purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
148s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/860-66-0x0000000006480000-0x0000000006820000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1216	voiceadequovl.exe
860	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1216	voiceadequovl.exe
1216	voiceadequovl.exe
1216	voiceadequovl.exe
1216	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1820	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	voiceadequovl.exe
Token: SeDebugPrivilege	1820	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1216	840	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 840 wrote to memory of 1216	840	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 840 wrote to memory of 1216	840	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 840 wrote to memory of 1216	840	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1216 wrote to memory of 860	1216	voiceadequovl.exe	29
PID 1216 wrote to memory of 860	1216	voiceadequovl.exe	29
PID 1216 wrote to memory of 860	1216	voiceadequovl.exe	29
PID 1216 wrote to memory of 860	1216	voiceadequovl.exe	29
PID 860 wrote to memory of 1820	860	voiceadequovl.exe	30
PID 860 wrote to memory of 1820	860	voiceadequovl.exe	30
PID 860 wrote to memory of 1820	860	voiceadequovl.exe	30
PID 860 wrote to memory of 1820	860	voiceadequovl.exe	30
PID 860 wrote to memory of 1808	860	voiceadequovl.exe	32
PID 860 wrote to memory of 1808	860	voiceadequovl.exe	32
PID 860 wrote to memory of 1808	860	voiceadequovl.exe	32
PID 860 wrote to memory of 1808	860	voiceadequovl.exe	32
PID 1808 wrote to memory of 1616	1808	cmd.exe	34
PID 1808 wrote to memory of 1616	1808	cmd.exe	34
PID 1808 wrote to memory of 1616	1808	cmd.exe	34
PID 1808 wrote to memory of 1616	1808	cmd.exe	34
PID 860 wrote to memory of 988	860	voiceadequovl.exe	35
PID 860 wrote to memory of 988	860	voiceadequovl.exe	35
PID 860 wrote to memory of 988	860	voiceadequovl.exe	35
PID 860 wrote to memory of 988	860	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1216
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1616
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
240.8MB

MD5
798e28efcb8d942dd23e80a5b35f0237

SHA1
907a7fe95d03259e8f6c57c5eea9c32886c004fb

SHA256
a4f6e6b4c6af6d8717a81ad6a8e90a5944a2c56b89452afef9dc043d979586f2

SHA512
53993c62e4f867194fb1e37236f18c9976873473129aa9fdbc968b6fd7461926fb0867675a3553f97c8659aa822956c82c0a7112346f5495edab0ecbcb96ed52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f97abc528ef1a0c87c86a3dc4553a177

SHA1
d369fbdb791f83cde483d80f727deff9ce7ab284

SHA256
dde831b276b7a524bdae1c6df9ed8653e90949dcd0b3c813ae6ae77cea94f038

SHA512
0343c6ebe02a64f0804ef4b07c08a4a43daefa298ab9f62c38d7cce469898d2fa0734590a409592a7a7cf9e7c019d68d3d2c3780764dccb8fb09ba4869e39ccc

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.5MB

MD5
ae18822c02dbb87e9aea79a9f01b3f45

SHA1
7c6c0065d1d46ec87d7472668771135de9398c10

SHA256
3142ca39293d18157f99223449e1df65b9d610cf94b49fe2933499f8a6229d2f

SHA512
4cb23e891342df3de93c04c36f75c5cd142f64de3d9bd5699ceb02c87feacfd38b2dfcbd13684076b2bf0eede2439a1616df826a579e50d4e9b22aef2e827c7b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
254.4MB

MD5
665abff3bbcb71ee90c0e706f7ab2865

SHA1
7ab728a91014cf0d6fbcaf88def183d39f117abc

SHA256
4fec864a687117290c7cde2e45ddaa83cbbdc51283041ce8e95f78d870e8d72b

SHA512
045e0215de5a24909948f51931f832af3abba769aa9ebebd7c09ff1c61f73e1bca925c750626218ac1ad45f3d1211d3da33194422cc39f847d7012a953bff9de

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
1.4MB

MD5
6508e1333a661975a13550f5296b017b

SHA1
039d2a04dee51090c64d470bdbd287851f405aac

SHA256
919a34aa0124d22f3ccf26b7b561d50ab7ea7895c8fe954d6bc6b3b3720a45fe

SHA512
3d3a127d8ccb015e917a68dc16225ed1f7e0d16e07844076b281dd7a3677b0b24e0464c36551c7dba1c92701c3f9c5e56928dcb9ff16fd3271982718023c958f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
230.2MB

MD5
8e591699358113dcd597b534225591bc

SHA1
a1ca2b4e714d110c0e8cff7cb57be9e2ea5af0b1

SHA256
deb95d519d56627049fd80c30ffd5aa8255c2cc636fa5e2236907ef98be132c8

SHA512
e594578a87b3824c47185e297a2cbc183bd63fdb25c83227559e731d3152b0bf666e71aac51fa17455f0c430d551bfaf594d1598f8252a7f080c9d927b125e5f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
256.3MB

MD5
4cebbdb999cd1a3e89a64bad623932a3

SHA1
305a6cb6f5001c99061bf38fa7873534b43d97a2

SHA256
e1dc4c0c7048c0fbff99b8c43ab47949876c244c3b6e6eef33d3298adf527707

SHA512
7d2281d9c92b9418c2267bb909f5639c59d6e42624deeb2c87f7aa25fc82fdde62116419f5338fc129691d2ccfac02258204504b7a1d5ce01420a26460d524b6

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.8MB

MD5
c8d1d57ac66b43cf4769a63e8927441b

SHA1
e18aeee9b96cda01e6a4756e847874700bddc765

SHA256
d9678671e7ee8eda2293d968e1771ee7e10ddf9a152666039c09131116979d36

SHA512
af37ef94d4cce1f4d7d9831c79e2e17f815acf658232a9696035f7120eaf6c7f90d601b35b5b158593bd0812dfcdf0bb45e7bfad174210a70b89c3ee92e10d16

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
256.2MB

MD5
5c20016a84adcf16016c9e37e8ff5e69

SHA1
b859a886d4a9527c7a90aa79c45d7543e7f91274

SHA256
e8ae1c958526a6e38c02247bc07090bad38d207ca1c4b39b534207e2a4a12171

SHA512
c521b4519b94475dd53ece84a123c2c549d64474a7a043ff398514e4f6b97fe6daf061c068d92f208d53705c37d0875869c84eee0acdf2b3df86b68840ade7d1

Download Submit
memory/860-74-0x0000000005350000-0x00000000054C2000-memory.dmp

Filesize
1.4MB

Download
memory/860-65-0x0000000000E70000-0x00000000015E4000-memory.dmp

Filesize
7.5MB

Download
memory/860-66-0x0000000006480000-0x0000000006820000-memory.dmp

Filesize
3.6MB

Download
memory/988-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/988-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/988-93-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/988-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/988-89-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/988-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/988-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/988-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/988-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1216-56-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1616-87-0x000000006F2D0000-0x000000006F87B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-70-0x000000006F540000-0x000000006FAEB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-69-0x000000006F540000-0x000000006FAEB000-memory.dmp

Filesize
5.7MB

Download
memory/1820-71-0x000000006F540000-0x000000006FAEB000-memory.dmp

Filesize
5.7MB

Download