purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1320-66-0x0000000006390000-0x0000000006730000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
2040	voiceadequovl.exe
1320	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2040	voiceadequovl.exe
2040	voiceadequovl.exe
2040	voiceadequovl.exe
2040	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
924	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	voiceadequovl.exe
Token: SeDebugPrivilege	924	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2040	1956	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1956 wrote to memory of 2040	1956	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1956 wrote to memory of 2040	1956	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1956 wrote to memory of 2040	1956	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2040 wrote to memory of 1320	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 1320	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 1320	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 1320	2040	voiceadequovl.exe	29
PID 1320 wrote to memory of 924	1320	voiceadequovl.exe	30
PID 1320 wrote to memory of 924	1320	voiceadequovl.exe	30
PID 1320 wrote to memory of 924	1320	voiceadequovl.exe	30
PID 1320 wrote to memory of 924	1320	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
235.6MB

MD5
33017dc784aec22733484de201613b7a

SHA1
0a6aa85e4272e7f62dfe47099db0ecf5ac43124c

SHA256
74b53ae08630a3d3fe62769f0fcb17903d0b41bc36116f1eaaefa617502b46c4

SHA512
fa3ffeb92c9ead3b3f0d56174109bb85cc3ea82ac5c9d337928f002fc4b888cd25b78f650d0628c8ba5ed8426de0a8044ebabcb7f408dae671726510afd814ce

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
223.1MB

MD5
c20ec5f0d7d6a7bf4957567d7a6c72a3

SHA1
a16d7efc21ef8a97e80bceda4e773b07c39e844c

SHA256
d7495b39844eb42e0a0c08cea39c9603a556be662558d01e09dba4096066fd13

SHA512
f61972706c37edcd50f78aadf7eb73928f40732aac9e3541426c6d425ec189b855a7826ca2235a6f08eb0e80ab172bc43c81ee7585766b5c31848d7f0646858d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.2MB

MD5
5f31df8079b714acc766c83d863d8a34

SHA1
d306d281562b66a808654d6f91900fa88c873c16

SHA256
a4a66ba889ce007a1bbf0eea908d9d18a883be5bcfe488c51e7e095761860abe

SHA512
3b3a83f974bba333e850bce426932dbdb35c0239b3bda636feb9da946d45b6562a2deca8aeeb7bed1ddf77b6d5cb5f1105d26ebdd0ce41da80036f300d7f8554

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
238.6MB

MD5
97a03ab62061c1bf8f80a65981d89a4f

SHA1
6a27188c8038dfb4429957def2a0fb07c39d9063

SHA256
b85922e6b3c2e9a2c59767569d431aac9c659ee3cc0580e583ce8ecab36997d3

SHA512
1af70933d4475777180aab780a5a57235481d6d2a3c5f4cee9a7d24d4c2646901d11ba9dd0964b4eae628d8a88f119065cf42c3dfdf3fce8ed450798513d0fc1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
200.0MB

MD5
3e3916cf91374e564e962e027030458b

SHA1
a809bd9025bfec904d193beff61dda0548edf4b3

SHA256
225084856311c4ac729b5c7367d9763ff6008b6c3f6b94aa043d1219e2715277

SHA512
02514d93c8f42b61583bae429476d49e00fb3712de9f236be94dee8565197c536bccb24735bf15742eb80d38f66a5527e52332290432c2903691e1d3bc486c40

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
235.9MB

MD5
9ba8168430a3141b4a81b56194b97366

SHA1
703e9d097dacfb667586d28e8b59c4418c8300ce

SHA256
e05c10103c51552b9840b29cf58a6ae2c4c0f66921ddf26bfdad54312af85954

SHA512
d62c09ba36ce220dab4f730b5aab86f90e1bea40916570d40c52142f4793a38fe4e504f7c4bd30d7d9cbee165ed39d67a19ef11469ab12fdf4a0396d3458a4ee

Download Submit
memory/924-69-0x0000000070210000-0x00000000707BB000-memory.dmp

Filesize
5.7MB

Download
memory/924-70-0x0000000070210000-0x00000000707BB000-memory.dmp

Filesize
5.7MB

Download
memory/1320-65-0x0000000001130000-0x00000000018A4000-memory.dmp

Filesize
7.5MB

Download
memory/1320-66-0x0000000006390000-0x0000000006730000-memory.dmp

Filesize
3.6MB

Download
memory/2040-56-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing