purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/780-66-0x00000000065C0000-0x0000000006960000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1884	voiceadequovl.exe
780	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1884	voiceadequovl.exe
1884	voiceadequovl.exe
1884	voiceadequovl.exe
1884	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1592	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	voiceadequovl.exe
Token: SeDebugPrivilege	1592	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1884	952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 952 wrote to memory of 1884	952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 952 wrote to memory of 1884	952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 952 wrote to memory of 1884	952	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1884 wrote to memory of 780	1884	voiceadequovl.exe	29
PID 1884 wrote to memory of 780	1884	voiceadequovl.exe	29
PID 1884 wrote to memory of 780	1884	voiceadequovl.exe	29
PID 1884 wrote to memory of 780	1884	voiceadequovl.exe	29
PID 780 wrote to memory of 1592	780	voiceadequovl.exe	30
PID 780 wrote to memory of 1592	780	voiceadequovl.exe	30
PID 780 wrote to memory of 1592	780	voiceadequovl.exe	30
PID 780 wrote to memory of 1592	780	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
126.6MB

MD5
f1b8e12197adf9993c74dd2cff114c9e

SHA1
a45aca5a356682c9001a3830ec3b993977ef134b

SHA256
9341ea9a9ad66511372efbb70d2d77a340c7693a43c0e59252a24fba50370a3c

SHA512
dbe538568959af6a9a94783416590d7fab942e6933e1ba32ac4f5f79cac6f0d505579014e4c71a387d47fbdd11b51d8b2b66aeb95c4ab429dba7665452b09b4c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
134.2MB

MD5
b6972dd85f6a4abd16d9e40bf20eb91c

SHA1
9440ab24366f4164bd3d9a8d044b7edb40f7e05b

SHA256
27e84e819deff106ca4134aa2818e92d2904638b0a6c1553cdcf7752411430b9

SHA512
fc61f457217dbf3972c1fee25d8d10d7018c032ba14d785827b10153e242204d740aba4cc293575ba95c9a73fd090a7d68889fa35e98d8ba2b09421af4726ee9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
140.1MB

MD5
106d9fdba8cef1e9f43a9a550ed5193b

SHA1
b8f22949d4886aaad9171525e433139eb977234a

SHA256
ec0704253703992a3a1c59abf620f6bf0469a2b78df33abdbf6a7b719694b3e9

SHA512
5b311acc8000a8e77e52b56f5d5878298d0585eae2917b0bd6a8677ba775ee61743e30c3b6acb32c4042584f2dbe7d272ac0cf971a63f0eb4e1e2e03c45f6172

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
141.1MB

MD5
61d1b2da42323ff223b6370832190c35

SHA1
14523d22d11062e456465d8ddfa8cd9ba0d8f5fa

SHA256
d841ce31fc7c53e17e2e43c96681cbbcbfd0d8a6182c8f4010b725045c483281

SHA512
114fa880b1cef1b4c61e4fc6f400948549b512062057018a6ed8ab627a538b3e7a0e27f3733c2d450619c4509c0723554dbf5d2f49850fcee0472c1447987e92

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
141.6MB

MD5
9f7a8c9dbb4aa0c6160db8beae073c91

SHA1
0840049f0f6e21d0cab897a8a9ee299b90d188e2

SHA256
c278b7f1979686050b16d53070e1adb821b8cf8bc99628b89b57cb3f9fd522b3

SHA512
519978498df0ef2934a1a469ecabb377fe6acdb5db376d14e21378ace505742fc0751ddda204f5ede1bd358ee3958a29ede37390a106668db236c13f9b2c97d0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
136.4MB

MD5
13f1b1bb235b7a433d5841409a303082

SHA1
96eb66b0ce86993932cfb06081816c080b66364c

SHA256
a809a8c9e3fc13b71eb3d6c712531d328fb04786f6f568c165ba9adf9d7a9ef9

SHA512
ed0d34fdf295bf4a0973eec6df22961c9abde1192194d3ff6eab2385f6af584dc15d8901ccd92e92a2892409b2848b321cd85aebba130741092becbc9c54e99f

Download Submit
memory/780-65-0x0000000000300000-0x0000000000A74000-memory.dmp

Filesize
7.5MB

Download
memory/780-66-0x00000000065C0000-0x0000000006960000-memory.dmp

Filesize
3.6MB

Download
memory/1592-69-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-70-0x000000006F470000-0x000000006FA1B000-memory.dmp

Filesize
5.7MB

Download
memory/1884-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing