purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Analysis

max time kernel
128s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-02-2023 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1640-66-0x00000000064F0000-0x0000000006890000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1988 voiceadequovl.exe
1640 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1988 voiceadequovl.exe
1988 voiceadequovl.exe
1988 voiceadequovl.exe
1988 voiceadequovl.exe

pid	process
1988	voiceadequovl.exe
1640	voiceadequovl.exe

pid	process
1988	voiceadequovl.exe
1988	voiceadequovl.exe
1988	voiceadequovl.exe
1988	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

692 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1640 voiceadequovl.exe
Token: SeDebugPrivilege 692 powershell.exe

pid	process
692	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1640	voiceadequovl.exe
Token: SeDebugPrivilege	692	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 1988	1692	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1692 wrote to memory of 1988	1692	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1692 wrote to memory of 1988	1692	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1692 wrote to memory of 1988	1692	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1988 wrote to memory of 1640	1988	voiceadequovl.exe	voiceadequovl.exe
PID 1988 wrote to memory of 1640	1988	voiceadequovl.exe	voiceadequovl.exe
PID 1988 wrote to memory of 1640	1988	voiceadequovl.exe	voiceadequovl.exe
PID 1988 wrote to memory of 1640	1988	voiceadequovl.exe	voiceadequovl.exe
PID 1640 wrote to memory of 692	1640	voiceadequovl.exe	powershell.exe
PID 1640 wrote to memory of 692	1640	voiceadequovl.exe	powershell.exe
PID 1640 wrote to memory of 692	1640	voiceadequovl.exe	powershell.exe
PID 1640 wrote to memory of 692	1640	voiceadequovl.exe	powershell.exe
PID 1640 wrote to memory of 1580	1640	voiceadequovl.exe	cmd.exe
PID 1640 wrote to memory of 1580	1640	voiceadequovl.exe	cmd.exe
PID 1640 wrote to memory of 1580	1640	voiceadequovl.exe	cmd.exe
PID 1640 wrote to memory of 1580	1640	voiceadequovl.exe	cmd.exe
PID 1580 wrote to memory of 1852	1580	cmd.exe	powershell.exe
PID 1580 wrote to memory of 1852	1580	cmd.exe	powershell.exe
PID 1580 wrote to memory of 1852	1580	cmd.exe	powershell.exe
PID 1580 wrote to memory of 1852	1580	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
5⤵
PID:1852

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1896

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1320

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1544

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1612

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1864

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1676

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1764

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1780

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:816

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
4⤵
PID:1532

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
66e92e5cdbb6ef6542c90e2f3d65ad3b

SHA1
aea3bee89e770186dd50baa7c4230d98e7e4c5a9

SHA256
b42765877cffad52137eb905bfc8fd1d44d4c430b488c1fe6af3c2d5933b13f3

SHA512
7510f86d126ffdbd1a0c023d20a92cf694a37ddd73064e9993e3aba195bc874324f239d663209fb1b1cc46c933c8afec42c949945458f9e7fdaf0ab6fa0068d0

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
227.6MB

MD5
c4f8c24640c651297f65869eff0141ce

SHA1
96ae4106105cda8d39416bfead10790150c70c9c

SHA256
d6f38615c9b9fc974faeb9a1a58043bb1a0da8333a5ffd94477bf9edeb3c2656

SHA512
39fcc108b87fc8ebc80c7827a3c9abba685dc2b045192c16e385d47b0d3b5c7967971699f972beff3ab2304fdf828e99e7071b6f41910a8d19b4e29528786bd2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
207.1MB

MD5
a98db3b33af7192de478bea56e57e5f0

SHA1
9eb877203f64de55a1dd862404ad1378e431750f

SHA256
53219454abd7dbc9fc8f7a9352bd213be3dd75122573420d912ee0faace1ed14

SHA512
3a32bdf07ccc76b4874b253794c020e9513f7a0d1298a4b386034e229aab70fc00458c0e9782bf4a417036780c4ad706c419aa1083f4906478c6fa5b32085f40

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.6MB

MD5
f35ad6c2339911a55f85ee0dff946ae1

SHA1
359896ff1ec651fa700b0e245ed0bc14427cf72f

SHA256
5b39b4f886d8e3f2bca91c2d10a588a3d07015c736b8b44041dae20348c7e9e3

SHA512
b121f48cb282bc80f395c8bd6602379fc36752566cdd10a8e4b5f8b4eeac94b079a5986539f32efaed846437c1d476c624397687f61f7b88c22801c5b37cde55

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.6MB

MD5
f35ad6c2339911a55f85ee0dff946ae1

SHA1
359896ff1ec651fa700b0e245ed0bc14427cf72f

SHA256
5b39b4f886d8e3f2bca91c2d10a588a3d07015c736b8b44041dae20348c7e9e3

SHA512
b121f48cb282bc80f395c8bd6602379fc36752566cdd10a8e4b5f8b4eeac94b079a5986539f32efaed846437c1d476c624397687f61f7b88c22801c5b37cde55

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.6MB

MD5
3b50ae8b2de611bac5f7c4d88e9fe1b1

SHA1
6fc92ad97bfbaff0164f47a39da794ecb63475e4

SHA256
feff2f2ba3d886b8b3b79a468024368d16a42365952c250ac8ad5e3fc7504d06

SHA512
c18c2107b9bf87dbe72061819f0f5b680664b9375a143a17b912d1caf0c3a744fc31247b0dbb29f1d885d2e10d404e6b7154079a57ec560fbd97a6de8469668c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.1MB

MD5
c8099edba5c53c83ac5fa1292ef1b182

SHA1
89d84a04420317d342b09ba95ebce074240bb2e5

SHA256
ba9a41115572d34af80ffd69d48088521fb6760919facbb08d9df9f8340acd36

SHA512
04a832dfc26a47ab62e278c5021099ef2762266690ab35f610e5bdc4b43f35bba0b4600219f3bdcda5f5fa9f42c104f97f9d8af89c95635adb9babdfcae85e94

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.6MB

MD5
3b50ae8b2de611bac5f7c4d88e9fe1b1

SHA1
6fc92ad97bfbaff0164f47a39da794ecb63475e4

SHA256
feff2f2ba3d886b8b3b79a468024368d16a42365952c250ac8ad5e3fc7504d06

SHA512
c18c2107b9bf87dbe72061819f0f5b680664b9375a143a17b912d1caf0c3a744fc31247b0dbb29f1d885d2e10d404e6b7154079a57ec560fbd97a6de8469668c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.2MB

MD5
b90a257eb7aee43fa47bc6f9e50a51e9

SHA1
2f67a8383e8a0c2c606e03bfe6591b1d061c31d9

SHA256
90efe8322c079f11fd98413dd61020b6f758d4902ef0d81f140510c3823db604

SHA512
97e2224f7bc773595e634bfea06b0abdcf93c4f89463daad55960af13d8782809b4e297f029ea19f44cf306b6cebeb4491f98b4b92a3934b3701ff64fda3e8b3

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.6MB

MD5
3b50ae8b2de611bac5f7c4d88e9fe1b1

SHA1
6fc92ad97bfbaff0164f47a39da794ecb63475e4

SHA256
feff2f2ba3d886b8b3b79a468024368d16a42365952c250ac8ad5e3fc7504d06

SHA512
c18c2107b9bf87dbe72061819f0f5b680664b9375a143a17b912d1caf0c3a744fc31247b0dbb29f1d885d2e10d404e6b7154079a57ec560fbd97a6de8469668c

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.5MB

MD5
f704542584301b309c0407d5a33dfea6

SHA1
04059d5f7f8318a0e238dc713337256ba41a11f3

SHA256
e7b8b83432f807f713bce57f1e33c387874eeebba9c40dffa76fccdadcc1e4a3

SHA512
8e2f209e36b46d3185a83b839cf78ece88aafe850f92099a86950dec005e19b639f5879a88373c2a97b417a120587d7db7cab0b463404bbc0c80b26f8b98abed

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.5MB

MD5
f704542584301b309c0407d5a33dfea6

SHA1
04059d5f7f8318a0e238dc713337256ba41a11f3

SHA256
e7b8b83432f807f713bce57f1e33c387874eeebba9c40dffa76fccdadcc1e4a3

SHA512
8e2f209e36b46d3185a83b839cf78ece88aafe850f92099a86950dec005e19b639f5879a88373c2a97b417a120587d7db7cab0b463404bbc0c80b26f8b98abed

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
23.5MB

MD5
0c6569f40d1a9aa932e99bb28b309e6e

SHA1
05ed9b7fbf4040f02e519b3845584409a92f451f

SHA256
cde6d1425a461c45ac289e39e9b791da97f8db3d0a7e0b52cca9c23caa72963b

SHA512
cf5fb05bbf99d00485cf14ef43346bd16d8f36ae98d4405c7797645e2cd787881547b4edfbf553e244d0c9284e5aa756b972969446c8146771d3e26f795de2b8

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
232.5MB

MD5
d3eb51cf584228e2c204b521808e9844

SHA1
a3aa67e0d1a47f7a6fddb1b88ad646399eb45be2

SHA256
c81a2751f3fe00589e4f94271b3fb3082245b3f640b720e8ec5e009eac566547

SHA512
2c534bf7bea4fedc9b7305175301f81439436edae246c3300b369daab5eb7a5384b53114bebe49c57193676d742090c6ec1c3e65a343bb0a381dc5de752d6a9e

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
215.4MB

MD5
58b6f197adf488f625338d6e5333c9be

SHA1
65cde9ed3ceebffc4d58cacb8a83d3833bd37093

SHA256
eda19f108d11dc7a3262436934a11d1c086ada55e71f18ffcaf61c4ea0c9479c

SHA512
29a522912581d1ad0768f80d54aa43da677e59ad600e7b3de69cd0ad18b3117acc79e638335a2c539780db351c03d600be602f0c9412beafead8fc14f9b8f170

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
209.7MB

MD5
87da05817c96a0e43d3fd217bd55d487

SHA1
113729e74392904cf784f75d51ff45ddf0bab5af

SHA256
2c09df05726f5792bf69f357b25babb5e9fff0b2c6aa7a8ac07c3e558221d152

SHA512
6926c45427a4167205dac17f516e5a756b9580bae3044f6616efe7ebbd9e8c426ef9d605da66e42da1c85351f1e8541aef1373c1a6f4a0d52b279d72dc58a518

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
230.8MB

MD5
24b2572aa4ca2b2954b72e83ba3afdee

SHA1
0e9b7d20b40208973cab1e06928d74f4399949bd

SHA256
d3eaa9746df5023d571a896d56eba79cd9193d836e04dcccbf40d61a72cc66df

SHA512
e122bd9371e21264aa93449450fa6123fa690465c8fa4f805415c00f8a7edc8a28a49a9bfcbb9c6370f1b54c133eac1d82ea8f2808600a7d155d6caa88f05343

Download Submit
memory/692-71-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/692-69-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/692-67-0x0000000000000000-mapping.dmp

Download
memory/692-70-0x000000006FED0000-0x000000007047B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-72-0x0000000000000000-mapping.dmp

Download
memory/1640-62-0x0000000000000000-mapping.dmp

Download
memory/1640-66-0x00000000064F0000-0x0000000006890000-memory.dmp

Filesize
3.6MB

Download
memory/1640-65-0x0000000000370000-0x0000000000AE4000-memory.dmp

Filesize
7.5MB

Download
memory/1640-74-0x00000000054E0000-0x0000000005652000-memory.dmp

Filesize
1.4MB

Download
memory/1852-73-0x0000000000000000-mapping.dmp

Download
memory/1852-87-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/1852-88-0x000000006FC20000-0x00000000701CB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-56-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/1988-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads