purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/2032-66-0x0000000006A90000-0x0000000006E30000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
604	voiceadequovl.exe
2032	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
604	voiceadequovl.exe
604	voiceadequovl.exe
604	voiceadequovl.exe
604	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	voiceadequovl.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 604	1652	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1652 wrote to memory of 604	1652	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1652 wrote to memory of 604	1652	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1652 wrote to memory of 604	1652	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 604 wrote to memory of 2032	604	voiceadequovl.exe	29
PID 604 wrote to memory of 2032	604	voiceadequovl.exe	29
PID 604 wrote to memory of 2032	604	voiceadequovl.exe	29
PID 604 wrote to memory of 2032	604	voiceadequovl.exe	29
PID 2032 wrote to memory of 1768	2032	voiceadequovl.exe	30
PID 2032 wrote to memory of 1768	2032	voiceadequovl.exe	30
PID 2032 wrote to memory of 1768	2032	voiceadequovl.exe	30
PID 2032 wrote to memory of 1768	2032	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      PID:1768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.4MB

MD5
4be145a738c13dce830ad9a8f9dd9863

SHA1
275661a0339ad5559df8b6255499aca41bd7c402

SHA256
b0747f33f05ea978c2375b5f99117b874f6d63545155107de6c0c21508e5f929

SHA512
91ed9b933fea19c4981164ff3b1fad2b6abfb670823b640e17916f7816eaa141937ae8677570eafca41a0ae1ee0c7135687acf69e0541a147486baa06d26ff81

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.2MB

MD5
8968fbd2ead02dd325159bb6b66b0196

SHA1
d64c4d4e25fc74d6ee623c9c5ad2df5fc09c8ef2

SHA256
7c67f2b2644b955dbaa72cfa51323268af25ff901e92fe6df9fcf0db75f28374

SHA512
49de72722f466d9f6fc58dd71784fa2583277fc646da3ed866d99dfb8b04ea4d97140d1ce98c465170d67a5f6686688aa4b09adb34d020eb592ea9a72aa88df3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
273.8MB

MD5
18f6beaa5bfeb760d5c5716300751924

SHA1
b8c3014de161359a78b10cabd42c20fb51555c9a

SHA256
f989698a8c16ad6c5c4387085e9136fe3c701f30f423e0bbfb6035cdbbeac833

SHA512
3c207d6aca0496c8aefadb8de815f46cbcc0e7ddf2bc33b91e80500a22a09bec7f7c092b68ea349a3141d27eaab7ec49e44373d0834b84bd63888cb17d5c0965

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
267.8MB

MD5
abdae31ac0240af30d3c101e62daee82

SHA1
21c345077234abe6d2f32b4d7852916eeef29377

SHA256
81fff720c7113dcbe9c0e40c1413003be9ba269bf4c8852c1c7969feab2f09fe

SHA512
01c195c18e4a009e356fccd6bdeece587585d7a25b7453f31fceaf3a7d83e4d8fefd6477d4521c7fb4638499bf189c328ed3ef3ff6b0e3ecba53660dd66900e6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
269.9MB

MD5
3f584a06d1ec8706c2518027b64cba69

SHA1
361f039aedb9275170fb5b6d2eefcfa8fd8a8d87

SHA256
15c908dee270fe35db4c849100ed1230e31de22381ccb3edb6bdba7efeaaaa60

SHA512
4d5690daec9d2ea613ed027dd01bdc5818d7bd4a69a20ecde55a6025154a626a622bb7f247f6122254f6566979e6f56fd1ba468f1a4d3880958546efcdee99e5

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
236.9MB

MD5
783bef7c5ad10efff077a22df6870721

SHA1
b0a155236ad8c224bcf64e5d2c8544426903033c

SHA256
6848797c911c61531a68c6e2d8920baaa12071d4634482ac5567f47fc7691bbe

SHA512
27b4ea243a49845f14e7d8d53aac806de5f1ad59aced5ebeef4bc547a9d25b54e0bf704f95cef5a7c303bc08778af455c441b5e66313e981bd95ed7f907e4f54

Download Submit
memory/604-56-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/2032-65-0x0000000000900000-0x0000000001074000-memory.dmp

Filesize
7.5MB

Download
memory/2032-66-0x0000000006A90000-0x0000000006E30000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing