purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1892-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1452	voiceadequovl.exe
1892	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1452	voiceadequovl.exe
1452	voiceadequovl.exe
1452	voiceadequovl.exe
1452	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1256	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1892	voiceadequovl.exe
Token: SeDebugPrivilege	1256	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1452	1972	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1972 wrote to memory of 1452	1972	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1972 wrote to memory of 1452	1972	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1972 wrote to memory of 1452	1972	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1452 wrote to memory of 1892	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 1892	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 1892	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 1892	1452	voiceadequovl.exe	29
PID 1892 wrote to memory of 1256	1892	voiceadequovl.exe	30
PID 1892 wrote to memory of 1256	1892	voiceadequovl.exe	30
PID 1892 wrote to memory of 1256	1892	voiceadequovl.exe	30
PID 1892 wrote to memory of 1256	1892	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
187.3MB

MD5
f98392363e9e140573229440922e9941

SHA1
2434cf3818b1e2fd8ae7fcff1126e7f1a38e0b33

SHA256
19e5ef1b5c35edb5dc66281a4ea11a02c4ace9bd1df1130cec97988fd056e29d

SHA512
40140b4a5f7d27c6fcf4b60b884f229b75f16eb100a51c8e0af955267f72fa4d6b0c13b372cbc39231bf58e6b13957d10f03b17b47bb7fa89dddc5e88bb07373

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
172.8MB

MD5
516b070243862c2f4434b8630493085c

SHA1
08fc6ab6d09f7658fdd7abab1ee00f3fcf2e9dc6

SHA256
4798757eac698a0c976663be3f82f18f9032336db355d79d26c479b06831f78e

SHA512
87951047702a542fcdd96ec959c3ec673a03fe08bd9ac9fdac0774b9e6bc5380f58350be933682d292eda11a5a25c70498cc2765f7e7b282e99faef424a0f0c3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
197.2MB

MD5
0db9664d6361222dfe450604fa10c82c

SHA1
3ef395ff9f69502a3e13c1f02cfaf781b4979bb8

SHA256
0bb53e21c873202b0b7c948b963a2df9f9ab03ab8cef447cb2aa7cfa2864d3bf

SHA512
26d924514a0b6049f375d4c0d84d3a8435eb55f7fd8168e9a54bdf355b2c4ee7fbaa1b0ed33ff14fab789ed32960fed7447b2e88e441473ba26930a0b6106b83

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
169.2MB

MD5
a8fd12655277cf9dba3e6bb61fe21514

SHA1
6623c68257688a824b1392ebe8780c157acac989

SHA256
c12a17e70f95241a828f19393671abd4401ffcfd2ecb5fb996423c18a0056844

SHA512
c8edd87fe94458dd70e2dfa09957368e6b27dc82fdedc1d5662737d5c769d1a58a30706575b25f18d6251548c989998088f2466d51032b66b77d9bd06ba26dd9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
200.9MB

MD5
63fb53c289f78384af84243e21b3fd3b

SHA1
95b7e06e9030de45b63e7bf2e36a6428545cd1c0

SHA256
18a9b3d68a965e2159825b9febf09e58746d1f1d556c8249b97d92dd1a41ea6e

SHA512
0cc6ace1cb884eac33942e12cc25d52cd46e97c1ff373f10d1a3af49bc437f71cf7819b428bffd4f37658df9338b53eb6f9e7ddbee594fe5faacfb7142da8ec8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
192.5MB

MD5
9052b99f28a4f10a412613222857b854

SHA1
c7b15344a9c0c93677303a400460d7687db9a613

SHA256
45b086fd036f0132572b8c4444324a8e5fb6e00db932f923ea238e1cfc602d79

SHA512
5b03b4115e20dc5d228ebb817d4ddffea9e0a93d4d4bfd9939238fd647134ba4e1d248a59a823a663c1cc443cc58e38844ffbeef95daffe26ad3523915d01992

Download Submit
memory/1256-67-0x0000000000000000-mapping.dmp

Download
memory/1256-70-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/1256-69-0x000000006F3D0000-0x000000006F97B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-56-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1452-54-0x0000000000000000-mapping.dmp

Download
memory/1892-62-0x0000000000000000-mapping.dmp

Download
memory/1892-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/1892-65-0x0000000000370000-0x0000000000AE4000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing