Analysis
- max time kernel: 111s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 05-02-2023 13:08
Static task: static1
Behavioral task: behavioral1
- Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Resource: win10v2004-20221111-en
General
- Target: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
- Size: 3.6MB
- MD5: 36fd273ea7607d3a203f257f4e2649ed
- SHA1: 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
- SHA256: 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
- SHA512: cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
- SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh
Malware Config
- Extracted: aurora
- 45.9.74.11:8081
Signatures

Detect PureCrypter injector (1 IoC)
| resource | yara_rule |
|---|---|
| behavioral1/memory/752-66-0x00000000064F0000-0x0000000006890000-memory.dmp | family_purecrypter |

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.

Executes dropped EXE (3 IoCs)
| pid | Process |
|---|---|
| 1688 | voiceadequovl.exe |
| 752 | voiceadequovl.exe |
| 1476 | voiceadequovl.exe |

Loads dropped DLL (4 IoCs)
| pid | Process |
|---|---|
| 1688 | voiceadequovl.exe |
| 1688 | voiceadequovl.exe |
| 1688 | voiceadequovl.exe |
| 1688 | voiceadequovl.exe |

Adds Run key to start application (2 TTPs, 2 IoCs)
| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
| pid | Process |
|---|---|
| 1276 | powershell.exe |
| 752 | voiceadequovl.exe |
| 1504 | powershell.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)
| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 752 | voiceadequovl.exe |
| Token: SeDebugPrivilege | 1276 | powershell.exe |
| Token: SeDebugPrivilege | 1504 | powershell.exe |

Suspicious use of WriteProcessMemory (33 IoCs; identical rows are listed once with their repeat count)
| description | pid | Process | procid_target | entries |
|---|---|---|---|---|
| PID 940 wrote to memory of 1688 | 940 | 5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | 28 | 4 |
| PID 1688 wrote to memory of 752 | 1688 | voiceadequovl.exe | 29 | 4 |
| PID 752 wrote to memory of 1276 | 752 | voiceadequovl.exe | 30 | 4 |
| PID 752 wrote to memory of 924 | 752 | voiceadequovl.exe | 32 | 4 |
| PID 924 wrote to memory of 1504 | 924 | cmd.exe | 34 | 4 |
| PID 752 wrote to memory of 1476 | 752 | voiceadequovl.exe | 35 | 4 |
| PID 752 wrote to memory of 1560 | 752 | voiceadequovl.exe | 36 | 9 |
Processes

Process tree (indentation gives the parent/child relationship; the -ENC arguments are UTF-16LE base64 and their decoded form is given beside them):

- C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe (PID 940)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe (PID 1688)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe (PID 752)
      Command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1276)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
        Decoded -ENC payload: start-sleep -seconds 35
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe (PID 924)
        Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        Decoded -ENC payload: set-mppreference -exclusionpath C:\ (adds a Defender exclusion for the whole system drive)
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1504)
          Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          Decoded -ENC payload: set-mppreference -exclusionpath C:\
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe (PID 1476)
        Command line: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        - Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe (PID 1560)
        Command line: C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        - C:\Windows\SysWOW64\Wbem\wmic.exe (PID 1472)
          Command line: wmic os get Caption
        - C:\Windows\SysWOW64\cmd.exe (PID 1576)
          Command line: cmd /C "wmic path win32_VideoController get name"
          - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 936)
            Command line: wmic path win32_VideoController get name
        - C:\Windows\SysWOW64\cmd.exe (PID 1404)
          Command line: cmd /C "wmic cpu get name"
          - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1528)
            Command line: wmic cpu get name
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 289.8MB
  MD5: d1bb9951b974182d842ca4668d2605a0
  SHA1: 9906add9dc0bcd70d267fc89a26db22b6b628cea
  SHA256: ae0400fd611c70fe3344bd14a5e503bfdb962789735a215df0004bea5585f426
  SHA512: 8da7fa2fdd2029e72b95a042d7bbeba8f12a0d3f5dc9b43f7bcec08df3fd4fb58d4629951c9520311180f6607019836d0c931a1bf1d66f535f6c8ec1937c45f4

- Filesize: 365.5MB
  MD5: ba50f2bca86ba947a8d2035bb9b35123
  SHA1: a542b5c5d41174dc2475a219978123b7d14f958f
  SHA256: 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
  SHA512: 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 5c7046f81ca4d097870a3dfd4d1c7e33
  SHA1: 9f45c44d212763273b44642e6457bdb9a7419fe2
  SHA256: ad0a6b05cf451e9b3bbb9bc9e1838c4da277eaf5874d5b691c135e3fee9caf14
  SHA512: 21b790fcea5cd5707a707e5a7b52f72f5eb04402112199c8da246d3962999f8c6b094aa9d0f1a4d17dceeb533d97c701e3c50a378f891466b297470215d21104

- Filesize: 257.5MB
  MD5: 1196f6681f430b8d1838215ca9028834
  SHA1: f21a68dcdc5bae179deb9f66648a033b9b18fc25
  SHA256: 797ec079fdb06c02ca0cdcd64798714b86931d10a15f3421fa36edff0f4af234
  SHA512: 9ae96380e3cb9e27e3cc99971391886a553080b14aae3d51cf07a396a94693f91cbe6619def229dbe89fb4e6a588038b3fb326bf8070558d7159391f88699d73

- Filesize: 258.2MB
  MD5: f54f9fa91a40555f0383a57c29653dc2
  SHA1: 796ddd59c3fc68de0a22ed0ff17d0ee52728043b
  SHA256: ea18787c42cbdb469079866629d3b6e76ff95540205b2c5d8c68d5a866cbb6c2
  SHA512: 61f6e3d5992b153694517a0802d816fa2ce489f94991517e08cd17db5559183d429488489b0d68b6c841ee3d03e036ac8690ade4dae273e9be23e4013cc14765

- Filesize: 71.5MB
  MD5: c4f9ddb41f0e151291cc4c64160b0b40
  SHA1: 31806f4065b67b185941bf85fde9962c01bcef16
  SHA256: e44a2aca9b8826caff1aa8ec8fec8543e29be2d472592b0032c5d7d8c5f5b180
  SHA512: 637b36c591f72dc3fa8e3b7f6c133b3561c17329a5199a1bff8a2d131becaeb83eb43c70f3ac2818beeb9b228903702e75b9a971dc94c3fa9efa09a9a7a7eb77

- Filesize: 62.9MB
  MD5: da59dc27cccc22c35e31549700521808
  SHA1: 318853be177f64b01d36ad0f3dab8831a5166a5d
  SHA256: a3dc04ab507fe0f8e759d7ae83386a4473b1369411c5caf5868738cb07c5baa7
  SHA512: e3cdd3178d6c7b57c66ae9de735f49ae502d270f8a5b20654cc2b46ab3278b3c5f78c1686711f3c2af4606a9d1f3f606c6d123dd90d95ef3d5923877f3b29436

- Filesize: 262.6MB
  MD5: 74d24145c9ddcbd9b5c7c1c411da96c7
  SHA1: 8709e56ccfccd1be5f805b11808efe343dbdf8fc
  SHA256: b3b82ebc50def11ea608b81bd89371c1cdddf0cef6478137a61517cba3cd17f8
  SHA512: 6078731d0f16881f63d119e92c14e149a28bd7800596883543132e6b76f2b24ae7cd47fbb914e357bb3b346d7f5e76cad1037f858416aad8ff6e570b79cf983e

- Filesize: 265.5MB
  MD5: 1445a9acddfea5283a8da65c2857aeb5
  SHA1: 15fe82df0b2e43d79bc7e4def25dfde2fe901673
  SHA256: e37453da3748110b2fb9e1a4168aa8ba907370cb49971251a3cff62c88b0b869
  SHA512: caeeeb6bf84f45bf42cbd1606a85d30cfc3081092b9162c80bfc4705350e80ba159d915765845fcde15b78837bc7a76bb63e6abe91d343e18fbd118fbaa2488b

- Filesize: 248.2MB
  MD5: 7a3758bfee88492b2b80c9255a1cca54
  SHA1: b76f8295d1b6aa8c49583b5f839b68dbab875358
  SHA256: 4e8a2c284d612c3aa434b0a4ed25dd23fc9de8e897eecf347444641132d74676
  SHA512: 3964bd4553814c8105d9ee201e347d76ebdf106229a929e77e5a0942621cfc2a12af43fac83948df6b45f3d8ff8ff882e35e9327c3d0d4931abc439bc372e7e2

- Filesize: 254.2MB
  MD5: 8968fbd2ead02dd325159bb6b66b0196
  SHA1: d64c4d4e25fc74d6ee623c9c5ad2df5fc09c8ef2
  SHA256: 7c67f2b2644b955dbaa72cfa51323268af25ff901e92fe6df9fcf0db75f28374
  SHA512: 49de72722f466d9f6fc58dd71784fa2583277fc646da3ed866d99dfb8b04ea4d97140d1ce98c465170d67a5f6686688aa4b09adb34d020eb592ea9a72aa88df3