purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/676-66-0x00000000067C0000-0x0000000006B60000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
2028	voiceadequovl.exe
676	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe
2028	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1876	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	676	voiceadequovl.exe
Token: SeDebugPrivilege	1876	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2028	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1700 wrote to memory of 2028	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1700 wrote to memory of 2028	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1700 wrote to memory of 2028	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2028 wrote to memory of 676	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 676	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 676	2028	voiceadequovl.exe	29
PID 2028 wrote to memory of 676	2028	voiceadequovl.exe	29
PID 676 wrote to memory of 1876	676	voiceadequovl.exe	30
PID 676 wrote to memory of 1876	676	voiceadequovl.exe	30
PID 676 wrote to memory of 1876	676	voiceadequovl.exe	30
PID 676 wrote to memory of 1876	676	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
268.5MB

MD5
4b2c8cc3bfeb5f8c626f06da02de4cd6

SHA1
e6270a50eff0fa4ca30ba59c3fa49b2d56af507b

SHA256
b10e02228604544bb5a59963ec887223cbf6acd24873b55f3556192539a4a716

SHA512
a38dd647e2a83c9effa7afd85e614e6bd3662dd0b6eb5dd6430877ce83cadd4be3bfab16a7fc434bb481cf5b6eea75ef8b9ec7682eff7bf463c29ecfcd7f372b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
291.0MB

MD5
44c99a73f382484cbcc9149ba8563b5d

SHA1
603ece54c4f2471af7660d4be61fa6467930c344

SHA256
585a3b47c4dbdd2c9acc96eb6fba7626468dd442c0cc097d742ae223a22c9486

SHA512
ebdaa3eec930ae8e51991af6ed0fcb7a583fae2b51ad01a3fee42301cbda746134f86b09d1e61af48270ff0ff193a3b5e4f4337225c7417869935ca01a080390

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
298.2MB

MD5
b542a9aa218feeb8a20c636e514151e6

SHA1
c74b981914a59278ce507822ef3302f42ec1a446

SHA256
746988aab6213de3f769afc69bef85604afa3901b8dd1d3915b2f968451c2a5b

SHA512
5ad78475b7cb28b10b5f8a5a64d86af92fa64d186d506a67fe06fe601c00b0dfbd95f2b2a8925508604b3b67e8967796cfbfd0df831f1841e218560d73986c7a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.8MB

MD5
eaf0131e61a285dfd26999806e54daf1

SHA1
028c37f025a2e9d37c5de6f78b08bc95715d3bdc

SHA256
5faba6017c92e1d67dc98d4fa3f2ad344db580c4f0ae8342d2d60baa25c6884c

SHA512
00560db860a00f562d1d7aa92240c7a212a350cfaf34f3edcc7c04ee51a8c0134fbd4e172bb52bf482234c399752d7c776cdb6d44c655b56065088fb57452053

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
284.0MB

MD5
efe69ff936d16df7a3b21b887e6ccec1

SHA1
bab1477de50e387548c42dca185053f3ae6720ba

SHA256
dd35d0457ad08048492cf69160c598f1d66ffdd4325031463470941623ed1769

SHA512
57a8ec0e201a418e988e025caf8cef626f3ebacf9d251e818c362faada20e3d3ecdf01d9b625a710c488df88acff24637ce55558288d2cc9979b7ecebc9731f3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
292.8MB

MD5
ab968e4ba14fbe8d5f66b16b449fcc1f

SHA1
a565fe57eea717cb33d9830b82c4b1a1ab0c1476

SHA256
77953bbe1ff5d3e21351cd0442f33d645ba92a0820f9174e2ce79b158f2a6c14

SHA512
2779bb769208f5418dd882949a4993a0e840fe122c5320af101d980f1cd538f21803ef40b98999bbf40ee70103ed4b3ca584814f165b1618f873b2555d40630b

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
289.6MB

MD5
c27c4d3e29f15a838146aa9fa638e94c

SHA1
5641c71d4b78b6c8fc8b34331b6513df17c3f33e

SHA256
c741d2f02bad3b571605d2aedf84d483818a357e15ebf4a0d19f7dc7af6899eb

SHA512
7071ae48924dd707eef83b360d9ada61a030d91c6ccdcfb33b597188f25114165287a3cc8b87dfef1468786818664041f09e34ac62310abdd6e0162436f36b85

Download Submit
memory/676-65-0x00000000011F0000-0x0000000001964000-memory.dmp

Filesize
7.5MB

Download
memory/676-66-0x00000000067C0000-0x0000000006B60000-memory.dmp

Filesize
3.6MB

Download
memory/1876-69-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-70-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-71-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-56-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing