purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1700-66-0x0000000006510000-0x00000000068B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
884	voiceadequovl.exe
1700	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
884	voiceadequovl.exe
884	voiceadequovl.exe
884	voiceadequovl.exe
884	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	voiceadequovl.exe
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 884	1080	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1080 wrote to memory of 884	1080	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1080 wrote to memory of 884	1080	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1080 wrote to memory of 884	1080	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 884 wrote to memory of 1700	884	voiceadequovl.exe	29
PID 884 wrote to memory of 1700	884	voiceadequovl.exe	29
PID 884 wrote to memory of 1700	884	voiceadequovl.exe	29
PID 884 wrote to memory of 1700	884	voiceadequovl.exe	29
PID 1700 wrote to memory of 2040	1700	voiceadequovl.exe	30
PID 1700 wrote to memory of 2040	1700	voiceadequovl.exe	30
PID 1700 wrote to memory of 2040	1700	voiceadequovl.exe	30
PID 1700 wrote to memory of 2040	1700	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:884
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
226.5MB

MD5
0099e0be0126d2994d15a0381712357b

SHA1
524be4c943d59133305f56546c0b1eff3a1048f2

SHA256
c3e42879fcaf298497592aea07de339e30a6fdeaa62a4d0f71edbc368f38c1b6

SHA512
4c591527048e2924efd5a15dd88350085cf47a1b1cc7d85772ebab3f70e54394210a3be97663d6773520bf99bd19501e0ad5edf477ef964e201a9b16149adfd7

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
226.3MB

MD5
8594f5b69c6e88150a86beaa456e74a6

SHA1
4f2ca01c37381494f547b7e8f915bab450e4b61d

SHA256
088a474e61cb61dea884589e8b161c87102b4f531d89ecd16a7ddbd9dd1dbf5e

SHA512
093402b503790998de21b5ecaf77085e3c974ff4ef1db65870c108c8f9df3a71c671b99fd40e13b554ae115e03c7e343abc51a167f42f6caa0066f23cde46fff

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
253.9MB

MD5
b193bd6f1fc077a192bdd9537a5c426d

SHA1
5026f88d719200e5a46f93b0aab53d84d939b16d

SHA256
d620ece026a5b89b1a8ffe2d511695d88d6d43a9e907a0ebc86d1e28c4d359e0

SHA512
1fe147aead35a41e8cef4b5b2ac4785934c36d1b01f7d91d21ba6258641bfafdae990a79325dc880d5a17669f7c15f71e91a2e383706b9908199c83761673fd3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
207.3MB

MD5
156d7736d84951c831c55868d161b8a1

SHA1
63ab65b5351942ca1460723947338b66fee2fd3f

SHA256
c1caf638dc56db139efc413bfa858f21c3893584e1b19d27141ad9092c803ab9

SHA512
696c6626d93f3077263cfdbe1e0c170e88e52762c42428404ae15dc88e21efa0c38f0d7bbe1c37e744f0081a601fe0d7be68eb330d807d12da8db345a3e3b85c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
252.9MB

MD5
a58e7414480d0ba2faee62e8e765db12

SHA1
2f605d8279d76c0ad744ee50e06b0c0ddddd21a9

SHA256
8c0aeae7d4f9ac3796aaafad78918fc916e6d700d48bf828cf84241aa3c458e8

SHA512
dc3ce0b1a2136f119076805f802272f45367cceffebb2c94a5935adc69c9618af81d822d92459f320619bdaf80bcb8188e8198748c1ef6104889bb523edebe05

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
253.2MB

MD5
6c0fd2ed5c59b4a11d0367ae09208051

SHA1
778879ed722cb56ff82236c9c8041f3aaa9d99ab

SHA256
f31001c939e65e5756240932922a867630f1596d65fe1d65e0af46d95c8b0ab9

SHA512
69f860aaa2b32bac59e4377272f826acd21a1bd83b261a3ae32e609451d2f8790b27ae0c1d7587396aecdbb5af8f394e22ddef5aa8c81669765894f7f8e8f17a

Download Submit
memory/884-56-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1700-65-0x00000000000B0000-0x0000000000824000-memory.dmp

Filesize
7.5MB

Download
memory/1700-66-0x0000000006510000-0x00000000068B0000-memory.dmp

Filesize
3.6MB

Download
memory/2040-69-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download
memory/2040-70-0x000000006FC70000-0x000000007021B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing