Analysis
- max time kernel: 145s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 05-02-2023 07:08
Static task: static1
Behavioral task: behavioral1
- Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Resource: win10v2004-20220812-en
General
- Target: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Size: 3.6MB
- MD5: 36fd273ea7607d3a203f257f4e2649ed
- SHA1: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
- SHA256: 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
- SHA512: cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
- SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
Signatures

Detect PureCrypter injector (1 IoC)
  resource: behavioral1/memory/1280-66-0x00000000065B0000-0x0000000006950000-memory.dmp
  yara_rule: family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.

Executes dropped EXE (2 IoCs)
  pid   Process
  1964  voiceadequovl.exe
  1280  voiceadequovl.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  1964  voiceadequovl.exe (reported 4 times)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  1316  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1280  voiceadequovl.exe
  Token: SeDebugPrivilege  1316  powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                          pid   Process                                        procid_target
  PID 1356 wrote to memory of 1964     1356  5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe   28  (reported 4 times)
  PID 1964 wrote to memory of 1280     1964  voiceadequovl.exe                              29  (reported 4 times)
  PID 1280 wrote to memory of 1316     1280  voiceadequovl.exe                              30  (reported 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
   PID: 1356
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      PID: 1964
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
         PID: 1280
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
            (the -ENC argument is base64 UTF-16LE and decodes to: start-sleep -seconds 35)
            PID: 1316
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads