purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/268-66-0x0000000006420000-0x00000000067C0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1272	voiceadequovl.exe
268	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1272	voiceadequovl.exe
1272	voiceadequovl.exe
1272	voiceadequovl.exe
1272	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
580	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	268	voiceadequovl.exe
Token: SeDebugPrivilege	580	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 1272	828	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 828 wrote to memory of 1272	828	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 828 wrote to memory of 1272	828	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 828 wrote to memory of 1272	828	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1272 wrote to memory of 268	1272	voiceadequovl.exe	29
PID 1272 wrote to memory of 268	1272	voiceadequovl.exe	29
PID 1272 wrote to memory of 268	1272	voiceadequovl.exe	29
PID 1272 wrote to memory of 268	1272	voiceadequovl.exe	29
PID 268 wrote to memory of 580	268	voiceadequovl.exe	30
PID 268 wrote to memory of 580	268	voiceadequovl.exe	30
PID 268 wrote to memory of 580	268	voiceadequovl.exe	30
PID 268 wrote to memory of 580	268	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:580
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.0MB

MD5
d9b638d8871fdd7212f34b2c281f4394

SHA1
572cb1bf459e57618cabdcef0545bb864e68dca9

SHA256
0da5cc14c8250268a0060f217ce9c7ffa314695d6d84e26cc8b2cf2156026c88

SHA512
5b01a7c74c4866f0b72383499bc3cdad4fad22f6f2840ace5cbea2c62c8d32a68ee231fcabbb08c58e00c6aec037f46d92aa28c67ca908b6150d42188008fa80

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.0MB

MD5
fa8b37c6e614144415dc3432ba090c67

SHA1
0316aceb26f41747f1881b00581845ea64d2a92e

SHA256
b5c37ec74ac4170fc5ff17865e77eb6b228d0973d755c556afc1c041f76bb8c7

SHA512
bdc85c4644e1a1ebe23f59d783a9d15cfa6d5cd92b6a7eb7e13c4a7ca2485460a71b970f994f38939b491432497d3810d86070e4bed5f567201fe864dfe68264

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
236.2MB

MD5
8bd3467aad6a4bba9f4783d606432098

SHA1
27140800b3d1112b917269db84fba36ebd400aef

SHA256
7c8cc996f221393fd657faa3f989023bc32a43ebc0d5735851498766de8ee344

SHA512
b98841daf1e762ec022f66c9a1a0d2efb93ae43e4116ee2449c11b7bad1a672e46b2b3c109cb0259a3c0b5c54ccdbea4eec1401f8d802db12fa04c1a6815b59d

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.8MB

MD5
cd9dab716dbfb42ff0fd56cf00a8685b

SHA1
8324cf61b960c22774d248cfa08b22ac608c09db

SHA256
5642fbb4fbc44e9044ce851ba2cea82cc2eddbed40cfbde6711374c8b7b33883

SHA512
89ea86a8319f7c9f0dfc1b6dac325e10760adb7789ccbfc59a7863c5c148caf1029dc4c460dc11fa759241777cf304e4ff70695e5ac8df7e447a9da8f7d83533

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.4MB

MD5
665af750b8e4eb7db156123e022127a0

SHA1
ec16dd361a0dedd7cdb9858b4a402d45690a1b56

SHA256
3748aa0d19c75702ec76ffdbb57559d53405b21b2f41f8c455fd52b01940a145

SHA512
ae8df8d36ce239e4ca07a6ae1e3aff07b21cc8c5b390116cc6f303b8919552915513f5cc8be29f089bb0074c8319f49c336c2cd5f389db006363dc66a337080f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.2MB

MD5
5c6a394691fd95e73491169ce6a9f48a

SHA1
6050cbc79fb7c9761a4b171bf6ce9c450a71be40

SHA256
3a0f45a90edfe1720acf13831b16cb39e634d1c43ba195220311bc048617c092

SHA512
a11b734d4ca02f99af75bb3b1e527499a861913d3cca33cdc35c9a989b851e040a689b230f6650b54490963bbfd38c285431159d29672117bbd8fff8c612cf77

Download Submit
memory/268-65-0x00000000001F0000-0x0000000000964000-memory.dmp

Filesize
7.5MB

Download
memory/268-66-0x0000000006420000-0x00000000067C0000-memory.dmp

Filesize
3.6MB

Download
memory/580-69-0x00000000700D0000-0x000000007067B000-memory.dmp

Filesize
5.7MB

Download
memory/580-70-0x00000000700D0000-0x000000007067B000-memory.dmp

Filesize
5.7MB

Download
memory/580-71-0x00000000700D0000-0x000000007067B000-memory.dmp

Filesize
5.7MB

Download
memory/1272-56-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing