purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
138s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/272-66-0x00000000063E0000-0x0000000006780000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

948 voiceadequovl.exe
272 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

948 voiceadequovl.exe
948 voiceadequovl.exe
948 voiceadequovl.exe
948 voiceadequovl.exe

pid	process
948	voiceadequovl.exe
272	voiceadequovl.exe

pid	process
948	voiceadequovl.exe
948	voiceadequovl.exe
948	voiceadequovl.exe
948	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1364 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 272 voiceadequovl.exe
Token: SeDebugPrivilege 1364 powershell.exe

pid	process
1364	powershell.exe

description	pid	process
Token: SeDebugPrivilege	272	voiceadequovl.exe
Token: SeDebugPrivilege	1364	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 948	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 948	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 948	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 948	1748	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 948 wrote to memory of 272	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 272	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 272	948	voiceadequovl.exe	voiceadequovl.exe
PID 948 wrote to memory of 272	948	voiceadequovl.exe	voiceadequovl.exe
PID 272 wrote to memory of 1364	272	voiceadequovl.exe	powershell.exe
PID 272 wrote to memory of 1364	272	voiceadequovl.exe	powershell.exe
PID 272 wrote to memory of 1364	272	voiceadequovl.exe	powershell.exe
PID 272 wrote to memory of 1364	272	voiceadequovl.exe	powershell.exe
PID 272 wrote to memory of 1044	272	voiceadequovl.exe	cmd.exe
PID 272 wrote to memory of 1044	272	voiceadequovl.exe	cmd.exe
PID 272 wrote to memory of 1044	272	voiceadequovl.exe	cmd.exe
PID 272 wrote to memory of 1044	272	voiceadequovl.exe	cmd.exe
PID 1044 wrote to memory of 956	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 956	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 956	1044	cmd.exe	powershell.exe
PID 1044 wrote to memory of 956	1044	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:956

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:936

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1596

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:888

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1900

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1888

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1868

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1528

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1148

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1124

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1356

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
47a49cbd588bb0f032fcf1e73223ef9f

SHA1
f83606f28bf57158147f14fb49fb3a1ac1c3a3e5

SHA256
b2817eb4832f7012e1532ce1cf0961450e7ca186e0853cf945da538f9ebf67ce

SHA512
fbd748cd20aafb035f2689e5209dca8cc3c8c3d1fde655f6eec1acf47593b121a3a6589a3991db9e4965ded2ff24f031f853c7619a8b2242774dfc20a5056d3b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
228.8MB

MD5
2ce2254ce09fbdc5cc626dad11f34a57

SHA1
66fc9a6b19c28350499761f1e63501831efb1c25

SHA256
70b21d3d7ed2043f03bb665ae3fe28f88538857ce4deded965636c8a2ce3b3fe

SHA512
5e4180a918e6866827714e5ee5a48acf9a5d0b476312eae1e84e4a19c3c7df485e029be2fa937d17201ff3caa8f68bc16b61d7ea411cca7b284d9074f5d07c8b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
210.2MB

MD5
561e80820dc237a378d12498b336b660

SHA1
b83ffa34cd937bc38e67d38eb9da0d2f1886047d

SHA256
3fe9cffc699f9d4a860b0b9a0421bca1de3cfec610e2ca827b7629fb1977426b

SHA512
ecbd2f3cba36ae39c23e0d722adfed28e1f263aa529a47ca93d0d0435b066585b5d9a7b9ae758cfa6c36cf625e9c736787662dea52675fcc97c4cc8621f41979

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.7MB

MD5
0a18399a507d810c514ab5d09643d445

SHA1
1ed36302047953996c46786fc3fa004af695b894

SHA256
32ff0e47010880c74f268eda1fb61368d0c9fbb382309e56bbbcae602e8e469f

SHA512
5f59752e6ecdb9a3afbf9ea9ed53c6e0c9b793fd62021d60fbaf384cf14bc8775c7f3beed20d2c4628ecec3c11961402c92142fcfb92295732fcc1c35770ce15

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.7MB

MD5
0a18399a507d810c514ab5d09643d445

SHA1
1ed36302047953996c46786fc3fa004af695b894

SHA256
32ff0e47010880c74f268eda1fb61368d0c9fbb382309e56bbbcae602e8e469f

SHA512
5f59752e6ecdb9a3afbf9ea9ed53c6e0c9b793fd62021d60fbaf384cf14bc8775c7f3beed20d2c4628ecec3c11961402c92142fcfb92295732fcc1c35770ce15

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.9MB

MD5
568211b79e3379f1b22aa58290eba9d7

SHA1
73e68661707679d0c158eceaa6984614e4a536a5

SHA256
5dae90fffb335f609284e1ebba7a9965b7a859b4bfce211218e404cb830caaa6

SHA512
0054cd6ef5aa1711237767c12dfe3a5d9213d75e808fc1babf2c1f65b3dd28efef4b7c00492f888a28406acbe4dd97aa1780bcf3438669fb27f90d0a947d4759

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.8MB

MD5
dbee078c1ffa6939eb3640b2f4076d8d

SHA1
dc91fbcf423c5a8da63f4414395a70170bd11202

SHA256
d2633868d1af2bc36cf05a650bc423021207e3c5753b2ffba6242d4922214624

SHA512
e524ce7f009c640f66be0873d3de19d7869d49bc0c9546da2bdee248122ed688bc522e08e4dd957c10824fcb1f8004868caaba4e8f855b707342a5c3e607fc15

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.8MB

MD5
dbee078c1ffa6939eb3640b2f4076d8d

SHA1
dc91fbcf423c5a8da63f4414395a70170bd11202

SHA256
d2633868d1af2bc36cf05a650bc423021207e3c5753b2ffba6242d4922214624

SHA512
e524ce7f009c640f66be0873d3de19d7869d49bc0c9546da2bdee248122ed688bc522e08e4dd957c10824fcb1f8004868caaba4e8f855b707342a5c3e607fc15

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.6MB

MD5
f58b6728d09b74e5134199f3cff6d4dc

SHA1
d3d442ea12d74eae8f82e9a0a78aef55079e1184

SHA256
05793c4b602c35f704504f3c1cf77903705ce690f56eb9321f6c61d8e77c8b52

SHA512
d63527101690079a231c54e8e61df5ef658ef887f4bf0363c543450ca88b51c9c8ae1ad49e71b86c976573b4eec4d8d3cf8d8f88780fcc4d1c9e7bc17dd177f6

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.8MB

MD5
58de456b864740a8577abef609d435ed

SHA1
ac89b0c288c3f30b7c40b5b1af30a22549c7780c

SHA256
14ff41f50f34c01a0526a8ea14b2536458c8bb5ff20994e148fd33ac98074d5e

SHA512
635c95f0f205efe046588d235adb6466014afaeceaf30447c4aab3f4671aaac1912b09775ec69b2c8cd17e32abb516a11ef76782a8a39e45ec40b37e6d598493

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.8MB

MD5
58de456b864740a8577abef609d435ed

SHA1
ac89b0c288c3f30b7c40b5b1af30a22549c7780c

SHA256
14ff41f50f34c01a0526a8ea14b2536458c8bb5ff20994e148fd33ac98074d5e

SHA512
635c95f0f205efe046588d235adb6466014afaeceaf30447c4aab3f4671aaac1912b09775ec69b2c8cd17e32abb516a11ef76782a8a39e45ec40b37e6d598493

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.8MB

MD5
58de456b864740a8577abef609d435ed

SHA1
ac89b0c288c3f30b7c40b5b1af30a22549c7780c

SHA256
14ff41f50f34c01a0526a8ea14b2536458c8bb5ff20994e148fd33ac98074d5e

SHA512
635c95f0f205efe046588d235adb6466014afaeceaf30447c4aab3f4671aaac1912b09775ec69b2c8cd17e32abb516a11ef76782a8a39e45ec40b37e6d598493

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
11.8MB

MD5
58de456b864740a8577abef609d435ed

SHA1
ac89b0c288c3f30b7c40b5b1af30a22549c7780c

SHA256
14ff41f50f34c01a0526a8ea14b2536458c8bb5ff20994e148fd33ac98074d5e

SHA512
635c95f0f205efe046588d235adb6466014afaeceaf30447c4aab3f4671aaac1912b09775ec69b2c8cd17e32abb516a11ef76782a8a39e45ec40b37e6d598493

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
239.7MB

MD5
3f6842383856ef9e54f9b06d88e78b03

SHA1
cf68fd04f346a23a0b6ffcb5b3e64084c8df2e80

SHA256
baaf955d1dd90c855af63ed636a9a5a526469e010a183a55555f48a2df5ea30d

SHA512
8fa75268e50d8c594c18663a85bf1692d25608941e9c709cf3148efed9cacfa7f0ff5e8e90c05f151c93fd05bc313d29377d7f4609e31d56aa5e5d9dc93efca1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
243.8MB

MD5
ee2edd6e2d5b2251a476a6b6271626cd

SHA1
54c38128f575e281be2c961f7e9730ef09f4da6e

SHA256
d70ff8c2d6fa829521b23a78a4119ec3cd184a4fb8b83f30094768e068337710

SHA512
8a11137a740170f40d149aa9dd58a904be256b7638ce84055b3315909ff76bda75fe6e1ea59093504b049a05f64d67be8c2cec77ccea52bcb52b9ae99ca75109

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
221.3MB

MD5
03117b4a746ca163968e32e948663acb

SHA1
07780b09cc0c88636b5eea2ace00915d0b7c90b9

SHA256
1df236b96b88032ce6e89a95d4bceab8f2ceacf63e39b5b0ec8682768de2bad3

SHA512
9653cc50200d6b621ae080383ec26efd98bdbb0d19e8373f100566f4fd5f17e86d7a49cf01ca111fc54eb83a42c908e8b04ebe371afe689ceb8bcb1b601d3351

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
253.8MB

MD5
c763525ae0d68c703d42d2428d38227b

SHA1
41febea676d46cb46f88d3f826f1300329916185

SHA256
2880400adad69fd0bff674b84551065fdd8a9698d2e961774d4ca14e8a913fdc

SHA512
1da14a838ce741716289b65dc91377941ba24311a82982b34b1c479c0813628e392aa5acd951dc1139114f2c401b8d89d40df13f8e58264458b770b4d21aa55e

Download Submit
memory/272-62-0x0000000000000000-mapping.dmp

Download
memory/272-65-0x0000000000120000-0x0000000000894000-memory.dmp

Filesize
7.5MB

Download
memory/272-74-0x0000000005330000-0x00000000054A2000-memory.dmp

Filesize
1.4MB

Download
memory/272-66-0x00000000063E0000-0x0000000006780000-memory.dmp

Filesize
3.6MB

Download
memory/948-54-0x0000000000000000-mapping.dmp

Download
memory/948-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/956-73-0x0000000000000000-mapping.dmp

Download
memory/956-88-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/956-87-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/1044-72-0x0000000000000000-mapping.dmp

Download
memory/1364-71-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-67-0x0000000000000000-mapping.dmp

Download
memory/1364-69-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-70-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads