purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/844-66-0x0000000006530000-0x00000000068D0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1552 voiceadequovl.exe
844 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1552 voiceadequovl.exe
1552 voiceadequovl.exe
1552 voiceadequovl.exe
1552 voiceadequovl.exe

pid	process
1552	voiceadequovl.exe
844	voiceadequovl.exe

pid	process
1552	voiceadequovl.exe
1552	voiceadequovl.exe
1552	voiceadequovl.exe
1552	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1680 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 844 voiceadequovl.exe
Token: SeDebugPrivilege 1680 powershell.exe

pid	process
1680	powershell.exe

description	pid	process
Token: SeDebugPrivilege	844	voiceadequovl.exe
Token: SeDebugPrivilege	1680	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 1532 wrote to memory of 1552	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1532 wrote to memory of 1552	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1532 wrote to memory of 1552	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1532 wrote to memory of 1552	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1552 wrote to memory of 844	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 844	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 844	1552	voiceadequovl.exe	voiceadequovl.exe
PID 1552 wrote to memory of 844	1552	voiceadequovl.exe	voiceadequovl.exe
PID 844 wrote to memory of 1680	844	voiceadequovl.exe	powershell.exe
PID 844 wrote to memory of 1680	844	voiceadequovl.exe	powershell.exe
PID 844 wrote to memory of 1680	844	voiceadequovl.exe	powershell.exe
PID 844 wrote to memory of 1680	844	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1680

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
251.8MB

MD5
ece62bae4fc118462e6f82b3a7454fde

SHA1
bf7da91071602b7632e7ef2b664f94c1c6e0ec0e

SHA256
2f3cd85ed496b59f013f9e691ace8add5851d3c1cacad6233de1d38491b30e31

SHA512
7dde289877b3aecd51edcfc60eccd1c7d1266ae9509da51978efd66a62226bfdd8efb8d49b30d310a661b0f9c596d2b4097a13c76984a3cf50ef2755f5a3dcef

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
266.8MB

MD5
a235d3694b35b2e33d6e3764ea74c890

SHA1
1187900fa2a5f6574f0e0d6bec3b82952716e59d

SHA256
4db6f1d3462c21f320839448195115bb809b42bc000feb3d5fef3543900c30aa

SHA512
637de7a67e85f3992234408eeb56bfaa79d597e7c9315604bf630ba92b10045e8a81f87863b356ec0c9f1574905e870d1ac5e12bb39f607f34644ff404d0f655

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
238.6MB

MD5
97a03ab62061c1bf8f80a65981d89a4f

SHA1
6a27188c8038dfb4429957def2a0fb07c39d9063

SHA256
b85922e6b3c2e9a2c59767569d431aac9c659ee3cc0580e583ce8ecab36997d3

SHA512
1af70933d4475777180aab780a5a57235481d6d2a3c5f4cee9a7d24d4c2646901d11ba9dd0964b4eae628d8a88f119065cf42c3dfdf3fce8ed450798513d0fc1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
257.9MB

MD5
7e6761e36cb8e1b19175e8c141d2309c

SHA1
a4e23382419aa28f7706b305c50d4ebe935f8a78

SHA256
3eaaba6d6a2fda46021c67dd775636cdae9c3b702125fd2eaf0f39764591ae1b

SHA512
cb6905588fb69d2e72a071697ce17e7e801f12a460e3732d9d2266dd3fea0e5bfdef85ce12cf95ebe1804ce23f436d002ff5412083946c02960e1242cebb7677

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
274.0MB

MD5
39cd086efb1fc5f7896be01f0c63f454

SHA1
52b7e9b212ad78359e7c188abc4ba6219952b3dc

SHA256
25c588ef8fac9937461ae92625867efe8feb22fb39e2d0d7d52239261429ec75

SHA512
b79ce1e33428131364f5091a6febd44bde6b5ef5a2ccb4163c07608c047bade5c99417f3486c88c9fd4809c4fc9107b18b07fb0bc58ded5206cde67e9474c688

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
278.3MB

MD5
940b38cc03e34c42b9439568100a1230

SHA1
3734889fbb4618e889b36d1c03baedcf48289cb6

SHA256
51e20faeab95ceff58d6a02d011aba9477da17b2a581b72d8d68b3d22fa99694

SHA512
1ffeaa7f88186b3585b02d7c9567e8ca586b99e85e381668884d0e41a38c4faf07a9c21687a64a546563ca7b35f966d3acf3fdfae866bdf889fe631d90357709

Download Submit
memory/844-62-0x0000000000000000-mapping.dmp

Download
memory/844-65-0x0000000000C60000-0x00000000013D4000-memory.dmp

Filesize
7.5MB

Download
memory/844-66-0x0000000006530000-0x00000000068D0000-memory.dmp

Filesize
3.6MB

Download
memory/1552-54-0x0000000000000000-mapping.dmp

Download
memory/1552-56-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1680-67-0x0000000000000000-mapping.dmp

Download
memory/1680-69-0x000000006F170000-0x000000006F71B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-70-0x000000006F170000-0x000000006F71B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads