Analysis
max time kernel 130s
max time network 30s
platform windows7_x64
resource win7-20221111-en
resource tags arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted 05-02-2023 07:06
Static task static1
Behavioral task behavioral1
  Sample 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource win7-20221111-en
Behavioral task behavioral2
  Sample 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Resource win10v2004-20221111-en
General
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size 3.6MB
MD5 36fd273ea7607d3a203f257f4e2649ed
SHA1 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512 cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
Extracted
aurora
45.9.74.11:8081
Signatures

Detect PureCrypter injector 1 IoCs
resource yara_rule
behavioral1/memory/268-66-0x00000000064F0000-0x0000000006890000-memory.dmp family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.

Executes dropped EXE 4 IoCs
pid Process
1496 voiceadequovl.exe
268 voiceadequovl.exe
1432 voiceadequovl.exe
1644 voiceadequovl.exe

Loads dropped DLL 4 IoCs
pid Process
1496 voiceadequovl.exe
1496 voiceadequovl.exe
1496 voiceadequovl.exe
1496 voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process
1696 powershell.exe
268 voiceadequovl.exe
268 voiceadequovl.exe
268 voiceadequovl.exe
268 voiceadequovl.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process
Token: SeDebugPrivilege 268 voiceadequovl.exe
Token: SeDebugPrivilege 1696 powershell.exe

Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target
PID 1508 wrote to memory of 1496 1508 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 28
PID 1508 wrote to memory of 1496 1508 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 28
PID 1508 wrote to memory of 1496 1508 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 28
PID 1508 wrote to memory of 1496 1508 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe 28
PID 1496 wrote to memory of 268 1496 voiceadequovl.exe 29
PID 1496 wrote to memory of 268 1496 voiceadequovl.exe 29
PID 1496 wrote to memory of 268 1496 voiceadequovl.exe 29
PID 1496 wrote to memory of 268 1496 voiceadequovl.exe 29
PID 268 wrote to memory of 1696 268 voiceadequovl.exe 30
PID 268 wrote to memory of 1696 268 voiceadequovl.exe 30
PID 268 wrote to memory of 1696 268 voiceadequovl.exe 30
PID 268 wrote to memory of 1696 268 voiceadequovl.exe 30
PID 268 wrote to memory of 1192 268 voiceadequovl.exe 32
PID 268 wrote to memory of 1192 268 voiceadequovl.exe 32
PID 268 wrote to memory of 1192 268 voiceadequovl.exe 32
PID 268 wrote to memory of 1192 268 voiceadequovl.exe 32
PID 1192 wrote to memory of 1824 1192 cmd.exe 34
PID 1192 wrote to memory of 1824 1192 cmd.exe 34
PID 1192 wrote to memory of 1824 1192 cmd.exe 34
PID 1192 wrote to memory of 1824 1192 cmd.exe 34
PID 268 wrote to memory of 1432 268 voiceadequovl.exe 35
PID 268 wrote to memory of 1432 268 voiceadequovl.exe 35
PID 268 wrote to memory of 1432 268 voiceadequovl.exe 35
PID 268 wrote to memory of 1432 268 voiceadequovl.exe 35
PID 268 wrote to memory of 1644 268 voiceadequovl.exe 36
PID 268 wrote to memory of 1644 268 voiceadequovl.exe 36
PID 268 wrote to memory of 1644 268 voiceadequovl.exe 36
PID 268 wrote to memory of 1644 268 voiceadequovl.exe 36
PID 268 wrote to memory of 964 268 voiceadequovl.exe 37
PID 268 wrote to memory of 964 268 voiceadequovl.exe 37
PID 268 wrote to memory of 964 268 voiceadequovl.exe 37
PID 268 wrote to memory of 964 268 voiceadequovl.exe 37
PID 268 wrote to memory of 964 268 voiceadequovl.exe 37
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1508
  Level 2: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1496
    Level 3: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 268
      Level 4: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
        (the -ENC argument is base64 of UTF-16LE text and decodes to: start-sleep -seconds 35)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1696
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        (the -ENC argument decodes to: set-mppreference -exclusionpath C:\ )
        - Suspicious use of WriteProcessMemory
        PID: 1192
        Level 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          (the -ENC argument decodes to: set-mppreference -exclusionpath C:\ )
          PID: 1824
      Level 4: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        Command line: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        - Executes dropped EXE
        PID: 1432
      Level 4: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        Command line: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        - Executes dropped EXE
        PID: 1644
      Level 4: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        Command line: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        PID: 964
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 365.5MB
MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 54dd97274608c7fedfa4a4d137e4a5c6
SHA1 d027ec511b916094d7611d43c9f0b6149c61cdac
SHA256 3025dfe93fee7eacb7870f805c952d3d5161cd8d39544ec2de959c2423f07ed3
SHA512 1110311784c26678c448f4758f55b861f9a48dd0e0f29b7e0a83cf286332b7fac5d5f0f1c6316a82fcb349b38a9ea8206e0cd032ce890407cf3d5256eaff1ce2
-
Filesize 230.1MB
MD5 5395a96c61c44e6d207775946d46b415
SHA1 dd4ac46b6981f17829d7ac2941b26b3ebe9e7b47
SHA256 0aed24a0b968e0c91fb2d1566c6ea8b4f2c889db0c30ab643a9044ce6ca303ff
SHA512 327eb5a7ed6c9e5515740e5ce9b57396efb6a89b4e3ffb575e86d71cc8627fb8e2da59a74d134e5753eb79fd5094378a13b4e0a0b7641b8276562541c3c20a90
-
Filesize 220.4MB
MD5 a690387ed434a35dca58df3dbe29a06b
SHA1 2c3d9aa51cebd49107e8cc2f38edd79cabf3fa74
SHA256 6f7d0b433772ef44e7c8e283f182816a99e33006cf2b8ae8ad15e27791d7db8f
SHA512 50b6bcefdf3fec48e0905a92c9dd3b4196dba8237d4d0ba6dcc643f0031f5b923790b914ee505530fd123244a36c802c7dc1693d90885d566c8d9485640fce21
-
Filesize 47.3MB
MD5 34669631c6086c13b9ccc48c23a62816
SHA1 6529eb7e5a9e61341549262234611c4f9b81d91c
SHA256 1652211f755b03d0b5e4e4cb681800d61719497a476a035d32d63b82ed24ed3f
SHA512 b47fdf70236e4d7eb13a83b848096f4eb37b7729fe77e3e7e0dce524acea6db6da38944a9ba8d209efdfce91e3429346ade26ef4f461eadc8597aed8929527d4
-
Filesize 42.8MB
MD5 9a662ea6162c217cb5f50602053791d1
SHA1 9a11aaac9b450c375b6cbaf220160f63444792d2
SHA256 a87b9f4d697524b76558533bd9bbcafbace93ad9f686c5d3808f3d8e65184d20
SHA512 70ebf3f9e12891dd10d55856e8dc75b10e5fab46c96054167b4819c76af44766a6ce1d56c9d1ec0c3a1283cf7ef620d6772cd515251265dd42151f3e3340ebbd
-
Filesize 12.9MB
MD5 5a860d843faf21dfe9e5c5d740a46990
SHA1 6e49ab78a494b5d6b4d4e43482b3fc861a5f527c
SHA256 4d296e96baf5cdc538012ddf35054319dfffe0c1ce8f3dcc549227f2ca09b8f3
SHA512 365eb347daf657e2a438dd035c2ba8731c4e3325dadf03bdbfaddce74fe319d1ba20ebabc14b0d9da54f4688346fa4bc7aeb61b32944e136398954ac7bd501fb
-
Filesize 224.0MB
MD5 36015d5eb6f30679a8a1a774ddf24c42
SHA1 9aea67fa3ff1f757e35020021b5e19f0d318f47c
SHA256 36a18129d6279967e8c6ae6c2bd341ff2991aeba79c8f8adb49fbca457ad6511
SHA512 f632a5d8c7e28bbd4a593754148f8e23dce1281db2e8e7d0cbea542dd55899ebbd99103e99c1a8376c59f2d137538e129de1f804ceb385ba5fe441217515ebbd
-
Filesize 228.9MB
MD5 97bd9499e36413e7012054bb0529b27e
SHA1 5a91f7241e73630eea4b653950c24ed84fbb6635
SHA256 ba38b8148fa15f182afde29beede27a802433fe719f1dbda7e9a9190df873570
SHA512 a9ab29d883d9d9e06e0602bafd8b5f0c283fab5fb8e0eb87225ac01d25277cecb40e243fb0be725e0ff450103c5fdda87e9d76c0f9375df6e9ade4af926e6fcd
-
Filesize 238.2MB
MD5 c3a9381b2e9a7b513367287f030de889
SHA1 e59b0d95c1e806d1f4c66934f94b6fb7e4408406
SHA256 953bc2a907bed5a18ff98dc626489a5cf262d1a246239d28bc7bb08d7594ea6a
SHA512 a83e3f1e79e97dc5a2745ef79f7e71aebe4d31acd94ddd7c50d606001bf9603970a271ac1103adbe384a71d4c9905dac1a4f10d141b536e66a55bf557aba1656
-
Filesize 225.7MB
MD5 05106e8c54e95c221fc67ec266c1f543
SHA1 8ef4c84b1574bec5915d50db8f5bc15c6fb9b347
SHA256 8a02e712f9c1b976d6926c61a8008c5db4b6932d4ee40280e4d056d76fda186e
SHA512 6f06fcc523e3657b1d476f10bb7e3a718a62c010f70a3a692f978fba8544a26bad4e9ea10e508319e608524e8de2d8585e210bb93c583becce22d4e22b95adbe