purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1160-66-0x0000000006630000-0x00000000069D0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1116 voiceadequovl.exe
1160 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1116 voiceadequovl.exe
1116 voiceadequovl.exe
1116 voiceadequovl.exe
1116 voiceadequovl.exe

pid	process
1116	voiceadequovl.exe
1160	voiceadequovl.exe

pid	process
1116	voiceadequovl.exe
1116	voiceadequovl.exe
1116	voiceadequovl.exe
1116	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1992 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1160 voiceadequovl.exe
Token: SeDebugPrivilege 1992 powershell.exe

pid	process
1992	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1160	voiceadequovl.exe
Token: SeDebugPrivilege	1992	powershell.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 1116	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 1116	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 1116	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 1116	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1116 wrote to memory of 1160	1116	voiceadequovl.exe	voiceadequovl.exe
PID 1116 wrote to memory of 1160	1116	voiceadequovl.exe	voiceadequovl.exe
PID 1116 wrote to memory of 1160	1116	voiceadequovl.exe	voiceadequovl.exe
PID 1116 wrote to memory of 1160	1116	voiceadequovl.exe	voiceadequovl.exe
PID 1160 wrote to memory of 1992	1160	voiceadequovl.exe	powershell.exe
PID 1160 wrote to memory of 1992	1160	voiceadequovl.exe	powershell.exe
PID 1160 wrote to memory of 1992	1160	voiceadequovl.exe	powershell.exe
PID 1160 wrote to memory of 1992	1160	voiceadequovl.exe	powershell.exe
PID 1160 wrote to memory of 1804	1160	voiceadequovl.exe	cmd.exe
PID 1160 wrote to memory of 1804	1160	voiceadequovl.exe	cmd.exe
PID 1160 wrote to memory of 1804	1160	voiceadequovl.exe	cmd.exe
PID 1160 wrote to memory of 1804	1160	voiceadequovl.exe	cmd.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe
PID 1804 wrote to memory of 840	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 840	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 840	1804	cmd.exe	powershell.exe
PID 1804 wrote to memory of 840	1804	cmd.exe	powershell.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe
PID 1160 wrote to memory of 1540	1160	voiceadequovl.exe	voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:840

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1540

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
266.2MB

MD5
0cc639e2038df6dc6ed8efa81dbc8190

SHA1
c5c1e0ecc87824ae7d217615f57d52328f1c49b2

SHA256
46ee1e98c1ddfa23783cab981569edca28562e428a73f08c137fe3a4b28877c2

SHA512
958f069dea4bb30df9b7f710d625e8f2a3114ea80a6632ba555f274be09c21145a464c78db666ada02436a50d760a6440aeb4f2b8254c2f77186e58430962185

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
264.1MB

MD5
c2978936d27aea31ba399c09aedfc92d

SHA1
56c20f5ba11e19c0589c9c27e2a3f8a14ebb56d1

SHA256
c2d36b773f356f4544a642c35b0c6a70bcea1a1f98a70f0d3251bee8caa3435a

SHA512
0a1dced340da6ef5509273481decc00d3b07b7d7dac46618120a11262827a48f5b1b22e1b161a1e0cfd63dae577640f17361b49798dd2dfaeb73a291862101b7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
263.2MB

MD5
7b989fc759e5c83cb55b82738fc260c7

SHA1
4a4788ab61a28618ed7d818676163d40c4ea1ddd

SHA256
3574bc373082fa4f7e3e90905fa29431872b4935ba62dc5a0bd90e2c2488571f

SHA512
6083bfe8e284235c95ed419e612456e3180bc9a4691e956a4c76289cdd4ccb7e68681c33af0833a20bfb0a3c7c312a7f71564bea89965f7ffc7f19e911b2cb8a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
267.6MB

MD5
2728ccf51794ddbf6ad7e2bc603048d3

SHA1
a00b61447139a6b3018adb75736e599db534e72f

SHA256
c96f5846a09824728ac16f67071f3e00d72700cb7e5eef729b0c7d6291211cd4

SHA512
8a3105263f642763a1d97d29bc8db31494d319b354f931f93d584f0d8023dfc5ed498791b4e640ce020166cc5534563abed90efbe681f50dd4832a082df8e99a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
248.4MB

MD5
967692b1b2b422955118861c4d3e5cda

SHA1
36e40723b2cbe872ccd64dfc7e82a7ad9ff35089

SHA256
5f99931ffbc4897327792771d70613f8a956fd8e7d85ff2dc57994ce461cdd71

SHA512
7973d1ac76f5aeeb88ca78a7c0e68307d4e67a2f9f62b97692ad14e4002a5217310e491ae14916ca7462b4e266cf59c5fc8cbc1f1c16c5523f4882bd88e0079c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
259.9MB

MD5
a033480d74158d5c22a7e69f067f2cee

SHA1
522a5f352816c00b1e221dce48ec2b527ff2c576

SHA256
d595e7d830f161145ed539b065b26222462319baa9af3a4929a4931d7a04f061

SHA512
a9eaee63e9abf70db1e42ef348238513b358ea0dc06b013d668b5c5e36629bfed6228ed01f3d57491d31bfb92fc85e844d128f1176520204cbc20c4091feaf40

Download Submit
memory/840-75-0x0000000000000000-mapping.dmp

Download
memory/1116-54-0x0000000000000000-mapping.dmp

Download
memory/1116-56-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download
memory/1160-66-0x0000000006630000-0x00000000069D0000-memory.dmp

Filesize
3.6MB

Download
memory/1160-73-0x00000000054F0000-0x0000000005662000-memory.dmp

Filesize
1.4MB

Download
memory/1160-65-0x0000000001310000-0x0000000001A84000-memory.dmp

Filesize
7.5MB

Download
memory/1160-62-0x0000000000000000-mapping.dmp

Download
memory/1540-74-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-78-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1540-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1804-72-0x0000000000000000-mapping.dmp

Download
memory/1992-71-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-70-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-69-0x000000006FAD0000-0x000000007007B000-memory.dmp

Filesize
5.7MB

Download
memory/1992-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads