purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
95s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/956-66-0x00000000064E0000-0x0000000006880000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

2040 voiceadequovl.exe
956 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

2040 voiceadequovl.exe
2040 voiceadequovl.exe
2040 voiceadequovl.exe
2040 voiceadequovl.exe

pid	process
2040	voiceadequovl.exe
956	voiceadequovl.exe

pid	process
2040	voiceadequovl.exe
2040	voiceadequovl.exe
2040	voiceadequovl.exe
2040	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1284 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 956 voiceadequovl.exe
Token: SeDebugPrivilege 1284 powershell.exe

pid	process
1284	powershell.exe

description	pid	process
Token: SeDebugPrivilege	956	voiceadequovl.exe
Token: SeDebugPrivilege	1284	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1208 wrote to memory of 2040	1208	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1208 wrote to memory of 2040	1208	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1208 wrote to memory of 2040	1208	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1208 wrote to memory of 2040	1208	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 2040 wrote to memory of 956	2040	voiceadequovl.exe	voiceadequovl.exe
PID 2040 wrote to memory of 956	2040	voiceadequovl.exe	voiceadequovl.exe
PID 2040 wrote to memory of 956	2040	voiceadequovl.exe	voiceadequovl.exe
PID 2040 wrote to memory of 956	2040	voiceadequovl.exe	voiceadequovl.exe
PID 956 wrote to memory of 1284	956	voiceadequovl.exe	powershell.exe
PID 956 wrote to memory of 1284	956	voiceadequovl.exe	powershell.exe
PID 956 wrote to memory of 1284	956	voiceadequovl.exe	powershell.exe
PID 956 wrote to memory of 1284	956	voiceadequovl.exe	powershell.exe
PID 956 wrote to memory of 1040	956	voiceadequovl.exe	cmd.exe
PID 956 wrote to memory of 1040	956	voiceadequovl.exe	cmd.exe
PID 956 wrote to memory of 1040	956	voiceadequovl.exe	cmd.exe
PID 956 wrote to memory of 1040	956	voiceadequovl.exe	cmd.exe
PID 1040 wrote to memory of 1824	1040	cmd.exe	powershell.exe
PID 1040 wrote to memory of 1824	1040	cmd.exe	powershell.exe
PID 1040 wrote to memory of 1824	1040	cmd.exe	powershell.exe
PID 1040 wrote to memory of 1824	1040	cmd.exe	powershell.exe
PID 956 wrote to memory of 1640	956	voiceadequovl.exe	voiceadequovl.exe
PID 956 wrote to memory of 1640	956	voiceadequovl.exe	voiceadequovl.exe
PID 956 wrote to memory of 1640	956	voiceadequovl.exe	voiceadequovl.exe
PID 956 wrote to memory of 1640	956	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1824

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1640

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1948

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1120

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1636

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1256

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1632

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:928

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1144

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1252

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:2012

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
310.4MB

MD5
26f4ad33c39f068e534f894ac5eb2cbc

SHA1
9d2fa6d5e4455e909917318097cf1f85a617b35a

SHA256
924ebcd5fd8eeb84617eabbb9a121f577b6585edbb55b311f18b0226f9c7da39

SHA512
8be065c774bd9ce7ea3f41c5fc383d02050c17b0ce73af967014cf733c986d302d2a49d62dd12c651f793ea2694bbc48afb3bfb32cd313cf42d712cbaee2ee17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
302.9MB

MD5
346ad8ef657df6a21b9188a86c9599e1

SHA1
e5039a987a51d63732d7753c90a2d5a90f720577

SHA256
873a069145e239097c1cf96ea92b95e4a6e55df5bf559e01d42b44b94abf259a

SHA512
fb9f938d14827c8fec6dc515889f2d570e200784c7014312d4475186ab72a81647d2f189439734c4562baaf0017d21855450b8a0b4e64e5b43077c3a54ebdb9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
276b7950131c4dccded6ba2593eeae1a

SHA1
0c56f14b2dad14e79c2ded4726859db22cac2397

SHA256
66695703a739839dcd7670bb6089ac7361742c6c535e1a5ab99933d86ac5044b

SHA512
5acb47c76be27d9e3a4b70427181abf43d4d61a48b56c1efbc25cf6e15d8e2284b7ef11b53d1bad4a18bf3112bc9133ec501a2fb1eaa2072d4941ef5547b5e95

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
216.8MB

MD5
2b235b83afff8856aa9784562cf016b7

SHA1
be7f2105dca31ff0d81ccbe127b4471dbf5d89e8

SHA256
1dcc57b8b0adef4e3a3e1069e410ee158622d25a38d65a1ec2c05c38820eb957

SHA512
3437a1ccf58a45d1023c5b92932e884967408c8d1f6a7e51967aa869315d7411277996b525dfb76bf3f4a7f28aafd30cab52d33ca768944d5adce28f5503e3cd

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
223.9MB

MD5
e106b9313fe45a29a22e24c4f43417ab

SHA1
f6535ee002ac22f783a07b253decb523e7a5aa67

SHA256
ec939bf136dff78b308070c55c11dc62b41f8a8392437e2482f100bec641a907

SHA512
f681733db279bd88c9b77681e6103bfee821d58e4154d88f9a38fbd927740d7dd96eef4f7522eb947d06ef7546b084b2d01bff2ea5a9b9bba7674cfe85c27f89

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
57.1MB

MD5
99dcb0fcc4f2e5cf3308fa0fe4aedbc4

SHA1
c4a0ba3ad317d05e0f14c6af9541a24085e7d6a4

SHA256
8f56e0262c59b9f05b7ddaf33bb65a0f23b580c59e50971938b7e345080d3081

SHA512
adb8d9fc5890ebdbcbdde7033ddcece3fb8d6a4d8b824cf9c1dbd608fc1b4fa9cf5520f8ae9f99470f6250b7d40fb26f71e50301d73059a9ba4982356d1b6b0d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
57.2MB

MD5
ccd88573fabad7577d581532ef17dad2

SHA1
5b550430c07bd123063343b19f467b19a5eda2d7

SHA256
53a404fd1e53d96643b4f3eefff2f3c8e28a425e3a48850a10e4df204c165526

SHA512
ef24976f5458780c321b70f42f833d579dc47af07bc0e35e4ac23982903c9edf41d5d81bcd267b81e04e04c31e3d39d7c68148d000792c853dda0f9a432c4800

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
56.8MB

MD5
c92b4e072be6eb7407cb11941255a2ed

SHA1
65f8ee430161573a15e7a73da77b6e0bd7258837

SHA256
8d5c00d5de521d518f33e0fedea9382ac6d6b5c28b966632ec435dacab3ef4c9

SHA512
5c0bc427fe9e142cddcf028f19e0afb712de3b4430d6f9e83a55cfd1a4fd8bb7e905325ba42efbec3aa0fdfb24a4fe6c6296d2fbd6ca81520828ea95569bf4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
56.1MB

MD5
427216b782a84987a83952fbb20a3d14

SHA1
12016d9c7e002aa94436a367bd0384ae933a7c6a

SHA256
d2a839f7bd687574e42972c8fa19b041e941737d6e1aba183b30e7ee1014325f

SHA512
9e10ada3f0cbda8662c28433476fe5624066b3c5d62e960d8cb095028663f3f9fb2b3b34c555db4be3400e887c9ade6821a7c10d7024317a599307bbbea1f1d8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
56.9MB

MD5
b5e0fa6fbd6da3d35c578dac47eaedc9

SHA1
c548b72aef6e1594cc831fcef4216090a441a02e

SHA256
1bde924b65cf1d0afd51073aa30d9d3e297c67a2e722b2e8d43ff32c6f787557

SHA512
e6469541a886f12a625c47ceea4daaa603aff019a5d820fde766f2246cb3f5f4dbe195e1bca75f116f4ee3eac09c801f01ab129adcfc39f1d4efcfa964e925ac

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
56.9MB

MD5
098c71f401a32750ef83ecb952b1d5a4

SHA1
89c1abd13f26ec648c71f58cb894feff47728b59

SHA256
8442007ac87911aa87db85e3522e1a82c833fc676a647fc15f3c5b6f538ffa75

SHA512
f2ac0311d530c2038230a7d7add2538132b264a57db3d5675f208b0100b7e8bcf8cfbc98d9062b0ceb297314b2c93c08769c4993a68d7ce33b66e1c898614abe

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
57.0MB

MD5
69538e41293e158e6b6427900476efe1

SHA1
dbef6d04e0e6d4c35968136b0520447f6dabb2e5

SHA256
ff909424ca63fd282ef4dd3a99969e63755b6658670063bf1962ea5deddd6972

SHA512
bd842ce1954577d214788e7f4344830d2e0259a81f9b13ffba0951844c4ade247746e4295b6b055a44f2a759f5d3291355c1b9f60c2cd44e61b419d2a8f2806b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
55.7MB

