purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1504-66-0x0000000006360000-0x0000000006700000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
2036	voiceadequovl.exe
1504	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2036	voiceadequovl.exe
2036	voiceadequovl.exe
2036	voiceadequovl.exe
2036	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
896	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	voiceadequovl.exe
Token: SeDebugPrivilege	896	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 2036	948	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 948 wrote to memory of 2036	948	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 948 wrote to memory of 2036	948	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 948 wrote to memory of 2036	948	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2036 wrote to memory of 1504	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 1504	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 1504	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 1504	2036	voiceadequovl.exe	29
PID 1504 wrote to memory of 896	1504	voiceadequovl.exe	30
PID 1504 wrote to memory of 896	1504	voiceadequovl.exe	30
PID 1504 wrote to memory of 896	1504	voiceadequovl.exe	30
PID 1504 wrote to memory of 896	1504	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
268.9MB

MD5
26014e6c8aa59a067d0d5d570ba4a78a

SHA1
02e04f8adc9e510b45f286ba5153ee3373c00907

SHA256
46761d9ee6634efe078a0059c4eec6c47261ad619818ecf8d1573ee47ec8668a

SHA512
6c57f177c761427490d0f0ce9bc697fe8680945ff355e06b15f3de606af4ddede4a64a22baaf24c8aba24ad45cb67d85ea7795ed339350cd8dad6720daadc3fb

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
240.0MB

MD5
e328d9b0a27ec66eec1295f3c8dd154b

SHA1
9acfde666877915fcbff9395ac55fd0424ea7a43

SHA256
0831c82d7837360fa925e4a4a8d1241fc99e5f08a60c56557b4939d76f8721fc

SHA512
efda72f853fa56acd50a0f215fba2aa550a4670ce26f63f1fccca8df27c81955a9d078906c40bff2960ae926633bb09b211b64137ec683c4cbb298a98ac35cc1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
291.6MB

MD5
af3f3ca44cac012a102b6d489e013948

SHA1
d1938cea1748681951e5ae650f735ef70258e2d8

SHA256
9d51647dbf25a955f4b5387076da6cab45837c52a6251e04f0bef9709466121d

SHA512
35a1d3074b3a4fa84524571e725fdc50d8f8feab3b67ccff7c6346cec2e9c72375ea389356944780d03a361fe301b7092561dd374e59ab26e579caeb6d5adcfe

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
263.4MB

MD5
c26c1b256f0c886deb8bf4dc16c037bc

SHA1
8035226c9e66de18b136945d5e0e7df8f24febbb

SHA256
ee4e4285238f761eacb5905ef1a4d621bcef5baf33c92234a763db4ab78a22cd

SHA512
bd49034b601eed72882a8b5342db8af1be85c2714acb9a3af40167c27914f13e2181f5ed4eeaaa5b44950d436cd8d37947242615a6803f340b2650be5fc25ff5

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
295.5MB

MD5
1c55b295bfe3d4c029d034e7731cf873

SHA1
aef9c26a061ddd7a44983b298f03d6a27b06ad0f

SHA256
e3dbd398ebd3a11ce7c9d4b682d18549f26cc594049802f95b269966e6795926

SHA512
5b57ba1e0d57fe4a9bc0bb94efe27276a9b9a36a983c0c28dd9b5eefe95cf2d093c3ace462a48b9c56c531ed71aade5149675e01528a89144bca23380f37084f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.2MB

MD5
9acf3f4cbf311a8286113fccaed4e24b

SHA1
eece47463f5025420cb766e36a8600b8aae3e81d

SHA256
c093362d511bb88814a5e8ea2fcdeb6596a31dbe5bcee8c038645dfc50d7ad45

SHA512
b9d98623339e11740dd967dcb2b3e5102b50dd193bda1b527afc0e777849d896531b953f678e79d09fe4874ba17900d7d5eb0513a3d640526022c77441f2ee9a

Download Submit
memory/896-70-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/896-69-0x000000006F920000-0x000000006FECB000-memory.dmp

Filesize
5.7MB

Download
memory/1504-66-0x0000000006360000-0x0000000006700000-memory.dmp

Filesize
3.6MB

Download
memory/1504-65-0x0000000000140000-0x00000000008B4000-memory.dmp

Filesize
7.5MB

Download
memory/2036-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing