purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/2000-66-0x0000000006480000-0x0000000006820000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
2036	voiceadequovl.exe
2000	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
2036	voiceadequovl.exe
2036	voiceadequovl.exe
2036	voiceadequovl.exe
2036	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
384	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	voiceadequovl.exe
Token: SeDebugPrivilege	384	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2036	1992	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1992 wrote to memory of 2036	1992	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1992 wrote to memory of 2036	1992	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1992 wrote to memory of 2036	1992	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 2036 wrote to memory of 2000	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 2000	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 2000	2036	voiceadequovl.exe	29
PID 2036 wrote to memory of 2000	2036	voiceadequovl.exe	29
PID 2000 wrote to memory of 384	2000	voiceadequovl.exe	30
PID 2000 wrote to memory of 384	2000	voiceadequovl.exe	30
PID 2000 wrote to memory of 384	2000	voiceadequovl.exe	30
PID 2000 wrote to memory of 384	2000	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
194.5MB

MD5
ba78f23bbc24ad9b6c62c88caceebd37

SHA1
9c5e7cfa391d8d5c520e43f63031bf5e5f735fd5

SHA256
18d14e5d2818fe866035229177cb7ff4fb6fa7cc6466d96ce49d11c59e5d658f

SHA512
10f057a46c907fb52609bca0f4c4685a20b1ae21c6f83534f582af8e2cb01f0a73a0df8b91a46c4f76b668c592a0d76ac1bdc4537f56724c979631ebac832330

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
191.6MB

MD5
5e6a90b4728a107d3d3de0c2174b03ee

SHA1
7e3f10b543e10f6512d2669ccb58a96e3ae7f466

SHA256
a14567de9da7d7aa3b933c1ebcdff1422e6f60535c2d17f0e0b7ef846155457a

SHA512
cfd9981f3c3ead04c65042481b3117dada5274fb2217e2aa99fac9ecfbf6821d27bfea342ddc854bb151db3b29c023fc9a8cb7c2ab02eb13d496b3f356625f64

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
283.4MB

MD5
563f2493c3b19ee1ba9a7c000c6897a9

SHA1
a105b8c7293aae8674688f30cae05db2947d38b6

SHA256
42fd52476165e8283cafcce9710d787624d39253c4441e427cc538c20e659597

SHA512
aefce1f2f9768da61f481c6fdc7e934bc3206a16c8dd42bfeb2f00828f810306f2276fa3e9bca4d121e41f76a651c238656d367b67ce77a329e79c44554fa918

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
278.8MB

MD5
24bb6f7b81d8efab1847ca85aa06c278

SHA1
ff6bc8ad0502c0a0047c92ddeb4854fd0ca5dce3

SHA256
477769686cf476f2e2a6e49dc4079703122cecabf10945df0235aa4163228c01

SHA512
3068505a0009e4b343c4f2f6d253ec3e13e0b9f40e455e0e7ee0acc07e5198423aba02e83ba28d68abac227c0376c8fc2b7de655d9b0c3eb35185907dafb975e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
215.8MB

MD5
9977ac3d5aa43eec49e842792b8111c6

SHA1
0117925bc9c014e6c893da0a54d5085f419b8abc

SHA256
1eab1870c5073c98434c51c9761e2409c9068bdab5dc55fff3b03fdc4a757955

SHA512
0b1b1a7ae051f53bf10febcbe601b484e0f93c9095658a91ec77f2f413399b4490f711aba9f6e4e8245eb01eba27f2ee41fde5f134991ca6e125daf3c7f39ea4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
228.7MB

MD5
23911db7c22df976d1f6cf5b7368a3ea

SHA1
fd2cb2944adc520d2e3b013c1800b74aa797c231

SHA256
b8c48db744c06e0a8498e65ccca875c568d857ee5b38bc3e8b45250453a8552f

SHA512
7db86fbd00b145a414d134a1cb0e5c044e50a75321071ec17fa1976bf2238694216935a6b5f54dc27412e99d5e83fb02568febc44d692d5a28b2a14519d381ed

Download Submit
memory/384-70-0x0000000070330000-0x00000000708DB000-memory.dmp

Filesize
5.7MB

Download
memory/384-69-0x0000000070330000-0x00000000708DB000-memory.dmp

Filesize
5.7MB

Download
memory/2000-66-0x0000000006480000-0x0000000006820000-memory.dmp

Filesize
3.6MB

Download
memory/2000-65-0x0000000001390000-0x0000000001B04000-memory.dmp

Filesize
7.5MB

Download
memory/2036-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing