purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/432-66-0x00000000065C0000-0x0000000006960000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1748 voiceadequovl.exe
432 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1748 voiceadequovl.exe
1748 voiceadequovl.exe
1748 voiceadequovl.exe
1748 voiceadequovl.exe

pid	process
1748	voiceadequovl.exe
432	voiceadequovl.exe

pid	process
1748	voiceadequovl.exe
1748	voiceadequovl.exe
1748	voiceadequovl.exe
1748	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1364 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 432 voiceadequovl.exe
Token: SeDebugPrivilege 1364 powershell.exe

pid	process
1364	powershell.exe

description	pid	process
Token: SeDebugPrivilege	432	voiceadequovl.exe
Token: SeDebugPrivilege	1364	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 1472 wrote to memory of 1748	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1472 wrote to memory of 1748	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1472 wrote to memory of 1748	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1472 wrote to memory of 1748	1472	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1748 wrote to memory of 432	1748	voiceadequovl.exe	voiceadequovl.exe
PID 1748 wrote to memory of 432	1748	voiceadequovl.exe	voiceadequovl.exe
PID 1748 wrote to memory of 432	1748	voiceadequovl.exe	voiceadequovl.exe
PID 1748 wrote to memory of 432	1748	voiceadequovl.exe	voiceadequovl.exe
PID 432 wrote to memory of 1364	432	voiceadequovl.exe	powershell.exe
PID 432 wrote to memory of 1364	432	voiceadequovl.exe	powershell.exe
PID 432 wrote to memory of 1364	432	voiceadequovl.exe	powershell.exe
PID 432 wrote to memory of 1364	432	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
PID:1044

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
248.2MB

MD5
7623c0c598a0015bc69349bacc4e39f3

SHA1
c2e27fed0712c8dd0081b82bd6f2976e903ebe65

SHA256
fe9fa0074ec8291f3ea78f0182b6bd38c52b8921be82d972909051c2663884d9

SHA512
04f351a14d0aeb94f6ba01ec086e898949038b39b33c3a3e41f59101c2144cfdfec6476b779055c270d6b4ed12f00824b4e6ba599deeeb393b2b583294db8089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
232.0MB

MD5
b2286de339956599424f1f156ae66e3d

SHA1
9cbb5c77c0ccb9a19cb2a9d1bdb3bf00d3735ea5

SHA256
8c9ad88a5d681fbf68337c4483b6e1a06787ee27f07113accec5a49a9a11b8b0

SHA512
48ee304d7c96ffd37996762afca0bf02cd3eb17c7cae166c1f8efac31c8698a69e51374a044032f407c8819510f1710b469ddb5969d112f1bbd42c3e9b463118

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
302.2MB

MD5
f65c5350f17fc9bb3e23013c08e10ca1

SHA1
56e4c6999618559a346bdaa09ea5a27617028100

SHA256
c9faaa63c44ca7e5c7003aa1b603eb07be30860011e28707573124339fc88c30

SHA512
a6744765776ba63919d9a0f93629eea27bc9e9ebcbd281d3426549b1a1383bca4d8d5786967683e8a12f9d6bbb8099be12b96a40cdbc162c623b81b309a3cf01

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
295.3MB

MD5
44aa0159e1f82c635b81feb90745a13c

SHA1
f369d68986d4217ebb9f355347f31c26b739ed0a

SHA256
67c61d8f644cd401bf22c6f69efceef09890fb6bfcd5811c6537a6ebd238ab94

SHA512
0582b88e5ba9fb792f076430371b8d7b4f7fe9221b61dc0deed9b33ce4ad21523409850efa389b27bc8c540fadc43d1efff4578cbbbc5f6048f4215504407f80

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
299.4MB

MD5
b086d2ce909526d1a66d6cdfcc65c23d

SHA1
f484e570c31bf588ac0125d152a3490cca7489f3

SHA256
4cb9d2df0f6fded54585eb17bc0bd2b97dcffede1b70572124c0ad62a5b2083b

SHA512
639f74694542964133da6f244ed396a927355e8753a7cf6a13bc72da3b37810ebef6e4d4692107c00ca65f9b0cb2de382578e586c098df07efd50ff43d0be317

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
302.1MB

MD5
8f1a5e8a4e8c28330149e1754a7c4e2d

SHA1
d9fa677bd13af1ea3f57f65da9ec36fed818b9c2

SHA256
ca28ee88cc3f246ff93d1e828eb4b7dbf1382acdf0c1dd224bf98bdc255f4bd1

SHA512
f766084cbbd9cb74ed2295556fb366b6510e20b84fb7bb91784bbc1365b497c690363cf918ab302a3c9345f439aa4152e18ee08100ed78846c57851f85036400

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
280.3MB

MD5
fa6e5a0db08c86f7ab16402b9d55296f

SHA1
d1e356e60cec2ada6e72f50fb5fafe7e838f9f95

SHA256
197c1367c9113f7ab5152a1484b4f2f84ebd476eaf0112260d74088a0c13d3eb

SHA512
95d51db88b53eb0c133da5a7ef36f5887503e6e22e13449af5e5d970ef8cc48b43fcc8a3f9e944680e0781fb2441beb60a5e9f475893e19ac350acde399e8fe6

Download Submit
memory/432-66-0x00000000065C0000-0x0000000006960000-memory.dmp

Filesize
3.6MB

Download
memory/432-62-0x0000000000000000-mapping.dmp

Download
memory/432-65-0x0000000000180000-0x00000000008F4000-memory.dmp

Filesize
7.5MB

Download
memory/1044-72-0x0000000000000000-mapping.dmp

Download
memory/1364-69-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-67-0x0000000000000000-mapping.dmp

Download
memory/1364-70-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-71-0x000000006FEF0000-0x000000007049B000-memory.dmp

Filesize
5.7MB

Download
memory/1748-56-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1748-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads