purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/520-66-0x0000000006250000-0x00000000065F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1352 voiceadequovl.exe
520 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1352 voiceadequovl.exe
1352 voiceadequovl.exe
1352 voiceadequovl.exe
1352 voiceadequovl.exe

pid	process
1352	voiceadequovl.exe
520	voiceadequovl.exe

pid	process
1352	voiceadequovl.exe
1352	voiceadequovl.exe
1352	voiceadequovl.exe
1352	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1112 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 520 voiceadequovl.exe
Token: SeDebugPrivilege 1112 powershell.exe

pid	process
1112	powershell.exe

description	pid	process
Token: SeDebugPrivilege	520	voiceadequovl.exe
Token: SeDebugPrivilege	1112	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 616 wrote to memory of 1352	616	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 616 wrote to memory of 1352	616	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 616 wrote to memory of 1352	616	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 616 wrote to memory of 1352	616	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1352 wrote to memory of 520	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 520	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 520	1352	voiceadequovl.exe	voiceadequovl.exe
PID 1352 wrote to memory of 520	1352	voiceadequovl.exe	voiceadequovl.exe
PID 520 wrote to memory of 1112	520	voiceadequovl.exe	powershell.exe
PID 520 wrote to memory of 1112	520	voiceadequovl.exe	powershell.exe
PID 520 wrote to memory of 1112	520	voiceadequovl.exe	powershell.exe
PID 520 wrote to memory of 1112	520	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:616
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
250.4MB

MD5
e3a701d574a98d8f6c9ecf79eaea817c

SHA1
4bae689338ede6e8e04e1d9dfd4e0b9a19053038

SHA256
a6572be5519411d2b8f1e695ec5c97d8835f8a88d08c95c1b8d1d0280730d78e

SHA512
ed93d091efc76e436f99dd4f73a85eb7936562be1664b20c1a584fc2e65e1a1316dfdaf3b9345e32e4def5116469e9f9f8cc99ea22522a76f0d8d81d4e2b7932

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.8MB

MD5
ad54695bbaf35354b16f2fd96bcc59ee

SHA1
08e40d28816cb36c5d4406d87632e119580897e7

SHA256
1428d79050870d0a7463da6c86dfc695837014d57d308b821d9582d16f9492b3

SHA512
5047fbdd0b82c527da1649b2fc997eb79db60326e6ca49507e5815bcd6232de8ac95c820c729b014aa1750082e2ec1a0ee3dd55a736111a04c274485a7022bfd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
257.2MB

MD5
f1b1b32e0737df47ee6c2eaf2d823765

SHA1
8702039487bb827e1b870f69b5c5cde1bfd25904

SHA256
a35b35fb11640505b47f763e47744e8e58bbd5bdfd6cc57ae4858b95bcaf38ca

SHA512
7bf37dde526210b54a8112c5203b8a6a1fe3605c672d8553f56e764586b5eff55c5e8936622c269e06c7c0c2856368bc903f44ea1aa76bdaed357ea87941357a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
242.0MB

MD5
d773954ac7b9d46cf9396c6e215e6366

SHA1
dfa0d5dc01d5d9926576333a68ad8d72246df308

SHA256
23a71af655a61886b470e618e0a9bab58c002ab0cd38405684b55f8da253267a

SHA512
75e9a2a1ff0e4ef75ddd34a7513748d3cae378df3283c7be7e1e23450588891ff972316a9850bfbdd4b91a820f97af526b2c23bde7a8724adedf30d62ea21179

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
257.0MB

MD5
6b8d779a2014f60918ad661c1ab7f238

SHA1
e84139c854e501b61504afc28018525ca9c5f0a9

SHA256
2a3fa1df8b67a7226cc1100a532c164ec157e98880d477a0cda4e3f46222af8c

SHA512
3e6f4aebe8230d76f21a054a26de5baf1a42181c1097f50548bbf11461724d18207ba9172ec5beb02a5f95d64567abd51a10ada81b29852604dcd03a26f8acc8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
256.8MB

MD5
dadc52eed207bc9c74fe1f2db74d0efc

SHA1
23d27c1a7cc60ae2b39cc4950df5b6280d1a9356

SHA256
ac4271fb561e5088da27cfd73011ce5e7d46ff664e7827b0a8ae8a0d6d091e5a

SHA512
4bf84d72f5cb2100a20dd2aa57388386ffa36e4f00aa532b1bd6305d94c45f248691987d8bb8f1661a2f338de22eaf738235e4cb3ae524b9e86e309787ad7c97

Download Submit
memory/520-62-0x0000000000000000-mapping.dmp

Download
memory/520-65-0x00000000012C0000-0x0000000001A34000-memory.dmp

Filesize
7.5MB

Download
memory/520-66-0x0000000006250000-0x00000000065F0000-memory.dmp

Filesize
3.6MB

Download
memory/1112-67-0x0000000000000000-mapping.dmp

Download
memory/1112-69-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1112-70-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1112-71-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1352-56-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1352-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads