purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/02/2023, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1624-66-0x0000000006350000-0x00000000066F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1460	voiceadequovl.exe
1624	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1460	voiceadequovl.exe
1460	voiceadequovl.exe
1460	voiceadequovl.exe
1460	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
468	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	voiceadequovl.exe
Token: SeDebugPrivilege	468	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1460	1320	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1320 wrote to memory of 1460	1320	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1320 wrote to memory of 1460	1320	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1320 wrote to memory of 1460	1320	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1460 wrote to memory of 1624	1460	voiceadequovl.exe	29
PID 1460 wrote to memory of 1624	1460	voiceadequovl.exe	29
PID 1460 wrote to memory of 1624	1460	voiceadequovl.exe	29
PID 1460 wrote to memory of 1624	1460	voiceadequovl.exe	29
PID 1624 wrote to memory of 468	1624	voiceadequovl.exe	30
PID 1624 wrote to memory of 468	1624	voiceadequovl.exe	30
PID 1624 wrote to memory of 468	1624	voiceadequovl.exe	30
PID 1624 wrote to memory of 468	1624	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:468
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      PID:292
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1100
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1512
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1008
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:480
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:2008
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1352
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1768
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1336
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:888
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1752
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
250.0MB

MD5
9573352d35fc60d35c3441805bb528d5

SHA1
3a538b451c1ce79e781831472aae68ab2ae811ae

SHA256
976afdb4c364366b45ff068c801f912e8b868eb06381bd416571128a269e0948

SHA512
bdd778fe1cb7d0583cdda5071b230b67d5b2a83e0374f5ef4ac4b41c422e30b8e7c83f843574d9761579cc4198a9aed828e3a22a93f8e9179677121195fe4b2b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.9MB

MD5
cda22934d7aa7591be268795575deb12

SHA1
917141271e657928ed6ccd9a76c62a61f82a4aba

SHA256
daf66361a3f7b6fd19b414be3ce96317346a6735edb24b417f3dd42281deb0af

SHA512
b76a417f48ecc63a4cad05e99c11a3fd6bff68f5e335978cd1f4f6727616534154382248def90790c90064903a5261866c4cc61c3eff461dd6f620debdf2287b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
384KB

MD5
fc679442e2437b18cd61d4dc97ed05c8

SHA1
b0aba7b6a4d46c7918901b27a317f5268e6eb767

SHA256
9b4da709f0278553afb3a05ae97844582354212b96068a6a42adf2d5c0788ed4

SHA512
266d69d1586fe45b869d890fce085e4a0ffc2ac814edd266720b7630e559c0158c9a91149754b154957b4c229050351fd07ca642a7f1318eaabe1fb4678a87bf

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.2MB

MD5
2de22163eb03238f30541627c67061b4

SHA1
328ab926642229f5aec46bbf67cff4a577ceca77

SHA256
2183b3839c9af9fac15e8fea6df5d6fe6fbd044f79723dcc283246f0303784a5

SHA512
9c73383fae53c3891fe9a752496117524c884bc7692fc8ab8e0c1fc4c030e5b072d3ebfce76b43cb5c57c5a5d652f9a455a3b039e2923632426e988917492b05

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.2MB

MD5
2de22163eb03238f30541627c67061b4

SHA1
328ab926642229f5aec46bbf67cff4a577ceca77

SHA256
2183b3839c9af9fac15e8fea6df5d6fe6fbd044f79723dcc283246f0303784a5

SHA512
9c73383fae53c3891fe9a752496117524c884bc7692fc8ab8e0c1fc4c030e5b072d3ebfce76b43cb5c57c5a5d652f9a455a3b039e2923632426e988917492b05

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.2MB

MD5
2de22163eb03238f30541627c67061b4

SHA1
328ab926642229f5aec46bbf67cff4a577ceca77

SHA256
2183b3839c9af9fac15e8fea6df5d6fe6fbd044f79723dcc283246f0303784a5

SHA512
9c73383fae53c3891fe9a752496117524c884bc7692fc8ab8e0c1fc4c030e5b072d3ebfce76b43cb5c57c5a5d652f9a455a3b039e2923632426e988917492b05

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.2MB

MD5
2de22163eb03238f30541627c67061b4

SHA1
328ab926642229f5aec46bbf67cff4a577ceca77

SHA256
2183b3839c9af9fac15e8fea6df5d6fe6fbd044f79723dcc283246f0303784a5

SHA512
9c73383fae53c3891fe9a752496117524c884bc7692fc8ab8e0c1fc4c030e5b072d3ebfce76b43cb5c57c5a5d652f9a455a3b039e2923632426e988917492b05

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.2MB

MD5
2de22163eb03238f30541627c67061b4

SHA1
328ab926642229f5aec46bbf67cff4a577ceca77

SHA256
2183b3839c9af9fac15e8fea6df5d6fe6fbd044f79723dcc283246f0303784a5

SHA512
9c73383fae53c3891fe9a752496117524c884bc7692fc8ab8e0c1fc4c030e5b072d3ebfce76b43cb5c57c5a5d652f9a455a3b039e2923632426e988917492b05

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.2MB

MD5
2de22163eb03238f30541627c67061b4

SHA1
328ab926642229f5aec46bbf67cff4a577ceca77

SHA256
2183b3839c9af9fac15e8fea6df5d6fe6fbd044f79723dcc283246f0303784a5

SHA512
9c73383fae53c3891fe9a752496117524c884bc7692fc8ab8e0c1fc4c030e5b072d3ebfce76b43cb5c57c5a5d652f9a455a3b039e2923632426e988917492b05

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.1MB

MD5
613fe0b659038e4b56e24f0d4d993abe

SHA1
61ca1921478b5f93bfcf2708d8e1dbed21559356

SHA256
d0a1d29ea79a50d9b32ed3d72f733ee4d26605965b5c3e47f82a85274626032d

SHA512
6cd4deda5d97ffc0f2d2f65a79c9e834038525bc51f7a7ece3b90868d8fa3e8dd533d2f0746143d8e67a897d5c43cb12dc597e985fe70bfdfbf04308b61de108

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.2MB

MD5
2de22163eb03238f30541627c67061b4

SHA1
328ab926642229f5aec46bbf67cff4a577ceca77

SHA256
2183b3839c9af9fac15e8fea6df5d6fe6fbd044f79723dcc283246f0303784a5

SHA512
9c73383fae53c3891fe9a752496117524c884bc7692fc8ab8e0c1fc4c030e5b072d3ebfce76b43cb5c57c5a5d652f9a455a3b039e2923632426e988917492b05

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
2.2MB

MD5
2de22163eb03238f30541627c67061b4

SHA1
328ab926642229f5aec46bbf67cff4a577ceca77

SHA256
2183b3839c9af9fac15e8fea6df5d6fe6fbd044f79723dcc283246f0303784a5

SHA512
9c73383fae53c3891fe9a752496117524c884bc7692fc8ab8e0c1fc4c030e5b072d3ebfce76b43cb5c57c5a5d652f9a455a3b039e2923632426e988917492b05

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
230.4MB

MD5
f2073c43fbd2e7ce8fc28e44c7e2bb9c

SHA1
56d066d8d7515bde8f487d55122d633c67c472ee

SHA256
79556659d43822c2af997da61c7b12b36bfded222b034192f68c0efd7122251f

SHA512
afdd2830aa8f0e875849bbac6fae86cae3e9a24df1f1045bb09ea6a2d7f9a3a53bf6283e0c71596fad751fc66a9aa2fb51addebccf03ebe39b2e440b596b33cd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
235.8MB

MD5
47e5965b5010b8cc23d1d9f373d2f8f3

SHA1
94bed402f08009ab9328bdd50984ef30150907fd

SHA256
49c61dc4e6911e0b057e2a57a916c4ac56b53a868f8dd97c5d5cdc7dd05649c0

SHA512
76fd40599771b4d330c9be013511efd42ec2d22b94288ebe11208a87626b8462a1b1cac4404b7d2047a1d5302b600aa71e15e96e4f77b99edc39f9b3f9de9ffa

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
245.2MB

MD5
7a6c9bf8823b7a6a3f1a8b379386b347

SHA1
68506d411afa1d2d7727132b1f9e2898d283d407

SHA256
c874a255109babc2b39ba1223805f4ca8e3e1cc203d009e04509dbc270f2a675

SHA512
be90d76d84f4dd481baeb097d23d44f4b11ab6365675f7b70dcc1814654ad65da585f23fe2a07cc347ce572bee9022f9fc9a745b99390969044f5f1be1ccc562

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.8MB

MD5
dcf14bcbf3bcdbf6235b2148b6975c33

SHA1
332734bb8b6c1819d43cd4c74272bc1b919bf62c

SHA256
17b4f8fec956800b2080a55b986b6962587e6536dbcbdb3d5280fd212a9cf926

SHA512
17fc799a556c2c360a940fac5832261c354b211415b7d37f334f09e34b2b450255490719ddf560805762240a43a072ecdc73b2ddbba83e37a45aab2236b22ba5

Download Submit
memory/468-69-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/468-71-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/468-70-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/1460-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1624-73-0x00000000053A0000-0x0000000005512000-memory.dmp

Filesize
1.4MB

Download
memory/1624-66-0x0000000006350000-0x00000000066F0000-memory.dmp

Filesize
3.6MB

Download
memory/1624-65-0x0000000000280000-0x00000000009F4000-memory.dmp

Filesize
7.5MB

Download