purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1320-66-0x0000000006430000-0x00000000067D0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1848	voiceadequovl.exe
1320	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1848	voiceadequovl.exe
1848	voiceadequovl.exe
1848	voiceadequovl.exe
1848	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1980	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	voiceadequovl.exe
Token: SeDebugPrivilege	1980	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 1848	1552	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1552 wrote to memory of 1848	1552	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1552 wrote to memory of 1848	1552	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1552 wrote to memory of 1848	1552	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1848 wrote to memory of 1320	1848	voiceadequovl.exe	29
PID 1848 wrote to memory of 1320	1848	voiceadequovl.exe	29
PID 1848 wrote to memory of 1320	1848	voiceadequovl.exe	29
PID 1848 wrote to memory of 1320	1848	voiceadequovl.exe	29
PID 1320 wrote to memory of 1980	1320	voiceadequovl.exe	30
PID 1320 wrote to memory of 1980	1320	voiceadequovl.exe	30
PID 1320 wrote to memory of 1980	1320	voiceadequovl.exe	30
PID 1320 wrote to memory of 1980	1320	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
236.2MB

MD5
32c28254d76079c5dec11ec3b9dca053

SHA1
33dbd6253ee62cda49f8366688b36c0232a480ae

SHA256
6f1b82b8091d4c027356a21b4271a9dbe7fde5653183936e0a137e70b34e8df7

SHA512
085e4fe1991ae36f34b455521e4f5e68e7f1968bf890bd3907f7ba6c9616d4a532373bccbd615cbd9833e069e5b46199d3ff3e7736f488a9b8b6e5e74e09e2f4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
201.6MB

MD5
4bf3ba781043ec15e0c5a5298b2668d0

SHA1
6febccc29e0d56b4ad6e30fe50b0ad44770c01dc

SHA256
c44f33bb3ca6a0245b3727a2d2ffde87adb8b1fe2982cbd8f27eb404fe7c5f81

SHA512
dfa7ffc5d7530feaf0a1a19b289bd4bce5d4496cbf4da8fac348b2ed827124829894d5c4c5fc09e9acc36547a6d25fc25ef067b8d2f785b0ff0c9d20aebcfa01

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.6MB

MD5
7acf0418de36d8657a000b633d6884cd

SHA1
e88b16d1f58ea72f6f843396d658cc128c6a434d

SHA256
ecffaeee1ac04e90960eed88f3b5ca36f7965386650a15fdbbb3d0f954933eaa

SHA512
25c2efbb5499b2e1d216a40435508233d0978e94a05e04aa5b3436290d43a969851debc19bf72ae21426d8f588d49569bc51248eb3ddae23726803592156a886

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.3MB

MD5
883dd57a2d0f53cbde9299cac770e83d

SHA1
250dd82a45484d5e9c57bdf1c3803ad501173a11

SHA256
b6e8e44fbfebf0b3db0e759d9919197efb4d651acedb50fc25b8eed7a97f546c

SHA512
80e87d39065964ac7015c2c91bdca1c45973d4d052abf62e3f1f3ca3587e022b301433093526e3000a626bd71c474bc5a0990e8bb4c26c10273a2b50872c9ba9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
238.9MB

MD5
901fb61acff0754d29f83c527029dbf6

SHA1
638a0ae0f138377f39ad8672377d3ff468636350

SHA256
c5d41f581dfe2fca8c62457d910de48fa91f2bfafc89d353027891e96ee86091

SHA512
c6780fd67e55666ef9354964d64f81cbc03198714e06f819a20df30168903a716f11aecf2bebee5e6eb63c56a6d56189d942ff1716a9fce3df940c2e4d0ce7b9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.1MB

MD5
0847610739a8afb1802e087c7144a93f

SHA1
3a71e7b497bb17666617d3c40a2de6b2ef216e7f

SHA256
fe68e51044eb78d517992d635eb0aadbd1c5940b61e63d5386d4b2cc1e26efc7

SHA512
03190be981d0078a0c90137827eab041b7d9d1431fa51bc6907b30c52c570dd31d4c2c07c0bdcb449e80907ac92d6bdbf8b6fc6d567ac1e717c86b498d3533cf

Download Submit
memory/1320-65-0x0000000000CC0000-0x0000000001434000-memory.dmp

Filesize
7.5MB

Download
memory/1320-66-0x0000000006430000-0x00000000067D0000-memory.dmp

Filesize
3.6MB

Download
memory/1848-56-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1980-69-0x000000006FC50000-0x00000000701FB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-70-0x000000006FC50000-0x00000000701FB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing