purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/948-66-0x00000000065F0000-0x0000000006990000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1572	voiceadequovl.exe
948	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1572	voiceadequovl.exe
1572	voiceadequovl.exe
1572	voiceadequovl.exe
1572	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	voiceadequovl.exe
Token: SeDebugPrivilege	1528	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 1572	1080	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1080 wrote to memory of 1572	1080	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1080 wrote to memory of 1572	1080	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1080 wrote to memory of 1572	1080	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1572 wrote to memory of 948	1572	voiceadequovl.exe	29
PID 1572 wrote to memory of 948	1572	voiceadequovl.exe	29
PID 1572 wrote to memory of 948	1572	voiceadequovl.exe	29
PID 1572 wrote to memory of 948	1572	voiceadequovl.exe	29
PID 948 wrote to memory of 1528	948	voiceadequovl.exe	30
PID 948 wrote to memory of 1528	948	voiceadequovl.exe	30
PID 948 wrote to memory of 1528	948	voiceadequovl.exe	30
PID 948 wrote to memory of 1528	948	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
208.4MB

MD5
8bc63d39cf1f0d0e3a465e5245f5188c

SHA1
ce945ce50c4e1919412fcdd907b67f3a4c02e37b

SHA256
cd7a83524b58cfadd696c5cc0c9638f065d698628d484234cfa9a271dbc3f000

SHA512
2d531c0cd82877ee493d64ac9f9e61c198d8113f4ad8228344552057494d4319a53054a802b8e89a0bd558a59a419adc69e7347d07adaab02b2f2ae8e2982606

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
208.3MB

MD5
ea1da7f792c53a2f77da2d7de436a73c

SHA1
ce84ffe8579f67037931bcc393c483f66f0fa4da

SHA256
3cd62b226c383ab1ea89fce01e5a795e672ea9771181ada14ca7ba0403a7e95a

SHA512
08454b30f36c0289f1034ba831dc00005255fa58b5c902e6dc5228cc1fa377751d92016df82eac24f22dfc86e298d150f37051db9afff5a97c837ab7ccd7ce22

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
214.4MB

MD5
021bdcbd54c3c3cf3c3812fd7ff42d80

SHA1
c2c88e275c4635d07bc93315930e4d77d9a1e9fe

SHA256
7809ed75ce7f856a0581c29b202fc237d7384afdb076004231b71a46b46a6036

SHA512
5bb7751abecffbe182f639b0236ce554b5fb516ff1fd41c157e05d6819f369c2df5ca053b93d3a6967ad25ea4904cbd1086d87d5814e583e4bf5e86dfb4a7e75

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
219.0MB

MD5
673a4ee4e192fe58e1684e000fea595a

SHA1
ddea61c8f32fe3b7ef46cd79b3f256a629eee018

SHA256
5346f94b97ca481bf8fcffb81bad7bcfe9fb7d899ad11fc913151af2afeb9c02

SHA512
89930abb8363c6e7f63b90756accce633876aadc9be79669d81d72d7e511d25af5ca21df505f0a0f69225c04f1fe395ca363d2662e7b043b458124b3c49d3fc3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
215.5MB

MD5
d3010a47afa389fe96aac550a2b6dc75

SHA1
a3408ae261ba5be7e43e86ef6882b213afdf02f0

SHA256
9e9d0cdce592ffc4c00bbec860d481db58bd8455b18d7784ee720d8f18e83fe4

SHA512
3f2eb21219207183d4451c96f50792958b4aba79fa07b90acbf47f4d6f63e36bc0852a81a82c0a06b46db3cfc9090712f2d65e083da5ad5ebbefb6d6db946bf2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
211.8MB

MD5
a935323b5fd7470f3f3b4b9e594c8fb9

SHA1
4e963e74861923b9c371d54f55cb7b9447de9a41

SHA256
845fab42a1deb0542e887f95e6e9b2f3eb8aa6e05f48ea2885f54ab7573f38e6

SHA512
d865675792acec056adbf95e9e7af8a619e04cc87dcd2059a7cb1cd9e6a81577d5edf35878819c331bd10908e40504de9e9ed01357d7be7a4367efa577f00b2b

Download Submit
memory/948-65-0x0000000000BE0000-0x0000000001354000-memory.dmp

Filesize
7.5MB

Download
memory/948-66-0x00000000065F0000-0x0000000006990000-memory.dmp

Filesize
3.6MB

Download
memory/1528-69-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-70-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/1528-71-0x000000006F9C0000-0x000000006FF6B000-memory.dmp

Filesize
5.7MB

Download
memory/1572-56-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing