Analysis

max time kernel: 137s
max time network: 147s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 05-02-2023 01:24

Static task: static1

Behavioral task: behavioral1
  Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource: win10v2004-20220812-en
General

Target: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size: 3.6MB
MD5: 36fd273ea7607d3a203f257f4e2649ed
SHA1: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256: 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512: cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
Extracted
aurora
45.9.74.11:8081
Signatures

Detect PureCrypter injector (1 IoC)
  resource: behavioral1/memory/568-66-0x00000000063A0000-0x0000000006740000-memory.dmp
  yara_rule: family_purecrypter
  PureCrypter is a .NET malware loader first seen in early 2021.

Executes dropped EXE (2 IoCs)
  pid 1332  voiceadequovl.exe
  pid 568   voiceadequovl.exe

Loads dropped DLL (4 IoCs)
  pid 1332  voiceadequovl.exe  (4 entries)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
    Process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1528  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 568   voiceadequovl.exe
  Token: SeDebugPrivilege  pid 1528  powershell.exe

Suspicious use of WriteProcessMemory (26 IoCs; repeated entries are collapsed, in report order)
  description                        pid   Process                                       procid_target
  PID 2000 wrote to memory of 1332   2000  5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe  28  (4 entries)
  PID 1332 wrote to memory of 568    1332  voiceadequovl.exe                             29  (4 entries)
  PID 568 wrote to memory of 1528    568   voiceadequovl.exe                             30  (4 entries)
  PID 568 wrote to memory of 1196    568   voiceadequovl.exe                             32  (4 entries)
  PID 568 wrote to memory of 1508    568   voiceadequovl.exe                             34  (5 entries)
  PID 1196 wrote to memory of 828    1196  cmd.exe                                       35  (4 entries)
  PID 568 wrote to memory of 1508    568   voiceadequovl.exe                             34  (1 entry)
Processes (process tree; indentation shows parent/child)

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe  PID:2000
  command line: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe  PID:1332
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe  PID:568
      command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:1528
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
        (the -ENC argument is base64-encoded UTF-16LE; it decodes to: start-sleep -seconds 35)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  PID:1196
        command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        (the -ENC argument decodes to: set-mppreference -exclusionpath C:\ , i.e. it adds a Windows Defender scan exclusion for the whole C: drive)
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID:828
          command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe  PID:1508
        command line: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        C:\Windows\SysWOW64\Wbem\wmic.exe  PID:1520
          command line: wmic os get Caption
        C:\Windows\SysWOW64\cmd.exe  PID:1484
          command line: cmd /C "wmic path win32_VideoController get name"
MITRE ATT&CK Enterprise v6
Downloads