purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1492-66-0x0000000006580000-0x0000000006920000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1460 voiceadequovl.exe
1492 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1460 voiceadequovl.exe
1460 voiceadequovl.exe
1460 voiceadequovl.exe
1460 voiceadequovl.exe

pid	process
1460	voiceadequovl.exe
1492	voiceadequovl.exe

pid	process
1460	voiceadequovl.exe
1460	voiceadequovl.exe
1460	voiceadequovl.exe
1460	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

268 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1492 voiceadequovl.exe
Token: SeDebugPrivilege 268 powershell.exe

pid	process
268	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1492	voiceadequovl.exe
Token: SeDebugPrivilege	268	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 1320 wrote to memory of 1460	1320	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1320 wrote to memory of 1460	1320	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1320 wrote to memory of 1460	1320	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1320 wrote to memory of 1460	1320	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1460 wrote to memory of 1492	1460	voiceadequovl.exe	voiceadequovl.exe
PID 1460 wrote to memory of 1492	1460	voiceadequovl.exe	voiceadequovl.exe
PID 1460 wrote to memory of 1492	1460	voiceadequovl.exe	voiceadequovl.exe
PID 1460 wrote to memory of 1492	1460	voiceadequovl.exe	voiceadequovl.exe
PID 1492 wrote to memory of 268	1492	voiceadequovl.exe	powershell.exe
PID 1492 wrote to memory of 268	1492	voiceadequovl.exe	powershell.exe
PID 1492 wrote to memory of 268	1492	voiceadequovl.exe	powershell.exe
PID 1492 wrote to memory of 268	1492	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
292.6MB

MD5
152b67db52e1734f7182cb25f5f67316

SHA1
13f124e1ab10015a776c44aa335d1efabd161da3

SHA256
9bfd7f8e7e3553fa9cccda1c59d594095bb977cd9dc25bfdd1674324a7e917a2

SHA512
08bb123a8a5c9e7c8b72753f1060067464da6a4271aa6ca90dbb5c9dfa70b276eaea2d5ed930c174e7cf1001eca1d8e3aed43366e46a0114de23690c57733f35

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.9MB

MD5
9587d5f90b198f5eb9f7db12fc9448cf

SHA1
6f115d5be96019ef1423daa77a29ac4392ccf14e

SHA256
44a30329ed9a454d18976abd0c2e813ca068c0a773cc6f1bf47292d80108ee79

SHA512
d6288b1f95887c17354c3380ecdb9a38680947fb31213fa8b7f42cdab439449248dbf115a2672702f510fc7182607994e8ffe75f635332ef41173a1127d970bc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.7MB

MD5
b8f9f014b42dec059245d4de32fbab6e

SHA1
062837cebb10fdcabbff369f3bf6205f79e6f4fc

SHA256
6cd328ac8269eb480f97edc47fb74870d1b17240761345fa783c5a182c1cc371

SHA512
7eb1e50574fb4f164bced152dac8534c93aef00a49ef80563f2649a25af3eb10f847fc00bc1b7b2a045892ae23bc44ca0948f72065b9b95895ef4cffeb6a58db

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
277.3MB

MD5
557c84293379b33b883cb7a45799bc20

SHA1
1e252e1127ecc944431c2e79cb66ce86a9216f1d

SHA256
118924174c3871323e439208c6fb5b7ecdd459197b6308e8111a0d0ba36f1456

SHA512
32aa2853b986cecc14591dff870accf208a0e960f931af87a96ad1d3746860dc92029de4f422cd337f16a0e154109e245e90d662aeae5f07eca9d6e10da06fe6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
276.6MB

MD5
ba36946246e5618fc99b49477599439d

SHA1
effc9a85dade565b8d4ac2e1b5d11de19d9140e3

SHA256
2df105ebd946abad75fb13d15c1f52f1abca17a7fa59aab58fa499bbe7aefc5c

SHA512
9d3f7fb603b9846739ac33e4bca55d678142348cb140f0aaa95ca481f9fb1afc0ffe4e0c58578c243e81b4bc001d6b38383a79ccbf54c6abfb393ad9c104c1c9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
285.4MB

MD5
3c69f22e76a79ecb1c5db708aac86504

SHA1
7960ec010b0505b2eacc513842a5630d4c644976

SHA256
9e366e2c00e10ff2ee984adc4b0acd3bc009dd831e707808d312622d28363ed8

SHA512
5c874d8cf22df1a96d6a03f9761d45f7addbb583563697c9951fe35df5a350a8ef248906f065efb801d6252af8c831656325e778e2d5faca20d7826c638ae0cb

Download Submit
memory/268-69-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/268-71-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/268-70-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/268-67-0x0000000000000000-mapping.dmp

Download
memory/1460-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1460-54-0x0000000000000000-mapping.dmp

Download
memory/1492-62-0x0000000000000000-mapping.dmp

Download
memory/1492-66-0x0000000006580000-0x0000000006920000-memory.dmp

Filesize
3.6MB

Download
memory/1492-65-0x00000000011E0000-0x0000000001954000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads