Analysis
- max time kernel: 135s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 05-02-2023 01:10

Static task: static1
Behavioral task: behavioral1
- Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Resource: win10v2004-20220812-en

General
- Target: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Size: 3.6MB
- MD5: 36fd273ea7607d3a203f257f4e2649ed
- SHA1: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
- SHA256: 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
- SHA512: cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
- SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Signatures
- Detect PureCrypter injector (1 IoC)
  resource:  behavioral1/memory/844-66-0x0000000006530000-0x00000000068D0000-memory.dmp
  yara_rule: family_purecrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
- Executes dropped EXE (2 IoCs)
  pid 1552  voiceadequovl.exe
  pid 844   voiceadequovl.exe
- Loads dropped DLL (4 IoCs)
  pid 1552  voiceadequovl.exe (4 DLL loads)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Note: the IXP000.TMP directory and the wextract_cleanup0 RunOnce entry are standard artifacts of a Windows IExpress (wextract) self-extracting package; this entry deletes the temp directory at next logon rather than relaunching the sample, so the persistence of interest here is the copy dropped to AppData\Roaming\Voice, not this key.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1680  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 844   voiceadequovl.exe
  Token: SeDebugPrivilege  pid 1680  powershell.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  PID 1532 wrote to memory of 1552  5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe -> voiceadequovl.exe  (4 times)
  PID 1552 wrote to memory of 844   voiceadequovl.exe -> voiceadequovl.exe  (4 times)
  PID 844 wrote to memory of 1680   voiceadequovl.exe -> powershell.exe  (4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
        (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 35, i.e. a delay before the next stage)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken