purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1076-66-0x0000000006510000-0x00000000068B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1940	voiceadequovl.exe
1076	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1940	voiceadequovl.exe
1940	voiceadequovl.exe
1940	voiceadequovl.exe
1940	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1388	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	voiceadequovl.exe
Token: SeDebugPrivilege	1388	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1940	1844	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1844 wrote to memory of 1940	1844	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1844 wrote to memory of 1940	1844	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1844 wrote to memory of 1940	1844	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	27
PID 1940 wrote to memory of 1076	1940	voiceadequovl.exe	28
PID 1940 wrote to memory of 1076	1940	voiceadequovl.exe	28
PID 1940 wrote to memory of 1076	1940	voiceadequovl.exe	28
PID 1940 wrote to memory of 1076	1940	voiceadequovl.exe	28
PID 1076 wrote to memory of 1388	1076	voiceadequovl.exe	29
PID 1076 wrote to memory of 1388	1076	voiceadequovl.exe	29
PID 1076 wrote to memory of 1388	1076	voiceadequovl.exe	29
PID 1076 wrote to memory of 1388	1076	voiceadequovl.exe	29

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
248.8MB

MD5
22b39d1dbb6fa4de2a326b0c8e40dc70

SHA1
187a22b5db89163ac9f4989f7bd10c4ac0631ece

SHA256
bd14867ffacc3bbd1e73f5c004ace414ec2461fccad25dc53469a10536153df0

SHA512
7794522495e202652839bb9ee8b02c3c70b94dfff41aa1fec7c7e4b7bbb25dff68ccb2cd01142279b2257aa6da3a3edf4a5a750859c43779e4701ebf97e30a39

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
230.3MB

MD5
503b2f1944c00ad7cdd2d796b35302fe

SHA1
be6c99689a598bf0859c9ccd6f8e7e18c0b58ba9

SHA256
c843345ec073835d56593c61d7e7de6a37df7f66def015c63c30b96832c0bc6d

SHA512
9939b2570e4c53ee8f4ba44fcdd8d8f7c6de2b8872e8d73765cbc931513febc7ac57c24bfd89ead43c6154c8bb0434eb86d8d492c5473815121b77d15c3902a1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
207.4MB

MD5
ad3b7071fe2095f7e4ca0dc0c0b8faa1

SHA1
306dd50a0fbd1652afa3d3bf3d71b26c1859026a

SHA256
83fe92bdcf03942e14f99e342c5b9afd1fd93a15799d8ed5677a3d3b2d50fc4a

SHA512
d4ee312c71ed5d3a33a55666d7e6ffbcbf3a4c372097b7eb89ae89cbd3e0b0198e20ae1349c2345a6542f7ca2835697fe6d2473f2a6ed6001971cd5d8b2c7ac8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.7MB

MD5
92d5cca19525cb10c9a3e6a0c2e07ffc

SHA1
082f12b25705bd27854f8a817c9ec74a6deae2c3

SHA256
2da2f17829615150008501070a569ef0f80bd143ca504ae2138351cd36c8743e

SHA512
53cc76cb6859220aa0cdbcf6c1bbdee8a14415da5330c4bd3ad74870f329710991b73fc295b006d3fa39788c68980bf9b5c83b5dac9ca9a7b897791f44055d73

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
256.8MB

MD5
dadc52eed207bc9c74fe1f2db74d0efc

SHA1
23d27c1a7cc60ae2b39cc4950df5b6280d1a9356

SHA256
ac4271fb561e5088da27cfd73011ce5e7d46ff664e7827b0a8ae8a0d6d091e5a

SHA512
4bf84d72f5cb2100a20dd2aa57388386ffa36e4f00aa532b1bd6305d94c45f248691987d8bb8f1661a2f338de22eaf738235e4cb3ae524b9e86e309787ad7c97

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
261.3MB

MD5
82c3baa54cde3ea288ab22e10ef753c1

SHA1
a01e224ce5cd30d7bafc1441642d4909653ac5f4

SHA256
5de84d83fa86dbfdddad9a8e331bfcef4a49da66003c782e111aca00a115b393

SHA512
1eb5e0fd285932d5bdc524906aa28fe333f38632f4a1698b3df963c39c33e1e4c7e2910fc54879a6ab539b0d5ddf13b19782d9b9b2107058b03f14b3f7d5dacc

Download Submit
memory/1076-65-0x00000000002C0000-0x0000000000A34000-memory.dmp

Filesize
7.5MB

Download
memory/1076-66-0x0000000006510000-0x00000000068B0000-memory.dmp

Filesize
3.6MB

Download
memory/1388-69-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1388-70-0x000000006FB30000-0x00000000700DB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-56-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing