purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
137s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/848-66-0x0000000006310000-0x00000000066B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1244	voiceadequovl.exe
848	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1244	voiceadequovl.exe
1244	voiceadequovl.exe
1244	voiceadequovl.exe
1244	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1304	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	voiceadequovl.exe
Token: SeDebugPrivilege	1304	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1244	1744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1744 wrote to memory of 1244	1744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1744 wrote to memory of 1244	1744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1744 wrote to memory of 1244	1744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1244 wrote to memory of 848	1244	voiceadequovl.exe	29
PID 1244 wrote to memory of 848	1244	voiceadequovl.exe	29
PID 1244 wrote to memory of 848	1244	voiceadequovl.exe	29
PID 1244 wrote to memory of 848	1244	voiceadequovl.exe	29
PID 848 wrote to memory of 1304	848	voiceadequovl.exe	30
PID 848 wrote to memory of 1304	848	voiceadequovl.exe	30
PID 848 wrote to memory of 1304	848	voiceadequovl.exe	30
PID 848 wrote to memory of 1304	848	voiceadequovl.exe	30
PID 848 wrote to memory of 912	848	voiceadequovl.exe	32
PID 848 wrote to memory of 912	848	voiceadequovl.exe	32
PID 848 wrote to memory of 912	848	voiceadequovl.exe	32
PID 848 wrote to memory of 912	848	voiceadequovl.exe	32
PID 912 wrote to memory of 588	912	cmd.exe	34
PID 912 wrote to memory of 588	912	cmd.exe	34
PID 912 wrote to memory of 588	912	cmd.exe	34
PID 912 wrote to memory of 588	912	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:588
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1968
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1592
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:764
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:816
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1072
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:916
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1860
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1712
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1804
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
010bb6545234d78a08efb211611d6aba

SHA1
db6e95d2e1a53229e5ca572a8a41f48911999d16

SHA256
8e10e62988dacbf97be8cc25b1c9075c175d289546bf76276e021c2c6cb6b3e2

SHA512
e0f1dc4b2a9d763b2783de768c6adf6acc802d504a4da093fd3564ae8491de010e81dab74f5b49491c19175314c42b8dd2e3443ef33db6939d2d60cc6857ded8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
272.3MB

MD5
964d0284e52420f6ff55fb03f457d108

SHA1
90e1aec5636257b3730f9138245554f198eaea61

SHA256
486cfd524cb211b1c7093e51deff5e65795456241db4376963c60a2009eeb92d

SHA512
2623f36b6ec21cb2a152c8a0dc7366aa9907c0b3f6eb85c5014e9b706407ef78f29bbac2be83a887362a4372e3eea80a379453511376f7f74901566a3fd7ede4

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
274.2MB

MD5
ba5c69bfc73fac18d4ec17a32ab955e4

SHA1
8dbb728210cb1ab2331af68cb128c2d993ca16ea

SHA256
1b8eabc69b5a04313057181940fb07315b6c3c9914d17a52850d155cca4fa715

SHA512
a0bf0375ad341fd99b4294ed6d4cb94ebce0dfb572d78bcc4a929c8807aa9bb82a94b615210500656ca684531ab508ff307ef6495b8e908bb2cb9b4eb4ceb93d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
14.0MB

MD5
3d965fa3afb981fe14fcb52fbf5884ab

SHA1
475672bb41848bf42db73f85f337ab231bebddb5

SHA256
017967de9fa871977a76367e3694f6cfa24322579095fbd74fd07d4d483c86d5

SHA512
e921e82b6a12798cded73836ec4002a341795626f201cf771d70be9cc05e60b94959d9f181c759f28ad652bcd1af3131232978059c7f72d61ceace7771afacd3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
12.6MB

MD5
b67853627e29745152678137c66297a1

SHA1
6303baac8cf0fb82a74bbe46d928da966ecfde63

SHA256
d63efd9894bdfcc11f05b41c4214f669a750991f8278a9aae6f43b721549f247

SHA512
1216838468d2fd902336b16d9637d8a6291f1c73bfa0e45983a2f6a6dca75515a7fbd312be64a3c5eadc715df304710c690a5def8b818a64f947334f5a024067

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
13.9MB

MD5
64406f0d24dbdc2cf30b4ac4c0cf4050

SHA1
44885cebd420e26bfc190b81d401f2996a0c4824

SHA256
dbfa719231bc09a72f74586271d08e2e9e4e4968915d5162901501ea1d8d2f6f

SHA512
b1cd8d8da0ab73b3442516a679bdabc9de43ebe6ddf85fca671ba37265162f7eb30c1b421d65532e26912cfa63b47811a0614f0eb0fcf2f77f108145d03039ed

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
12.7MB

MD5
0ef489b29878a621d52ed160606e5c67

SHA1
e9cdefaa34f1b40534d103a1a783d255d5e8211d

SHA256
67347cfdc7978329362b9064404dec3b16cb6dda485d9b03e65bb7cac9a53ce6

SHA512
b868413cf28438000b099c6a11d78eae63547b5ba2a3aa18963120c814a7e6dc311b9894dbbb7933c84abe755a22cf5d53c70c4b1b81c1aa6a5d789c0c39bba7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
13.7MB

MD5
3b9c257f9552ba34d2d5b8c92635d69b

SHA1
67f3179b8373d04450c5d70686a84a1a19a6344e

SHA256
455d199404a8515abab250ed03b69e1bf402a646d85c5d079e24048172c77d94

SHA512
e90ce5d4b34c7dfae151fd1977e77128b2977b069c3218b5d6de11286264dd9e77c38ecb4306dc122021a28faff63888d1f834c063e7e9ef541929ea24a95a9c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
12.5MB

MD5
61ea418511f2edbba8850ebd833c627c

SHA1
b6d8a31b8ac3599088a12aacfd42a7ff95c10021

SHA256
90ac26e45039702f956c2ecc5025230179499584173f657580537fad9217919f

SHA512
61c2d639adb84c45d03adb58c34e048d5127b38717177bf361479659b2a39bfcd494e507812f0134ba7662d63520779a3ac958201e9f3d5c9e1c4a4ea4956df5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
13.6MB

MD5
edf1cfd6228f6ef7dea74e839a47dddf

SHA1
2d01244750fc144617a09aa8fe76a41562083cc3

SHA256
f08f3eafdc4ab9642f46c5d0e1ee82814760fed74d5eade187739b7e031bcb04

SHA512
968af631bcdab10871346ee76503572913e4fc7d55b0ec6dd70faf11b77c38dbebc6477a2528216d2f05b87ad96cf846067db5b728c97672719dc4974819daf9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
13.6MB

MD5
edf1cfd6228f6ef7dea74e839a47dddf

SHA1
2d01244750fc144617a09aa8fe76a41562083cc3

SHA256
f08f3eafdc4ab9642f46c5d0e1ee82814760fed74d5eade187739b7e031bcb04

SHA512
968af631bcdab10871346ee76503572913e4fc7d55b0ec6dd70faf11b77c38dbebc6477a2528216d2f05b87ad96cf846067db5b728c97672719dc4974819daf9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
13.6MB

MD5
edf1cfd6228f6ef7dea74e839a47dddf

SHA1
2d01244750fc144617a09aa8fe76a41562083cc3

SHA256
f08f3eafdc4ab9642f46c5d0e1ee82814760fed74d5eade187739b7e031bcb04

SHA512
968af631bcdab10871346ee76503572913e4fc7d55b0ec6dd70faf11b77c38dbebc6477a2528216d2f05b87ad96cf846067db5b728c97672719dc4974819daf9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
13.6MB

MD5
edf1cfd6228f6ef7dea74e839a47dddf

SHA1
2d01244750fc144617a09aa8fe76a41562083cc3

SHA256
f08f3eafdc4ab9642f46c5d0e1ee82814760fed74d5eade187739b7e031bcb04

SHA512
968af631bcdab10871346ee76503572913e4fc7d55b0ec6dd70faf11b77c38dbebc6477a2528216d2f05b87ad96cf846067db5b728c97672719dc4974819daf9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.2MB

MD5
585edf44154d6f55d2a673d9ac45e3af

SHA1
8fafac4f74ab57d5c0657ab4872654efca968f3d

SHA256
42c68251b21cc16ae5a90bb34a0fdaa0c6922a416bd4f0e1e10291a6af022a38

SHA512
2cc0146313aeb2477d2bfaf21812c02095545bb2efffa7206308de1cbb59c726c3c0d80a8d2ff4a3970a5497c459ab74e724750ad958b6821a6cb0db1cd7c194

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.8MB

MD5
ee2edd6e2d5b2251a476a6b6271626cd

SHA1
54c38128f575e281be2c961f7e9730ef09f4da6e

SHA256
d70ff8c2d6fa829521b23a78a4119ec3cd184a4fb8b83f30094768e068337710

SHA512
8a11137a740170f40d149aa9dd58a904be256b7638ce84055b3315909ff76bda75fe6e1ea59093504b049a05f64d67be8c2cec77ccea52bcb52b9ae99ca75109

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
271.9MB

MD5
7b8fbe347b25e88437dbe3ba8df74941

SHA1
75f3baf087f24afe56961f53ec90c6c6e64568b4

SHA256
9189dbee8826c29854bedf81e2a186a238f1c8912228f311b40ac00ef1f9b13f

SHA512
b0d5c81d9c91eca55ac34a24e11768fe2d4e2933ac71a1fed4e179e31fec6e83c3f94e83979040429f5694fd28015c306116d1c7760a032181f6efd13d9bf9c7

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
268.6MB

MD5
44509a58e16cb919f01ca9ac8de02962

SHA1
87ea475172487585d2017e5aebfa956a25460ef3

SHA256
c5c6a823daed5bc4c672e877c8a04e1698680ecc2e4a0522527cc9534e87f1ac

SHA512
89e412538385e1d812131f741937b770acd4bcced1ee9a8e01e40051b4374e8b2d8bc8cbfd9a26b7a4e6b7d03c567813fb058d34e92d36df323fffd166259489

Download Submit
memory/588-87-0x000000006FBF0000-0x000000007019B000-memory.dmp

Filesize
5.7MB

Download
memory/588-88-0x000000006FBF0000-0x000000007019B000-memory.dmp

Filesize
5.7MB

Download
memory/848-73-0x00000000051E0000-0x0000000005352000-memory.dmp

Filesize
1.4MB

Download
memory/848-66-0x0000000006310000-0x00000000066B0000-memory.dmp

Filesize
3.6MB

Download
memory/848-65-0x0000000000250000-0x00000000009C4000-memory.dmp

Filesize
7.5MB

Download
memory/1244-56-0x0000000076531000-0x0000000076533000-memory.dmp

Filesize
8KB

Download
memory/1304-71-0x000000006FC30000-0x00000000701DB000-memory.dmp

Filesize
5.7MB

Download
memory/1304-70-0x000000006FC30000-0x00000000701DB000-memory.dmp

Filesize
5.7MB

Download
memory/1304-69-0x000000006FC30000-0x00000000701DB000-memory.dmp

Filesize
5.7MB

Download