purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
148s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 00:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/972-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
2032	voiceadequovl.exe
972	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2032	voiceadequovl.exe
2032	voiceadequovl.exe
2032	voiceadequovl.exe
2032	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1772	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	voiceadequovl.exe
Token: SeDebugPrivilege	1772	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2032	2044	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 2044 wrote to memory of 2032	2044	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 2044 wrote to memory of 2032	2044	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 2044 wrote to memory of 2032	2044	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 2032 wrote to memory of 972	2032	voiceadequovl.exe	28
PID 2032 wrote to memory of 972	2032	voiceadequovl.exe	28
PID 2032 wrote to memory of 972	2032	voiceadequovl.exe	28
PID 2032 wrote to memory of 972	2032	voiceadequovl.exe	28
PID 972 wrote to memory of 1772	972	voiceadequovl.exe	29
PID 972 wrote to memory of 1772	972	voiceadequovl.exe	29
PID 972 wrote to memory of 1772	972	voiceadequovl.exe	29
PID 972 wrote to memory of 1772	972	voiceadequovl.exe	29

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      PID:1724
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1824
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d24a90cfb47881e0b0f628a7c4e26ff4

SHA1
58e1e795b78995026c32be6c52ac4ebdada95c39

SHA256
3b7f4a479ca3ca4e4f8e926cd812d6ebeffcc4aa0a58d94dc960163fbeac22e2

SHA512
c4eb406082eeec39c0947543b70a44860e9507bc053209e5812af2c053ce97e91aec90841b5eff1c64fd73e06450e739d03435625aef2bd4e9263fbb3d8f077d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
209.8MB

MD5
4c4a72e4645f164ec12567e391456ac0

SHA1
40af128e25d50b9edefafa262d5a11a20a11a691

SHA256
32f184ac83d20b050f78cb034f226109361dbb4cc8b20d6e9af26ca9029b6742

SHA512
993370612fbc8e2da49c57cefe250b9610f390780e1b7880c619c397c51e98f9dac592bdc80e95451309fb78f0cb47ad4911adb34abc09e56c9d290ecb44014f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
227.3MB

MD5
38dc3eaa849cddf3acd7828a96409ff2

SHA1
695e682e8f0cfb49d800c1e4bab568c24a331e61

SHA256
f32cd6e1b3308e5901ece39b638030a3b2e30a284c0ae91c9b4542b5805901cb

SHA512
23fa269e460c6a06327bf4e4300fa018789988c3929e601cd10c783d8d9a31a2c3e994aeebc8354a3a5fa9167bda2220ca87439f00d1e0e106192e2166e467c2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
208.8MB

MD5
e7537ddd62b75d68319ca1dfe6b9bf11

SHA1
2cb4a21af1c267fe6d4dba9f69fc98607e87f83b

SHA256
507f603503438e5272cddaf5086586246ab5040dae7e51c47fabcae5a67aec82

SHA512
07d70f19aabb03751d0699309a166d38491d1d4fd57c02ea66f30866ef3139365f11b65b1d93370ed8ebfd2dc8bf78e659cf84575b5a9a52ad35c94e25850c74

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
219.2MB

MD5
a23fe31e576e469008b04648d42e4009

SHA1
7de0c7d3bc13f68e4f2c904427ad4990ae3c7818

SHA256
8aa506989e13bf51fedeaf5f846a0f48ff93878b886e70fe6e4775e9948fe9ce

SHA512
673928ac23fce030db52c1024f0d8444cda86f5b4fd6506e47232f96379c627a03ebd96b5a53144baab21e40505de995951396fdbc86d1a9bf8293fa5a918570

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
230.4MB

MD5
b98375249aafc2f649253f67d5304ca1

SHA1
64d26b24f6a79237fef153c9dc1ac504972d2776

SHA256
0413614b157cb87a45d12c9a63fe16806124324c6a5171ca2d2f886cd62e192e

SHA512
8558edeb13e9ab48376905c964cc3b4732e86c2a62dbf0bd43ceb0c6c52784ad5d8ebc461a0e7d174c60a40bbc235e37edef46f30b354973281f2ab2f68088a6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
228.1MB

MD5
5f0b2ef10c688b4c4c4a711e75c5230e

SHA1
c7905dcce2078b3695be57b4974e74be835c6687

SHA256
47a47d1d8baf7f6375ac218ee8916466d441b9eb21da4aab8ec232bb7153191c

SHA512
25d9b5b6243c435cc75b68dcab170c411bd02bb5555eff4f9d2bcfc78690ec3c587124ce4c39ed25b830f4041f4bc3ba9720f4e28e84432600e230cfd1dc493a

Download Submit
memory/972-73-0x0000000005370000-0x00000000054E2000-memory.dmp

Filesize
1.4MB

Download
memory/972-65-0x0000000000A70000-0x00000000011E4000-memory.dmp

Filesize
7.5MB

Download
memory/972-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/1072-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-86-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-83-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1072-75-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1772-69-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1772-71-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1772-70-0x000000006FA40000-0x000000006FFEB000-memory.dmp

Filesize
5.7MB

Download
memory/1824-82-0x000000006F790000-0x000000006FD3B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-56-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download