purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1032-66-0x0000000006400000-0x00000000067A0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
308	voiceadequovl.exe
1032	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
308	voiceadequovl.exe
308	voiceadequovl.exe
308	voiceadequovl.exe
308	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
836	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	voiceadequovl.exe
Token: SeDebugPrivilege	836	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 308	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1472 wrote to memory of 308	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1472 wrote to memory of 308	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1472 wrote to memory of 308	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 308 wrote to memory of 1032	308	voiceadequovl.exe	29
PID 308 wrote to memory of 1032	308	voiceadequovl.exe	29
PID 308 wrote to memory of 1032	308	voiceadequovl.exe	29
PID 308 wrote to memory of 1032	308	voiceadequovl.exe	29
PID 1032 wrote to memory of 836	1032	voiceadequovl.exe	30
PID 1032 wrote to memory of 836	1032	voiceadequovl.exe	30
PID 1032 wrote to memory of 836	1032	voiceadequovl.exe	30
PID 1032 wrote to memory of 836	1032	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:308
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
231.9MB

MD5
43a798e5b1255944cde374b0211007b9

SHA1
f1a7cf1cb23631f6efeb14031cf5ca8f4ff56a4a

SHA256
8158654021aae9ae287d6f26d7c6bf0f3cd9136bf478ea5bb337e1ff7d3f7a98

SHA512
a0fbb2acb68f7dd29a5abc6ec649f13eb636bc6c27cabda3ccacc1fd78924329b431bf04dd0c573e42254cffa09bd134be65919574c692a5eb0d7c8ba51ab7d2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
265.2MB

MD5
922888bb7e6ced119f06d91715e3f20b

SHA1
dc26c208a5a3fb9ae8a49c0b6a4089287608e18b

SHA256
4c54e0e94d1dfe7344065628b18799eab3498e5f128d7a676215b7508bd52a66

SHA512
7429d2c10a33c508a28ff9d6b569f525dfb4e6a1cd93a076a239023df2ca694abbab9b2acefbc1fb6fcce9dd9a66de133ee67e28a0065965d4b865b1d8bd1f6e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.5MB

MD5
ac6d027c90479e305cc1ea69bc1f1920

SHA1
b6234af7dff2e3c2263eeb3f425348f8c2d893f3

SHA256
78e3c6352b61c91504424932b26b2ae240244f4c6802123302d104e33ba0c8b4

SHA512
dfcdb3757724ac4708daf3173eb09c902ecbea1e1b83aa050025298f9f10c861c075f6885905c4aa814574df84af6fbcffb6a9fa17a84614985d5b160bf3d788

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
269.5MB

MD5
05f6e9f8dfc109db66a58337f5732a77

SHA1
0cb8ae7c3139d3db6ffe0f712992594476bc6cb3

SHA256
bfe0ea89ba5d9972a2e2f5285d2164a2f8e42afecda141a978da75bae1a0736f

SHA512
4e205603bf8bbaece8df85fc257acbf2c8a988b84ac185a417e9c76e9faf50af1800c94235bbb702e5abc88729be3b06f6c42f502a0d59e6bd2276f8e46c5223

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
270.1MB

MD5
e0fd3cf2ee6da55faab08aa55807abce

SHA1
99f3502b71f755a3ad492ad490c31ac483d19cb4

SHA256
052c8b8ddeb967c6e65850dcca2e44464e7d98db634301e9df8d237141d26ef6

SHA512
7f8822a9ab74f27baa0987828c8dc597584b4ec46b2ab036c3571e8987b95152d31dab8322d2b151f7c1d53964221f8d28e0505c55317146e3a63cd9ef8b9bf4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
261.8MB

MD5
43db4dc829660dc66334a370dbfba064

SHA1
ffc780bbf01c83c6bdec9df131d0d5b2d757a174

SHA256
b2a9adec379ea7027b8534689d089cbec9f022073c932c001a742f2542829de3

SHA512
e56409ea9b9c87d899f60e4de930875a94ac059d5d825355244ec94d8e66b1f35b5deb3a87f30ff65efdc35b33d30592f13659e87a204d5a60cf7f839573585b

Download Submit
memory/308-56-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/836-69-0x000000006F630000-0x000000006FBDB000-memory.dmp

Filesize
5.7MB

Download
memory/836-71-0x000000006F630000-0x000000006FBDB000-memory.dmp

Filesize
5.7MB

Download
memory/836-70-0x000000006F630000-0x000000006FBDB000-memory.dmp

Filesize
5.7MB

Download
memory/1032-66-0x0000000006400000-0x00000000067A0000-memory.dmp

Filesize
3.6MB

Download
memory/1032-65-0x0000000000BC0000-0x0000000001334000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing