purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
120s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/852-66-0x0000000006490000-0x0000000006830000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1452	voiceadequovl.exe
852	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1452	voiceadequovl.exe
1452	voiceadequovl.exe
1452	voiceadequovl.exe
1452	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
288	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	voiceadequovl.exe
Token: SeDebugPrivilege	288	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1452	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1532 wrote to memory of 1452	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1532 wrote to memory of 1452	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1532 wrote to memory of 1452	1532	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1452 wrote to memory of 852	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 852	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 852	1452	voiceadequovl.exe	29
PID 1452 wrote to memory of 852	1452	voiceadequovl.exe	29
PID 852 wrote to memory of 288	852	voiceadequovl.exe	30
PID 852 wrote to memory of 288	852	voiceadequovl.exe	30
PID 852 wrote to memory of 288	852	voiceadequovl.exe	30
PID 852 wrote to memory of 288	852	voiceadequovl.exe	30
PID 852 wrote to memory of 928	852	voiceadequovl.exe	32
PID 852 wrote to memory of 928	852	voiceadequovl.exe	32
PID 852 wrote to memory of 928	852	voiceadequovl.exe	32
PID 852 wrote to memory of 928	852	voiceadequovl.exe	32
PID 928 wrote to memory of 328	928	cmd.exe	34
PID 928 wrote to memory of 328	928	cmd.exe	34
PID 928 wrote to memory of 328	928	cmd.exe	34
PID 928 wrote to memory of 328	928	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:288
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious use of WriteProcessMemory
      PID:928
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:328
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:816
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1516
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1808
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1680
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1052
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:804
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1980
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:1652
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:808
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0535e4747d90a59d5e9f4a8b3b570c62

SHA1
20653910ad98d5672ba6536c62622e9715495fc9

SHA256
429d8c2253f9e4cd02042b92e4bcee0d9b1848ff5e494c8ecd7c4e8f7048cdd3

SHA512
d1e75666ad143484834068c3636c35e069ac1bed195c2c874c0b3b2d9d1ce6c539b6a11f01c7100afab5acfe41540aef381a82cd327d4177df1c2cf879933c86

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
184.9MB

MD5
a3a1870f19e9df918eed27b512575a15

SHA1
191002326af1f704ed0c4725438ff650bfb5164f

SHA256
651e559d5fd29d67e929cd99e5c40a4a19598064ea669b3db114d4e667a0d5c8

SHA512
a7323c4db11e7e203c3665a3a2abfcddc8f8e7afe05dc91c4d690a2d05b62af0b53a489ab7dcdb3ab70037df4c2973e1ae9560ca9d147fc4685da19682618874

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
199.0MB

MD5
f5df90775011edfcb71d9a1451d0c0dc

SHA1
e9a40a30897a79e67b83671b84124992e2eca315

SHA256
bfce254fa86c1991fb0a2a081445f919e1b2369c8219da9b07b6a5d1caf91187

SHA512
50a344652fee59973704281a1bd525ad0a9c9ef3fdf279973dab2fe9432e6e7c7cf88753b2405048821454ee9c998d59fb746a6694fcfe63c4161ca7c797c399

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
30.1MB

MD5
e4fa68358cbde86bdd695254c46270f6

SHA1
1d014e5e4f14985ec37670fb44da47a6fbea880c

SHA256
d9546622cdf9d3e1b6d2243201b6b5808df5bb5a5e6d9c38ea1088501b148152

SHA512
1e5d76726e95ff44144341fde63590c1371741caf77680529c79d1e2f020b2caf7303e0751236ae4d732047ebf7293318610d002136fbcbd1a816aceb12b1253

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
30.1MB

MD5
d8223a1bce3f5699a0867678b671ea3f

SHA1
bfd60212c9d67d6eb1b4d0ffc95ec66ae757746b

SHA256
c48e779fc205c725afe3ef40af1a30f09ec169ee6f7df22d7faf70285535facb

SHA512
ab79770c5410113eafe987ec191521d140330fb4f1f36d47516ff4b8cae9d0cdd319186c33908e3f5521122e596ac40210288170497759af0ed010788618c4ee

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
30.0MB

MD5
fff97730de500521887975039875f57a

SHA1
a041ab3b8b244efda27e2712253120004ef5e272

SHA256
6e6a708af5bcdae1e00988cfd01883148f85300d1724f5f4942ddd538c6fa0a6

SHA512
f79b1fd4dd7ec66c01a508e08800dcf25889034c22ec18d169ac7446467169f26bf45ad5c2996364531d9b4d605bfd6db1deb8b6b90db24a0887d5736514d452

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
28.9MB

MD5
f119913fd8c6e2ca6541673c0e20afb2

SHA1
93804a3f1b7b81fc07a3c7cab7462fd1e7b24225

SHA256
3113d49f7c71233291873b221323957ae8fa8c3a3cff053c5974d4e1289e6a6b

SHA512
c173f237878ce06d0f3c2765d84e9b5c4f833dd773cf0fc53778b1641c7f21f9744ca26fe81432bbe9812dce9eff1f5b57547f6f8b00353970d6a4a278715b29

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
29.9MB

MD5
f193265e59f74cb447caaa17df895bf8

SHA1
d41c4ceac87b48bdbd516e6c21cddadf823bfaf3

SHA256
966c9feffa45c133416906e46e007fa01cbc28ea81b71d2fc1ee0fbc2271570e

SHA512
7de812a0f104345915300b7b03b4bcaf8777214fc1857d253094810f2cd863a79efd75d1e7b29157ce01abfe55b6bb9217cc38ab87a929d4bff4c93788f17de8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
28.9MB

MD5
309fc0ead28295fb3a87b642547627e7

SHA1
265e907461adb92e82142d2322281acccb7b58e9

SHA256
a12494b431335e4a81751954dc871198f1623bfae823b90c7b72775b7a66f593

SHA512
ea7ccfebbfad4bd391fd6e29524664069f94d6eb6b89ecc97d5de40f98a6922a4ed269174aab1df530f275bcc6aafb7f6cb4575270f455cf8e3f8978ef06ed84

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
29.8MB

MD5
29788fbd23d4279063b9c719264175a9

SHA1
284aae0cf03d83db1e0612e224d37d0f2e0d4ec3

SHA256
223568bb39b4dc41a142f0e958dd59bafa7e8eb3857faec4920a868e3a2e0357

SHA512
68902f4a3a3878912cce92c9bde64bdd1c3d4b929e1e9bafcf1cf7aa7070ccc2740bcb1460d414b9e5f0920ce0e1b36d4a37252d1d410766c6eb4ba554d3659f

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
28.9MB

MD5
309fc0ead28295fb3a87b642547627e7

SHA1
265e907461adb92e82142d2322281acccb7b58e9

SHA256
a12494b431335e4a81751954dc871198f1623bfae823b90c7b72775b7a66f593

SHA512
ea7ccfebbfad4bd391fd6e29524664069f94d6eb6b89ecc97d5de40f98a6922a4ed269174aab1df530f275bcc6aafb7f6cb4575270f455cf8e3f8978ef06ed84

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
29.8MB

MD5
4fcfd642e506e47bcdf35f4e1632e442

SHA1
ba6ca715de987c3ed15ac356f8b6911bff252fcf

SHA256
3310718a972304b9fb2093dd5850d065052f41b70debd36e5155a9e4fad754a0

SHA512
6666ac9db83d7e8256e66a89e59df4f29812f6297ed405ce48c660dd71947104d97888a501f8ec29650cf7ed82d52ef39d39081546cbefd873a2241230813d49

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
29.8MB

MD5
29788fbd23d4279063b9c719264175a9

SHA1
284aae0cf03d83db1e0612e224d37d0f2e0d4ec3

SHA256
223568bb39b4dc41a142f0e958dd59bafa7e8eb3857faec4920a868e3a2e0357

SHA512
68902f4a3a3878912cce92c9bde64bdd1c3d4b929e1e9bafcf1cf7aa7070ccc2740bcb1460d414b9e5f0920ce0e1b36d4a37252d1d410766c6eb4ba554d3659f

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
241.4MB

MD5
72883e11b4c0b431643d41073654fbbe

SHA1
2695b41735bd83b0cf2293e6f8749b3efab54632

SHA256
d0715765ff58bcf56df5f25a2e016389670b98481561207c135926f7007b99ac

SHA512
ea2a0a2db862322bce4695e333efa4aa1bcd941e72d791b43a6ea01fee013cc547321493ac1b575e4504f70bccc7fce200711e35fef22b740036beb80fc85ea4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
200.1MB

MD5
6dbcfd4f2d13f9b11a084e9b572ad940

SHA1
7240623ed2bdc0aa28e5423276fc688b1eb3250e

SHA256
3ee4c843852a582db16d9b692f6bd2055af172d00efa5238da2e87eca5b0d55f

SHA512
43f3cf288ef180d8d31420ba7f4d818b5cb5220764936ee889ffa7e5bccb52c536942d22c445f75e21ac8f59c4cd96f7eae442fa1e95e333b38ef31d58273e99

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
192.3MB

MD5
ee952564ac78f93d90b7c8dc28470e8b

SHA1
e4e9e97363481882349358cd65f20df7cddf8301

SHA256
193a1ffe6c101d72dbc0eaa5fb6940ef9536db12ac9f79aa9b94dafbe219a6de

SHA512
05f1bc8848a2799b7ad67b5b3082a551b7dfa225e4d3ea9882df12b091f2ad4465e1f27361c8f6f85ab027f4a86c0edf990f4235bcaae3f64504c2376e24dd05

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
210.1MB

MD5
2cbf329b791482ec8847194eace273ad

SHA1
aac88b024525fcf8c26e0805331e773fe35b904a

SHA256
8b6bb4ab9349e7cb806e913fccb5bb587ee6698fdf885788a60cf96bc0d01448

SHA512
7b3cc6a2b76878ab51533e922aab278240c965ca5c7976aed936c2b389f655a5b4c4dbefc673b6c1db17f2e15d528f9753aeba99867aa4c143c59555e2c73a14

Download Submit
memory/288-71-0x0000000070170000-0x000000007071B000-memory.dmp

Filesize
5.7MB

Download
memory/288-70-0x0000000070170000-0x000000007071B000-memory.dmp

Filesize
5.7MB

Download
memory/288-69-0x0000000070170000-0x000000007071B000-memory.dmp

Filesize
5.7MB

Download
memory/328-88-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/328-87-0x000000006FCF0000-0x000000007029B000-memory.dmp

Filesize
5.7MB

Download
memory/852-66-0x0000000006490000-0x0000000006830000-memory.dmp

Filesize
3.6MB

Download
memory/852-65-0x0000000000030000-0x00000000007A4000-memory.dmp

Filesize
7.5MB

Download
memory/852-74-0x00000000053B0000-0x0000000005522000-memory.dmp

Filesize
1.4MB

Download
memory/1452-56-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download