purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
148s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1988-66-0x00000000065B0000-0x0000000006950000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1652	voiceadequovl.exe
1988	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1652	voiceadequovl.exe
1652	voiceadequovl.exe
1652	voiceadequovl.exe
1652	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1964	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	voiceadequovl.exe
Token: SeDebugPrivilege	1964	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 752 wrote to memory of 1652	752	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1652 wrote to memory of 1988	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 1988	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 1988	1652	voiceadequovl.exe	28
PID 1652 wrote to memory of 1988	1652	voiceadequovl.exe	28
PID 1988 wrote to memory of 1964	1988	voiceadequovl.exe	29
PID 1988 wrote to memory of 1964	1988	voiceadequovl.exe	29
PID 1988 wrote to memory of 1964	1988	voiceadequovl.exe	29
PID 1988 wrote to memory of 1964	1988	voiceadequovl.exe	29
PID 1988 wrote to memory of 1516	1988	voiceadequovl.exe	31
PID 1988 wrote to memory of 1516	1988	voiceadequovl.exe	31
PID 1988 wrote to memory of 1516	1988	voiceadequovl.exe	31
PID 1988 wrote to memory of 1516	1988	voiceadequovl.exe	31

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      PID:1516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1152
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ccab7a97cd62a5c76cb7a27d6d6f1cac

SHA1
c7c803036efff3aea7dd980e25b1b03699a97ec6

SHA256
a0cd46fb9d046a3812948faaef7a544976a3187d445f89d241360fa43ec35c59

SHA512
c4f6c86e93828764159a19813abf43fe800a784e7d514963e9d334a50fec3fd167db177ce5a11fd46b8fd3004e902b3fb197bbf93624eb3850bb26f58b78f2a7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
222.4MB

MD5
a386079b4cfe854fb69271c1156ba2ad

SHA1
17ee2c1582e8d6a99f21e75d85a080d6129a25ab

SHA256
eb1357d6ee1c14656e9eff7e5d15790cca186c8640e3d5d22deb3b32673b82be

SHA512
265fa0428fa27bc6194f54992fe3d42f6cd02d8f2fdba8426c5e329b34e98867b48c36d9100f3bd638306c47a1630cffb71d441ed9671c09ba9b019b4df622fc

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
222.9MB

MD5
dfe974d575aba3aec6c867d8ce6596b3

SHA1
d75e3dafc4d4525456f6b13b36b3c171b49e73b5

SHA256
21916f7fbd8fc9deba104aefe177b4b4cf890a6ba1da6f9e00863d89c672ca58

SHA512
f9967b2333467d429eee02e3cd04401d67025f71616b7409b68314eefc977083e3448eb19d1525eabec458e142c0d0589c50b0f073e42b4ae122eeec1a9a0d91

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
220.7MB

MD5
4fd44663f64a5f1f52f809ad6256be6c

SHA1
2936c551ae9d092b4c1eeb69ae033dfcc38990d7

SHA256
04e1e051a5302e694f8f4bd98834c4d4482af7b03f5df11ba43911c6e47c10ad

SHA512
97a4ec8d650d296ed7ddcf914ac329efbf60a8188c3dcf810fd509474fc042b1535510f80824b82acf2cacc55cd8b36f05e6111db29ef067f922ca74613865e3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
214.6MB

MD5
80c6ef14c42ad0321e8097d09e9f6163

SHA1
0b5e207a33c7b7fa3be59c71ffa5e640b9b979b7

SHA256
fbcaa01c4aab330de55a5530dc08e244ba10f4ad9a5e0cf558d22ada897bf977

SHA512
ae2c6e1a849a901c7843248d10924b929576768775e09df3c4ebf33ea13cce7a5227d4c819b714e517760d66b2736478201013f2b41326218af7876b9e6123fd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
223.9MB

MD5
1213eb2c0055cf378b8b5e7e2ad0085a

SHA1
932911f41bc9ff1ac7797bd9e3fcb9ca7c6ec562

SHA256
9138279ee9584e9cee7b5b2fcc494453a3f62de5ea93d9f85956f9fceae98e5e

SHA512
03d7913a74685d2fd99016145167350328cbed0e123d26b58c6b2baf94a70d04725577dce6e893c2301231d21800fc2920086550e772fb27211816aef1161192

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
205.1MB

MD5
212cbaee2aabf2be38985d0aaef3ce28

SHA1
b3c2ba060b42041ed6eb0e191f941216cd0b2cfc

SHA256
3051ae86551fc8e0ab7798c947cfe3c000de93af6ef35471b0d25b3b46ee22e1

SHA512
99f413f4e90a8c96e8fbef20ffdc59339499fbb48dd3984c2f2d5b5ad8d666d9c785173b5dd0f82fdbde8127e3bf8b5f65981ebe605afbff56f38e9490163429

Download Submit
memory/1152-80-0x000000006FCA0000-0x000000007024B000-memory.dmp

Filesize
5.7MB

Download
memory/1652-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1920-81-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1920-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1964-70-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-71-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-69-0x000000006FF50000-0x00000000704FB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-66-0x00000000065B0000-0x0000000006950000-memory.dmp

Filesize
3.6MB

Download
memory/1988-73-0x00000000055E0000-0x0000000005752000-memory.dmp

Filesize
1.4MB

Download
memory/1988-65-0x0000000001100000-0x0000000001874000-memory.dmp

Filesize
7.5MB

Download