74cbbf81c5625702455d984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
329.4MB

MD5
f999261e174d13277db703e359f80d67

SHA1
7bd11344cfec1b9762103b702b9ef55b58674723

SHA256
41f1b6c6c12811803ab2c6607f30c4812caa20cba51ac43edaba96726764d4ff

SHA512
af3e7605ed33bff9a074a462e4458cf2dfdf531be67c53fd2f50fc54472764d994193b82e3038a035cb4e7cf2e7a2de782318f76219b52e69ce7b0ebe3317478

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
188.4MB

MD5
f034a447d357493862eb12cff816aef3

SHA1
cabb8a17a88132da6c2908984e53159535caa83a

SHA256
b5247872b639c926b9c457866f28aa4063e19c657f7ffe594f70de0e1db2a387

SHA512
17d16e11d9ce31e04e1cab25c97e574a5738b924e97b48376d0380688397d4d3820d791c4c5f1d206bdd90602633ca4a1761b545f97c1c9233108ca6668d936e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
187.2MB

MD5
53728c336cae7e85706e5098f7c70aad

SHA1
6eda8bf64c86a73d188a53358bb8c458398dc13e

SHA256
4c549b594cf185d939779c2571b96ed5c70017b522bda47cfc688ca130ac1ac3

SHA512
941cedc0b3ce5092a4a5c322ad6315ba190b05ef19d0b72c770a0551647def8aab67ce873becf3820e05d85cfcabd2a22ccf2b7ad87bdc9d6aecdd9e2d64f20a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
189.8MB

MD5
b8ff210c018d0dc3f64d5011367a6b83

SHA1
a055c96b5b9c380cb02efb60f176e8d7cc50b275

SHA256
bfbc788c2537b54ec9243c417068d02ad03e8d564c09bf88ac19a946a5203066

SHA512
a886f5a3a1a905970e359bca065639d0723399eb2d54efd7bbd91c1dfec07df944d6437440166b4ca19e1b9b8acfba001cf592b71d7aae366a944a4ce133b72d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
170.3MB

MD5
705bffe48cd6dc31f90f50a43ec82e7b

SHA1
e83b2bc3630d1321a04b9db38d00aa52a9793843

SHA256
c9519575032ffa3627f59b51b2e0f31ed41633382d4734329fc4043a697bcc4d

SHA512
f994597a06b0c354e03122f898dd7a008cda04f29e206e70ff3c0808dca6bf0001f02e235ff1ef25019c5db32c828a8302c8f825543d428b5e15a74fd9b914ce

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
190.2MB

MD5
a2f6c09603ee94cbe4648641d948ddd9

SHA1
c8d336d1d4725a3ac7867d64fdf7630148be2d31

SHA256
0113fa6f92f33ac979c3bbf638c6396491a689308aa398ab16e7d5355aa3bbed

SHA512
d2f7cd99a8e87d9f25df13557604186356b9ce1d6bcffe0212242d037e9adfa84c8f9b990e20f9826a2e7bb3a727f704d26b825ae7c955f6c86321402d95de68

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
188.2MB

MD5
35fb0b11ab0e899f9409fae5dfeff968

SHA1
ef69fa13063f72fe0e1aa02790e43a3731531ef8

SHA256
4b7e1716180a9ef34abb581fd5c8532d0a8aa370a451e37273eec5636723347b

SHA512
3d994ec4cb51709d613571110b45976ffbef392b8830af052a9b6953546073c9ae0863590ca66298eb0c51f1efd9103c85b590738923f5ea19802203dbbb6537

Download Submit
memory/960-67-0x0000000000000000-mapping.dmp

Download
memory/960-69-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/960-70-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/960-71-0x000000006F750000-0x000000006FCFB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-62-0x0000000000000000-mapping.dmp

Download
memory/1756-65-0x0000000000CE0000-0x0000000001454000-memory.dmp

Filesize
7.5MB

Download
memory/1756-66-0x0000000006480000-0x0000000006820000-memory.dmp

Filesize
3.6MB

Download
memory/1892-54-0x0000000000000000-mapping.dmp

Download
memory/1892-56-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads