purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
141s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/572-66-0x0000000006360000-0x0000000006700000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1956 voiceadequovl.exe
572 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1956 voiceadequovl.exe
1956 voiceadequovl.exe
1956 voiceadequovl.exe
1956 voiceadequovl.exe

pid	process
1956	voiceadequovl.exe
572	voiceadequovl.exe

pid	process
1956	voiceadequovl.exe
1956	voiceadequovl.exe
1956	voiceadequovl.exe
1956	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1692 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 572 voiceadequovl.exe
Token: SeDebugPrivilege 1692 powershell.exe

pid	process
1692	powershell.exe

description	pid	process
Token: SeDebugPrivilege	572	voiceadequovl.exe
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1964 wrote to memory of 1956	1964	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1964 wrote to memory of 1956	1964	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1964 wrote to memory of 1956	1964	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1964 wrote to memory of 1956	1964	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1956 wrote to memory of 572	1956	voiceadequovl.exe	voiceadequovl.exe
PID 1956 wrote to memory of 572	1956	voiceadequovl.exe	voiceadequovl.exe
PID 1956 wrote to memory of 572	1956	voiceadequovl.exe	voiceadequovl.exe
PID 1956 wrote to memory of 572	1956	voiceadequovl.exe	voiceadequovl.exe
PID 572 wrote to memory of 1692	572	voiceadequovl.exe	powershell.exe
PID 572 wrote to memory of 1692	572	voiceadequovl.exe	powershell.exe
PID 572 wrote to memory of 1692	572	voiceadequovl.exe	powershell.exe
PID 572 wrote to memory of 1692	572	voiceadequovl.exe	powershell.exe
PID 572 wrote to memory of 560	572	voiceadequovl.exe	cmd.exe
PID 572 wrote to memory of 560	572	voiceadequovl.exe	cmd.exe
PID 572 wrote to memory of 560	572	voiceadequovl.exe	cmd.exe
PID 572 wrote to memory of 560	572	voiceadequovl.exe	cmd.exe
PID 560 wrote to memory of 1264	560	cmd.exe	powershell.exe
PID 560 wrote to memory of 1264	560	cmd.exe	powershell.exe
PID 560 wrote to memory of 1264	560	cmd.exe	powershell.exe
PID 560 wrote to memory of 1264	560	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:572
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:1264
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1808
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1268
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1868
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1876
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1972
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1556
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1496
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:436
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
232.7MB

MD5
465918d95b00505cc73221ff9475a9e4

SHA1
b5a95c094de66ea253e35ded91d555362f17369d

SHA256
aa0c3ad3a284387b4f724a3911a751b66361ce4cd41b850cb480ad0c8d76fcb7

SHA512
d0edbb191c96075564bf5900369ff4456c1043aab0543b0fbe1ed79dbc166d5be67aa67fbafe8630326462350b4ad09b5d8ce42c8a6f9483eebb3d52fad4fffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
364.2MB

MD5
56bec31790cff231cad17feb91d966e0

SHA1
f0e0e3d9ed90944de07ac586d93831e3ffe1944b

SHA256
173361054a3cee8c1b12d041a85362acca7249baf9b36fb42913cabd9d8fa253

SHA512
07d154f88dc8ebaa390dceec710d85384e1f1771a78048238f475830d8c0451894b3bf0e108acdc19f3b62ac6528386b19172c28ee175809dc9d1b091df9c5d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
106f7d8ec716f7d8b5956cfda63055b3

SHA1
991162df4244ec43457ac74a5b1b117c6c3503c9

SHA256
4185d8903d1307f9cd3563c40951d8ade89be106eddc88e35d7d42e8f87cfe9c

SHA512
6995c178c9222c8d2c3f5aaa737e8db8dbf9e98356508484db82c5eed06a1f163efe1661d4b130ea11d6c81f53948b0f9757015b8797583c0fd10343bf1b21a9

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
258.8MB

MD5
a898bdd4a96b77adf8e0bd6ca2ec2fae

SHA1
c21a3607566df35af34953d5b07e06adeac2f983

SHA256
49bba7d449b5118d377ac9fa2103ae0f24e2d4170b73707831e51f1a6835c325

SHA512
0194030f3f7d01a4e6d8ca67ba7caea153f195b1f2f7ee1541a9a7594dec1d244beacf31c6eae105c841f334ad7cf7ed257892f97a78e590e45bd794cb37a3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
221.4MB

MD5
052fc684cba31eeaa2a59879dc205835

SHA1
3222fbf90809b23fcc4bf5149303b7bd84b84be9

SHA256
cffe8b95fc8d1080a7daff233a68ca59e37611414aab8c74a2274c94a35013c0

SHA512
b20f8fc1ea6466a4148a23f331c359dc66356285c4aae66546257029805e04dd2b5e74e37ad8556b4c195226dbdbc7564ffd7888c53b8ccd683bf269665a355e

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
8.2MB

MD5
c6b6e64c95e4ab752215174d533177a7

SHA1
c1bee3e244da7baf51939ce0080371fb78701768

SHA256
4aa678679967d4904fc3884564bcdcac5b98a88c3eb95e9a97cbf7b4c6faa4ee

SHA512
5c3bf946db54e08b806eca9a8e7c1d3f86d806d7580d29b640fd21a00fdafa2a534f2ef60d19bed8fd5ed9fa9ba0cc1fd867c42dd103955ee039555d7c0cb96b

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.9MB

MD5
e21b43f4ca2e5bab7575aa175e61bf46

SHA1
afc38ef3e54894607c2c587fe4d67f301a7b34c8

SHA256
c7619b41ecd1564986d9eba15f497a962724ee428d9988acda816ed0dc6203a7

SHA512
a2c82d6637adacafaedd6d4025f39f1a16832304ba5465e9625cabfa9ba5608610562f060edc8deea82e2f075adabe936f9b402114fb590a45b229f933037bb0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.4MB

MD5
25f3104dda89c4c3ad262d29a4031df1

SHA1
84c4515d3406b55746efbb032a8e763790706a23

SHA256
78057fa3712908b70d24065b6fd8e2f7baff5f8f471992ed21f9647ffb3d3586

SHA512
c6f6b2750bc12ddcd4861fcadcf61b74064f942ad51f35fc31a4b7726ece310496fe817b9fa7aebbe2c03b45adefe78967d89ebb93ec5bf6e7fc0628b97a047d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.4MB

MD5
25f3104dda89c4c3ad262d29a4031df1

SHA1
84c4515d3406b55746efbb032a8e763790706a23

SHA256
78057fa3712908b70d24065b6fd8e2f7baff5f8f471992ed21f9647ffb3d3586

SHA512
c6f6b2750bc12ddcd4861fcadcf61b74064f942ad51f35fc31a4b7726ece310496fe817b9fa7aebbe2c03b45adefe78967d89ebb93ec5bf6e7fc0628b97a047d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.9MB

MD5
fdf073fcc139d9295b2b42ff594e25ef

SHA1
34001ed0f3bef7f9f33f30446357dacf74c1cf92

SHA256
f4e6f208964e2797935c608f1fd7b7101a0ccb9e5c4b6afae607a737b3d909f9

SHA512
d39e1838530e4e3fcbefa2c0e6f3ab73632b510f86e83b42a47d664accdd4e1d6173503426e3143e194badf8abd7fb159ed447e60f7b01f8baf20a5dec411c1d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.4MB

MD5
25f3104dda89c4c3ad262d29a4031df1

SHA1
84c4515d3406b55746efbb032a8e763790706a23

SHA256
78057fa3712908b70d24065b6fd8e2f7baff5f8f471992ed21f9647ffb3d3586

SHA512
c6f6b2750bc12ddcd4861fcadcf61b74064f942ad51f35fc31a4b7726ece310496fe817b9fa7aebbe2c03b45adefe78967d89ebb93ec5bf6e7fc0628b97a047d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.9MB

MD5
e21b43f4ca2e5bab7575aa175e61bf46

SHA1
afc38ef3e54894607c2c587fe4d67f301a7b34c8

SHA256
c7619b41ecd1564986d9eba15f497a962724ee428d9988acda816ed0dc6203a7

SHA512
a2c82d6637adacafaedd6d4025f39f1a16832304ba5465e9625cabfa9ba5608610562f060edc8deea82e2f075adabe936f9b402114fb590a45b229f933037bb0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.5MB

MD5
4b2deaca2a79ae4c27693da940ab6a11

SHA1
175e8bc4de958ddc3ae2f5964f6cdcd0913c4b13

SHA256
a7dbeba7ae3dacde8cd727721780259602b2b3e36837816d3172d5d6012bc7cb

SHA512
cb37a8ed111a42ea1a5397bf3c124b7cd19b4a9bc1f59ce47d84b2977e84431642a759922473909f9e63957cb33e91daf95b53cdd051fbeddcedda08a76bf828

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.9MB

MD5
fdf073fcc139d9295b2b42ff594e25ef

SHA1
34001ed0f3bef7f9f33f30446357dacf74c1cf92

SHA256
f4e6f208964e2797935c608f1fd7b7101a0ccb9e5c4b6afae607a737b3d909f9

SHA512
d39e1838530e4e3fcbefa2c0e6f3ab73632b510f86e83b42a47d664accdd4e1d6173503426e3143e194badf8abd7fb159ed447e60f7b01f8baf20a5dec411c1d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
7.8MB

MD5
1c64a2c0c9df1f771ebf82826ab377ac

SHA1
241b08cdeced6a4d1c4db91f113d6494ccc04b8d

SHA256
aa5afea17ddd982e071540097362c4fa3af17e768369edc7b8ec71b0f256910f

SHA512
14fa91bd09b11f37c4c96f4c0410392a30f6f2cba26892e0277c688e3f762239bd098c73c2968ced68e2c5238a04bd7c709a1d18ccc1e6da3b55fd3192911a02

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
249.9MB

MD5
8e4da8bc478244c4abd023c6ebf2e32a

SHA1
2d3b7ff4038f9dfdd6b90f6695dbe9b07fc43d20

SHA256
30c54887e2122d1da452def7225a07fd97fe16af8a6eedc4c7c692fda0d53b75

SHA512
8cb40908aae1d4440d1824ac18fff00079909d8c18da6cc10972a9f2b5d1b007a42d3940be07d6ba7ae5a3575c92da71f62124bec06972d835cb90164d9dc283

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
232.2MB

MD5
2f639f3f7db187ea4ba840210fc08fba

SHA1
de165dea392355a6c633c8d4806c8ee12529971a

SHA256
b86a4d72d5d270f81ecc8d79bca8b36d21957bec7f113db6e4c2dba6b4585e79

SHA512
e20fe4346cbccef00374dc4f2c4c34d38932caecfe56df74ee113835529351da07660f814b6e6abfd4e19f0aa67cae27537ec841816b78813a2c4b72c47f0153

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.8MB

MD5
ad54695bbaf35354b16f2fd96bcc59ee

SHA1
08e40d28816cb36c5d4406d87632e119580897e7

SHA256
1428d79050870d0a7463da6c86dfc695837014d57d308b821d9582d16f9492b3

SHA512
5047fbdd0b82c527da1649b2fc997eb79db60326e6ca49507e5815bcd6232de8ac95c820c729b014aa1750082e2ec1a0ee3dd55a736111a04c274485a7022bfd

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
251.2MB

MD5
6836cab7bf45f5428707eb2079520c5f

SHA1
fc8dde50bbb3b9cdfe965f6ce087261554354635

SHA256
4eb2fee08ce6905fc8d03f79395b928192e1cafad87f8e2c197d907c12fc1b97

SHA512
0fb48beb979c7ff2b8f1f23545d039ba62c57719f42b079bdc085b749814140e8f955405368660d0a68bc8671caf952e610d9202296f9bc30265fe4ff315efbf

Download Submit
memory/560-72-0x0000000000000000-mapping.dmp

Download
memory/572-66-0x0000000006360000-0x0000000006700000-memory.dmp

Filesize
3.6MB

Download
memory/572-74-0x00000000052B0000-0x0000000005422000-memory.dmp

Filesize
1.4MB

Download
memory/572-62-0x0000000000000000-mapping.dmp

Download
memory/572-65-0x0000000000080000-0x00000000007F4000-memory.dmp

Filesize
7.5MB

Download
memory/1264-73-0x0000000000000000-mapping.dmp

Download
memory/1692-71-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-67-0x0000000000000000-mapping.dmp

Download
memory/1692-69-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/1692-70-0x0000000070060000-0x000000007060B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-54-0x0000000000000000-mapping.dmp

Download
memory/1956-56-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download