purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
100s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 00:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1068-66-0x0000000006450000-0x00000000067F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1360	voiceadequovl.exe
1068	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1360	voiceadequovl.exe
1360	voiceadequovl.exe
1360	voiceadequovl.exe
1360	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
836	powershell.exe
1068	voiceadequovl.exe
1068	voiceadequovl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	voiceadequovl.exe
Token: SeDebugPrivilege	836	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1360	1468	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1468 wrote to memory of 1360	1468	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1468 wrote to memory of 1360	1468	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1468 wrote to memory of 1360	1468	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1360 wrote to memory of 1068	1360	voiceadequovl.exe	29
PID 1360 wrote to memory of 1068	1360	voiceadequovl.exe	29
PID 1360 wrote to memory of 1068	1360	voiceadequovl.exe	29
PID 1360 wrote to memory of 1068	1360	voiceadequovl.exe	29
PID 1068 wrote to memory of 836	1068	voiceadequovl.exe	30
PID 1068 wrote to memory of 836	1068	voiceadequovl.exe	30
PID 1068 wrote to memory of 836	1068	voiceadequovl.exe	30
PID 1068 wrote to memory of 836	1068	voiceadequovl.exe	30
PID 1068 wrote to memory of 544	1068	voiceadequovl.exe	32
PID 1068 wrote to memory of 544	1068	voiceadequovl.exe	32
PID 1068 wrote to memory of 544	1068	voiceadequovl.exe	32
PID 1068 wrote to memory of 544	1068	voiceadequovl.exe	32
PID 544 wrote to memory of 872	544	cmd.exe	34
PID 544 wrote to memory of 872	544	cmd.exe	34
PID 544 wrote to memory of 872	544	cmd.exe	34
PID 544 wrote to memory of 872	544	cmd.exe	34
PID 1068 wrote to memory of 300	1068	voiceadequovl.exe	35
PID 1068 wrote to memory of 300	1068	voiceadequovl.exe	35
PID 1068 wrote to memory of 300	1068	voiceadequovl.exe	35
PID 1068 wrote to memory of 300	1068	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:872
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:300
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:276
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1956
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1648
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:616
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:240
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1808
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1612
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1368
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
228.9MB

MD5
5bc1ef8cd7e6eb6e33cfbf1a72b4fdc0

SHA1
39318e98d93beb70beb9c8e4e7cac6c5c7875b22

SHA256
cedec2df6c22de6ba102fe85a4a9e32af6d9b74f56905ab0b0840ac1752824c0

SHA512
a69943bbe3125e96e285be68fcfbca8dcf41f5888a635e95f35c6fbb741a2e298d8940d39658b6eee0c746cef4b253a9493d0880becd1316071ce4fc5d4cb32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
360.8MB

MD5
9cbfa81f5fd993f46c50cb3f3d2a9d91

SHA1
ca3bd3a1f9f8b3a12e164d03da5641a3af84ed89

SHA256
70a6ee76998d20cc505c982a4940a6d0e6f9253ee4ce0ab2d2b1e157a9b75cb1

SHA512
9bc06ba2510af1e12616d3da6b230d65513c2a79d2454ac9eabc821a9c2ca2f63cd43289e808f7932aa0367a20b60f10dc7f5f85e9ff0e1a48b2005311a37bb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
69acfe429fdc4ab01f555de2dd7966a6

SHA1
0b49d3cce5890651d2640d201221c8b296693911

SHA256
793f09dd5213d06d0f314c2e16b6f23e2509704bd1c097143be49cc913c452be

SHA512
9bb1ab994dfc3036ad42efcb6c3d254630332585ce25e6207548f01edaaca677001e1d0144e11470413445f35da454eea64d5108564c00c6fcf875c8ef3bffc0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
274.9MB

MD5
7a3db1f64943d50ef6f499418f5161cd

SHA1
40c5c8cc3c71609e5c924f51194b8fdf11df7663

SHA256
bd152716800dbbda9208135483ad75bcb071ee25301acf6e214ab4c6b82ea78a

SHA512
0b75420f3b131bb4df86fcc26a178f177135aa12d6c671c7f129029186b074614c7d8a4a2f086b509c988d5f575a5b266a528d31f71447132a7be28fc4400e6c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.7MB

MD5
4863233eb5ca2bbc8ea3a137a79dab1a

SHA1
cbbc29555b57a5dd1acdd613851a81c4ad8d8d92

SHA256
7935aceebc5ae739abf9225d25ca3571f3747fafbf5e1833f1388b1a3d5b5929

SHA512
fcf0b25bc6b5f8acf54810906936b56a002802c337292840057b437fd4eb625797beaa8b11c66baf771bb906ebafd0be94cc503651528398b1356ee16dc7a085

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
57.6MB

MD5
e738e607c2ad7424ed03a325507b23b1

SHA1
4815986fc9522282ec682b2eb7f12df3bd5c4c7b

SHA256
20b776e9386779aadac10974aaa15784e58f4433659bdfc2ed4b1f7223b190cc

SHA512
7ecb44510649892698f573ab52982041793153c37a46c8aff9be543255a503125f25906bf0601df0a46efed30ae5126d9d0cfd4f7c0bb7d241ff35a61eb6cde0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
44.9MB

MD5
b61d12ccf793f60aa22de29e353003bc

SHA1
9c6a9c73bd33d3cfe1dd0712e13728cd6a3c1340

SHA256
84682b85e5db468bf6318231698ddd160cde29018ee6f2a379eed74194d1d209

SHA512
c841a325f904065b1bbb81aa408b5b88688c4dc4d9772d103b7e17b159b4810936efd7902fd397303dbc161d2afc6d79b1cfc749301b7b43ec08aea47a178f8f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
55.3MB

MD5
c5a17458c54d4c86696d749a150a8026

SHA1
31276bda5ae97f09f1b5eafefddc942bfb5bb463

SHA256
14f3f66c43deffede31bdb214e06517c19a48be2711143815428d45fd81fe5b2

SHA512
70e129426b1b04e791137a87b88393a7f8e4d794d39511c57573c26eba39d9e79a4d14f40d2f704f2d602d3a982e943f308c6d46090c44164d01896d02226f37

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
57.1MB

MD5
99dcb0fcc4f2e5cf3308fa0fe4aedbc4

SHA1
c4a0ba3ad317d05e0f14c6af9541a24085e7d6a4

SHA256
8f56e0262c59b9f05b7ddaf33bb65a0f23b580c59e50971938b7e345080d3081

SHA512
adb8d9fc5890ebdbcbdde7033ddcece3fb8d6a4d8b824cf9c1dbd608fc1b4fa9cf5520f8ae9f99470f6250b7d40fb26f71e50301d73059a9ba4982356d1b6b0d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
57.0MB

MD5
69538e41293e158e6b6427900476efe1

SHA1
dbef6d04e0e6d4c35968136b0520447f6dabb2e5

SHA256
ff909424ca63fd282ef4dd3a99969e63755b6658670063bf1962ea5deddd6972

SHA512
bd842ce1954577d214788e7f4344830d2e0259a81f9b13ffba0951844c4ade247746e4295b6b055a44f2a759f5d3291355c1b9f60c2cd44e61b419d2a8f2806b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
57.0MB

MD5
69538e41293e158e6b6427900476efe1

SHA1
dbef6d04e0e6d4c35968136b0520447f6dabb2e5

SHA256
ff909424ca63fd282ef4dd3a99969e63755b6658670063bf1962ea5deddd6972

SHA512
bd842ce1954577d214788e7f4344830d2e0259a81f9b13ffba0951844c4ade247746e4295b6b055a44f2a759f5d3291355c1b9f60c2cd44e61b419d2a8f2806b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
57.0MB

MD5
69538e41293e158e6b6427900476efe1

SHA1
dbef6d04e0e6d4c35968136b0520447f6dabb2e5

SHA256
ff909424ca63fd282ef4dd3a99969e63755b6658670063bf1962ea5deddd6972

SHA512
bd842ce1954577d214788e7f4344830d2e0259a81f9b13ffba0951844c4ade247746e4295b6b055a44f2a759f5d3291355c1b9f60c2cd44e61b419d2a8f2806b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
56.2MB

MD5
45e6dca8656584f8351e85614fe75110

SHA1
f9973d1c2169c0e86b26dffa8503786878c8eb6e

SHA256
b78dbf9e695a7a229782f2a3e8332716424090097cd3d69f75574d73afc43bb8

SHA512
58baaf89b5a33edfc231bbc40f6e08bd089ff98d1ad63e13ea391738e5071e1b5b1d09e95fb79cba5d51ac79ef29796fd7e0f2d52b81b46aebf8e93451380bb2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
56.8MB

MD5
c92b4e072be6eb7407cb11941255a2ed

SHA1
65f8ee430161573a15e7a73da77b6e0bd7258837

SHA256
8d5c00d5de521d518f33e0fedea9382ac6d6b5c28b966632ec435dacab3ef4c9

SHA512
5c0bc427fe9e142cddcf028f19e0afb712de3b4430d6f9e83a55cfd1a4fd8bb7e905325ba42efbec3aa0fdfb24a4fe6c6296d2fbd6ca81520828ea95569bf4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
56.3MB

MD5
a766277c44e8c5a67566b5f06eb56c81

SHA1
a91d0f04da57668539073b14d6c9a84914c99741

SHA256
a05e4adec1439dd5f42ae1359894f88e5279fa88272afe64fa51c068fb972be3

SHA512
ad732b0ec4fd17410e4d83dabc9ae0765dd03dbbeb3194284402dce555bf44453d5750302baddfabd90b812c246f7ec415fc7244ae444fc1a4cb53fc22dc2428

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
275.4MB

MD5
c9c456efeca9a0d29c611e45453fba9c

SHA1
362963becc4b18fb18e4b1a1d5d2d2b77e5fe8b6

SHA256
6779e7822dc068e60c8de456eba3863b32c36c1e00624cc867c11b6f7904b24e

SHA512
f17f0c6d1015c428d117c79ac6d47824f649f13e83e0df385ff1db0ed031880d540790edaa2b4dd7c6c2a878a0ee70c5ff23e0fb8ecc89a9e55993d160747ae2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
279.5MB

MD5
ec43ff9379a37b73f519202c757b0c60

SHA1
b407bf761b6b8a671aece026f6b450f603cc1dfc

SHA256
c59f813424944b00b2bdbd3990ec08d6af12cf36378c061daaa4b7c2a653a535

SHA512
509ba82594e1228d0968ea7f706dccac4e84077c27b2a67548885a5503f03285af2ad0d3509038e0b136943e3302c71d694b43ea6832ddaca8da28324b06cbe4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.7MB

MD5
f1586a11c7318f1f9b3724d200c5648f

SHA1
1f9abb9389266187ae4c12156f81934a51656567

SHA256
6c67b6b3e144fdf53543382bb2ba23cdba63e6b4552792d686537f8e75270b96

SHA512
22798211f1dfb7c93124ec845b00dce0897a913eceffc91f9fc0d0b240da934e9e40dc4dcfd18bd1d209183d5de950739f4df4d6b8069ad477073f807bf3a498

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
279.9MB

MD5
9ce081cc07f7d8e1bb8f3a2987a350a3

SHA1
43115729b3972377fc51de559a7dc03767f6bd19

SHA256
35b730051020b03d9b0b6680185680b8b89a21c8119c6bac89f07d08a7e8b76f

SHA512
32f7d6e331e80fef9c6cac21577b213df49623ddc3b248e93b1754afea7f3e4786c83221d4c70b599975389a6b9b02673a8bb944a096f6359e5be019972c833e

Download Submit
memory/836-71-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/836-70-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/836-69-0x000000006FB40000-0x00000000700EB000-memory.dmp

Filesize
5.7MB

Download
memory/872-87-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/872-88-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/1068-74-0x0000000005420000-0x0000000005592000-memory.dmp

Filesize
1.4MB

Download
memory/1068-66-0x0000000006450000-0x00000000067F0000-memory.dmp

Filesize
3.6MB

Download
memory/1068-65-0x00000000000C0000-0x0000000000834000-memory.dmp

Filesize
7.5MB

Download
memory/1360-56-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download