MD5
938cfc5ba6c322f6d4f1d6c61cfd19ac

SHA1
3fc750baa039d27e906b45f5d2223ef1ab136be5

SHA256
ccdb33f46b1a560b6cee92aa47f32d9a4f572b8689d76cc4af4d82cc8f15502e

SHA512
282cc662c71d2a9e66dcdbb438fffbfea02322cc999ab48bac74231bd40582497705ec70fef8a10cb009553acbd5eed807ee66027ec4e454abc9ce051473f999

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
56.8MB

MD5
c92b4e072be6eb7407cb11941255a2ed

SHA1
65f8ee430161573a15e7a73da77b6e0bd7258837

SHA256
8d5c00d5de521d518f33e0fedea9382ac6d6b5c28b966632ec435dacab3ef4c9

SHA512
5c0bc427fe9e142cddcf028f19e0afb712de3b4430d6f9e83a55cfd1a4fd8bb7e905325ba42efbec3aa0fdfb24a4fe6c6296d2fbd6ca81520828ea95569bf4fb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
56.9MB

MD5
b5e0fa6fbd6da3d35c578dac47eaedc9

SHA1
c548b72aef6e1594cc831fcef4216090a441a02e

SHA256
1bde924b65cf1d0afd51073aa30d9d3e297c67a2e722b2e8d43ff32c6f787557

SHA512
e6469541a886f12a625c47ceea4daaa603aff019a5d820fde766f2246cb3f5f4dbe195e1bca75f116f4ee3eac09c801f01ab129adcfc39f1d4efcfa964e925ac

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
229.4MB

MD5
3e8fbe5ad71682c4eea0108afc79328e

SHA1
fba59ae9157d9b1f25dbb57b1a95e618a5c4b71f

SHA256
25c94e1c182d6810259d7f992ae235bd86403eb4ea1491e3138503d1998cb86e

SHA512
5fee8d16fefdc6ab53cd8dd4377cd08f4c8f306c250f407422d2b50fd1bd6a84206c65266a5d8699a7ac3ca0ca7aaffc90e900ee8dbfbee3632e3384f829e89e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
224.9MB

MD5
238f78aad045107d0f15e7cf8d0f110e

SHA1
3b639a49356495797b4ee37b43fb680f22c30c23

SHA256
f5b31145d37dc1cd131f6f2982e0841b147bc0c86fa07f516fac95f0d96eee53

SHA512
42c4d05c6115d946149439374d0d36a852b7aa10f1021c31c582a658ea045bca680aed0c48662d93ab1e66c136c7c4d908cd6b213b081c4f1ad4e8d900894a6a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
228.9MB

MD5
807044531f36181cdd7e0727261851eb

SHA1
a995284fbd3b53ee6506ff87874f46d45240f1d3

SHA256
48805cd777e8ca1f984be80def6dc05f9d0526cb85c378e8ef415bb8f9101582

SHA512
6380d6b96f5db1f0523967547594e7661ba94d646a453a19dbaeca4c3ea528fc09e275de1075a8a54e9d0940296c02b1b3296869a69f1bc374b6451865dac43f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
225.8MB

MD5
89c537008786d5ba5f95c4724e018246

SHA1
470b09fe5b4a82f8a46f0b22930159dfd7d9cdf8

SHA256
a66e1650ac6dd28e8cffee1767f1ea3b0937051535956b607463aef13026575b

SHA512
8cbfc67fa8b630d3be1d2b88d831523770ed86041141af0b0ba08ddedeee64912b13e4577ed624c6d775de7788da6f085c7d1ba9f551420fe76bee11c72b95e8

Download Submit
memory/956-62-0x0000000000000000-mapping.dmp

Download
memory/956-66-0x00000000064E0000-0x0000000006880000-memory.dmp

Filesize
3.6MB

Download
memory/956-73-0x0000000005430000-0x00000000055A2000-memory.dmp

Filesize
1.4MB

Download
memory/956-65-0x0000000000290000-0x0000000000A04000-memory.dmp

Filesize
7.5MB

Download
memory/1040-72-0x0000000000000000-mapping.dmp

Download
memory/1284-67-0x0000000000000000-mapping.dmp

Download
memory/1284-69-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-70-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-71-0x000000006F6A0000-0x000000006FC4B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-74-0x0000000000000000-mapping.dmp

Download
memory/1824-87-0x000000006F660000-0x000000006FC0B000-memory.dmp

Filesize
5.7MB

Download
memory/1824-88-0x000000006F660000-0x000000006FC0B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-56-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/2040-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads