purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/580-66-0x00000000065E0000-0x0000000006980000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1416	voiceadequovl.exe
580	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1416	voiceadequovl.exe
1416	voiceadequovl.exe
1416	voiceadequovl.exe
1416	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1200	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	voiceadequovl.exe
Token: SeDebugPrivilege	1200	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 1416	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2032 wrote to memory of 1416	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2032 wrote to memory of 1416	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2032 wrote to memory of 1416	2032	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1416 wrote to memory of 580	1416	voiceadequovl.exe	29
PID 1416 wrote to memory of 580	1416	voiceadequovl.exe	29
PID 1416 wrote to memory of 580	1416	voiceadequovl.exe	29
PID 1416 wrote to memory of 580	1416	voiceadequovl.exe	29
PID 580 wrote to memory of 1200	580	voiceadequovl.exe	30
PID 580 wrote to memory of 1200	580	voiceadequovl.exe	30
PID 580 wrote to memory of 1200	580	voiceadequovl.exe	30
PID 580 wrote to memory of 1200	580	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:580
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
279.0MB

MD5
f5fb4cfe4c23ef34b14cb46e72aaa397

SHA1
afe716fc964151d907d7e6a266efc3ff78f4d0e3

SHA256
98ce914f67c60be1eee1edd917c0290b5ccf7eb973fc17f3a84fae149ad7abc5

SHA512
1839e4ce1b665568e69a91da9c10b91daf7accba9582878a28570b956959e0d7aa32b0eadaf023634bd469494ae095bedbf4af0c62f64c1d29a4fbb620093275

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
255.9MB

MD5
a8a89a09f698c4b2e9d9af900bf4d34e

SHA1
d2ac4eaa426fe548d99379cb02324a61fb010006

SHA256
979f9a53955a7615fa8fadf952553c8c4cc3a0dbf0f95afdf918576c33f5a7cc

SHA512
45b799c8ac13e1a58aa28494f084da21afd83637ea8ed3776d675251fb563487ed3fea38d9d9a2d4159168e34c3147f2f72fd7387452b86bc69e0e9e8d560109

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.0MB

MD5
809878ce7936b3fd2d67ea5f365fa07f

SHA1
814eeea23567598bd174c79f8b5df369399f357a

SHA256
0e2c1ab2219155b2e905869c75f15c1b3f06bb3905acd941f90bd3db1f42d6dc

SHA512
4270533abc0f00bd3937f2df1933031b15d0b836a2002bdea287c7f1e0fbab98a5f5c19f9f29b0f44858204797962bf6f25c1f36df2424dcadd31a3896bc64e4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
245.7MB

MD5
b1002dd9e9c61a0abb411c64e9f5c727

SHA1
eb608c3d88451bb19d767544b9419e05535fdf4a

SHA256
f31cb0bd7d72ece441bf1b9ae9ae6b261fa5e638159ace8beeaf6e4466486690

SHA512
997247aeeded22394ead717acef7e16693e3feefc2b37e6238bcf9efe91cba2afec4e04f7b8777abb0f67226ec157d9513a8cf7d3c2180eac5719fc0055bc9ff

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
277.6MB

MD5
150a2f1ab5c48d202cf9a90ba0f7ab84

SHA1
0c2e26a417b03121375f570fb576a655f0be9c00

SHA256
4b397808804c60d513e953ea8c78c950ad18d37da1c5aded473e5b319e1caaa8

SHA512
f71025341a62e1ac23d7fef480ace26ecbf3cc66d5462704eabf8b90a9650055fd46039fc35d66067f0fce8df9fb5bb9a967da1ba82db8f5554ea2450c26a1e8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
272.9MB

MD5
86f9ddc3be53eb4ba042ee9d59c0afa0

SHA1
3a439a0c998c88a09427abb46f2835c9f01753c2

SHA256
ff5c5003787841483100ddd3ff95101359251dee68cc646d2ce320944f317c71

SHA512
08689af6e10d8561fbe7380ec7ef3e7708240202734be97802c7c4f0f9bf5281a9dd775e485c39b13e1a0f23243d2985a141a57abc163d77375618b7e69cf060

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
264.2MB

MD5
73856ef6c28943d3295c80ebaa8baedc

SHA1
f9b179779ae181cdeafca9c55155938e01290dad

SHA256
7cb0863ee129f02f0db62baefaa4d816395180c8d736050faf667852545da016

SHA512
78843326d50e20023ee148bdaaeeff266b1551bdfd4655f9d4a526e5ed3e30578c5b72c09efd9f5404b4c10a4f725bdb3b3c4b3bf85109bad6356755fa5e4612

Download Submit
memory/580-65-0x0000000000840000-0x0000000000FB4000-memory.dmp

Filesize
7.5MB

Download
memory/580-66-0x00000000065E0000-0x0000000006980000-memory.dmp

Filesize
3.6MB

Download
memory/1200-69-0x0000000070010000-0x00000000705BB000-memory.dmp

Filesize
5.7MB

Download
memory/1200-70-0x0000000070010000-0x00000000705BB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-56-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing