purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/2032-66-0x00000000064C0000-0x0000000006860000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
2040	voiceadequovl.exe
2032	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2040	voiceadequovl.exe
2040	voiceadequovl.exe
2040	voiceadequovl.exe
2040	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1104	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	voiceadequovl.exe
Token: SeDebugPrivilege	1104	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2040	2020	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2020 wrote to memory of 2040	2020	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2020 wrote to memory of 2040	2020	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2020 wrote to memory of 2040	2020	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2040 wrote to memory of 2032	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 2032	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 2032	2040	voiceadequovl.exe	29
PID 2040 wrote to memory of 2032	2040	voiceadequovl.exe	29
PID 2032 wrote to memory of 1104	2032	voiceadequovl.exe	30
PID 2032 wrote to memory of 1104	2032	voiceadequovl.exe	30
PID 2032 wrote to memory of 1104	2032	voiceadequovl.exe	30
PID 2032 wrote to memory of 1104	2032	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.0MB

MD5
a2523a8b7a8e2f19f55828ebbf86b2c6

SHA1
265be95725061e89b48a63bcb1a94cc9a2f67aee

SHA256
3b04fbcb28b8a0e643ee6eab97305a0d522c0c93af85c6ee17b535db06b09a53

SHA512
1cfef5bf441a5b8dcada23e8496d95cf14f44a326c86c28fa5884c5e7c4a0c49147159b64e5fa43e518fdb5abc01690b404780c33ae3610debbb9051d320fc10

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
268.8MB

MD5
2c9f86898796a8943d36aae7731a3c5f

SHA1
d7d3e32fa7e88e19084e1bd96ea0dca73ce13928

SHA256
2c839b39890245c7a6ea70726ee8c57be8c2753e7dc145e1c453a334a54f6b22

SHA512
e3935189c9ce9bd882a3a5a37bc047b67bc27d2672331abcd8e651d44f5a4b3fc7ac74fc2777948dc253bd69ec401b476c8585a5aae1d00e7d0d58c56560369f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
295.2MB

MD5
b5b94cc50f360a69619820ce5335c0c6

SHA1
5525aade786e1c6f8eee378e8456e7a7d9b979eb

SHA256
863e15aacdf9f8b4014d70bd69aa04acd22f06654cce5c497207881cf13f7548

SHA512
fca5e0fc7338d920dbf4551789db7a58010fddd7351171ac6c865f1f6d002d945860c703bf56c3ec2001971a23e0f1c2a0f42f5b7e5612b65ad8be71ef9a6170

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
310.6MB

MD5
f18a02a6d369612d207984e1c35358a4

SHA1
ce3b089dd008635e8ec42db40ef230d008e0cf39

SHA256
e69e270b7d265ec56ce49ff2acdf483f7c7beade24fbd1f6141eec77794518f0

SHA512
c6d8cc964e7351903e79972db1ee0dc4ec86a43ad0ba1ffaba8d2e6c1287dc06775380658cc6974bbe0e2d548aa822f13169a176a833937e205dabd101d45577

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
308.2MB

MD5
04f71bd2c5c0a2290b99d5c84e61d619

SHA1
1749c6c92ef058a6de9675f831219c5afe33d3ed

SHA256
4e8d4846a6c2ea698483263bdc3303db74feb2e701341370004abd3a479db4fc

SHA512
e8dc5f307183e3df4993689dfe6f1118e14d375991c83bd3d5d40624de993373cf5f9093d78ce2afcfe874eb37cc86d51a2cbf4ca435087bf5476ac377db17ee

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
290.2MB

MD5
1b6734b6065a2aedc718dac098cb7ab8

SHA1
7ac104affc28914ffcf034686e9d27b6f64dea21

SHA256
8c07e69832d0886bdf8fee7d83ff8392a3e855c66258aafccb26dc7db6ba640c

SHA512
89438959dce5c4e30e86ec26c9530c9876d21ccc640edcda512f836818b902b2bb46f6c6193a4f63cb45ce42a3ddf736d932a04877691bc070d820a3b4387fc1

Download Submit
memory/1104-71-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-70-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/1104-69-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/2032-66-0x00000000064C0000-0x0000000006860000-memory.dmp

Filesize
3.6MB

Download
memory/2032-65-0x0000000000C00000-0x0000000001374000-memory.dmp

Filesize
7.5MB

Download
memory/2040-56-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing