purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
149s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/564-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1708	voiceadequovl.exe
564	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1708	voiceadequovl.exe
1708	voiceadequovl.exe
1708	voiceadequovl.exe
1708	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1676	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	voiceadequovl.exe
Token: SeDebugPrivilege	1676	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 1708	744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 744 wrote to memory of 1708	744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 744 wrote to memory of 1708	744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 744 wrote to memory of 1708	744	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1708 wrote to memory of 564	1708	voiceadequovl.exe	29
PID 1708 wrote to memory of 564	1708	voiceadequovl.exe	29
PID 1708 wrote to memory of 564	1708	voiceadequovl.exe	29
PID 1708 wrote to memory of 564	1708	voiceadequovl.exe	29
PID 564 wrote to memory of 1676	564	voiceadequovl.exe	30
PID 564 wrote to memory of 1676	564	voiceadequovl.exe	30
PID 564 wrote to memory of 1676	564	voiceadequovl.exe	30
PID 564 wrote to memory of 1676	564	voiceadequovl.exe	30
PID 564 wrote to memory of 1912	564	voiceadequovl.exe	32
PID 564 wrote to memory of 1912	564	voiceadequovl.exe	32
PID 564 wrote to memory of 1912	564	voiceadequovl.exe	32
PID 564 wrote to memory of 1912	564	voiceadequovl.exe	32
PID 1912 wrote to memory of 1304	1912	cmd.exe	34
PID 1912 wrote to memory of 1304	1912	cmd.exe	34
PID 1912 wrote to memory of 1304	1912	cmd.exe	34
PID 1912 wrote to memory of 1304	1912	cmd.exe	34
PID 564 wrote to memory of 1384	564	voiceadequovl.exe	35
PID 564 wrote to memory of 1384	564	voiceadequovl.exe	35
PID 564 wrote to memory of 1384	564	voiceadequovl.exe	35
PID 564 wrote to memory of 1384	564	voiceadequovl.exe	35

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1304
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1e4deced60398489ccf80396e6925a5c

SHA1
0ff50b4777be2ae7f27131fbad7dfd9f92a87473

SHA256
bc9e8d966df077269d95cee7aa16cfec04798ba8c1532759ac886e5a94367b2b

SHA512
0e0c6fb0f7681ef05a96e08077589492b114010023ec2af647d64f5fad6f5c90565824439249aa8e492089f1cb435df0242462769949d660e4e6a63bb282b4b5

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
223.9MB

MD5
1213eb2c0055cf378b8b5e7e2ad0085a

SHA1
932911f41bc9ff1ac7797bd9e3fcb9ca7c6ec562

SHA256
9138279ee9584e9cee7b5b2fcc494453a3f62de5ea93d9f85956f9fceae98e5e

SHA512
03d7913a74685d2fd99016145167350328cbed0e123d26b58c6b2baf94a70d04725577dce6e893c2301231d21800fc2920086550e772fb27211816aef1161192

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
243.0MB

MD5
f10fc529ccd582f5a970e362a3254b09

SHA1
44eb217bedc6d2065ba281e8caea11ef81378c91

SHA256
790a717ecaaab69fa60f47030225512d9fd457f441b5aed553be8d6fa2959f5f

SHA512
6815227bc73e4e1d760c352f32a81003c42f60d012b86edab2e597a27a80faadfe2a0d40d4a459468487949419a2f729bcca4ee855afe2d56f5f29fec4c6e813

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
1.1MB

MD5
8a023face67ef1cdef72c12f3e17692b

SHA1
dfc3792e2f553ce28cfafda78d2a06b32835a081

SHA256
a788d895c5fdf5be7a8b17252fedc3f6190bc9c93447f44b4e4e6e06f1f7e803

SHA512
c20a1ff538a327410d4516059bc95bdf3f68e874c6dc83c0e7c497967a9d4a319b02e1b790de212f88c7ed4853fe1a39a52e919db2f2909a6d6d2b63bd4983dd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
253.7MB

MD5
0316b5bd7c4e72e76e4d1f99798ec23a

SHA1
3144741549ac43a1362f0971254240f4f4f4b64c

SHA256
23e62b3ae0e27c86b0ad505b7054b798dfa8977607defbd1b015712bd7fe16a1

SHA512
5d02243c20a4ba2aef7904f7ab38ce7478d39a7260c6a13b0f68aa6ca357d994fb599f639b5e2019268949e9132a22a7e01d54f1ea9014f3b397a2b1b20bd064

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
246.8MB

MD5
8ab0055c015344b4fe6ef0ed9e5466fb

SHA1
2960d72deadb045e4af255c296d40a177fc51dd6

SHA256
76854af86c84226df2bda15e663e7a8aec6c887b45e877b86758fda341339fea

SHA512
b23278a9e4e0ca0c89b825dacaeec078fd032af67593e0784e38cd4ded5645a631e26d8d116e30fe54dca8d96bfadadfe38cfdcbfa25228c4b17ad3d488a00c1

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.1MB

MD5
010008c99ceb585e398023f335a1795f

SHA1
7c19c7107f2203c4ed4208f47241ba32f3b05cd1

SHA256
a20a5fc2895ce3d2c43e1061d4532de53cc41be10d5ca1376118f1e4ec6a4eee

SHA512
9a3771a053661f78ccf2f2dd0a0b329f9551f79f973a3a5d75cc180cbeff74e64138c1d252af3852b3862312a13e879d325261c5aa55e09a10e7d8aec6ddfac3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
239.4MB

MD5
5c2702ccb30e028d6766de3a501d0736

SHA1
5f8dcc4dcf6fd5653e7d7b4bdeec996fc8c32b2d

SHA256
7841ef17a21400c00bde15cfc418171838f78ed4b782db3603844e0bd4879a22

SHA512
8e3ca2a6a7854643c444db53b3c1ef4f00ce66b4746582c9d0a108d557a993d79645d17f6dfb7ae3a3fc7985c2d999b8c34696d86bfc805741766f5e08e200bd

Download Submit
memory/564-73-0x0000000005420000-0x0000000005592000-memory.dmp

Filesize
1.4MB

Download
memory/564-65-0x0000000000890000-0x0000000001004000-memory.dmp

Filesize
7.5MB

Download
memory/564-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/1384-77-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1384-84-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1384-88-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1384-92-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1384-76-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1384-82-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1384-85-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1384-80-0x0000000000400000-0x0000000000731000-memory.dmp

Filesize
3.2MB

Download
memory/1676-69-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-71-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/1676-70-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download