purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1920-66-0x0000000006380000-0x0000000006720000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1348	voiceadequovl.exe
1920	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1348	voiceadequovl.exe
1348	voiceadequovl.exe
1348	voiceadequovl.exe
1348	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
812	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	voiceadequovl.exe
Token: SeDebugPrivilege	812	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1348	1808	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1808 wrote to memory of 1348	1808	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1808 wrote to memory of 1348	1808	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1808 wrote to memory of 1348	1808	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1348 wrote to memory of 1920	1348	voiceadequovl.exe	29
PID 1348 wrote to memory of 1920	1348	voiceadequovl.exe	29
PID 1348 wrote to memory of 1920	1348	voiceadequovl.exe	29
PID 1348 wrote to memory of 1920	1348	voiceadequovl.exe	29
PID 1920 wrote to memory of 812	1920	voiceadequovl.exe	30
PID 1920 wrote to memory of 812	1920	voiceadequovl.exe	30
PID 1920 wrote to memory of 812	1920	voiceadequovl.exe	30
PID 1920 wrote to memory of 812	1920	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      PID:960
  - - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
      4⤵
      PID:304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.8MB

MD5
f580ae4f52d50675a416c06ddc76e7e2

SHA1
fcbf8abffc071fef56604a3f7b056dc1504cc8ac

SHA256
b0fe4dc11d8daec1638b70150526930d8c6f9f37bd667e1570d748360ae5ab84

SHA512
2faa37de4d966b74b56a88e3d4b93725874123c3c112f5ed0527c1f260e2e93dd483f58553d53432fefe7082136ae2244aa3be9429ca3e4d1a42beb9f4c2fb9a

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
270.4MB

MD5
bf3db2e9927582ffef71c73971c1e1f5

SHA1
5a363066472077fcc5cbcf44a8f59f7f5d658718

SHA256
b3b1644f8b88bb46b52ff24e981b6e147b4d1e44b93ee59487c3e8479ebe4337

SHA512
a5648d89216ea1d7d5b52d1b2da32043a21c2f3d1f77f3c380fc8618c6421f7bb1c63474981439901f4c744d7dbd9c380fbe51e88573b38eb150c1ffd3716fb0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
266.4MB

MD5
3126aeea44fc047cda1a8692682ffbe9

SHA1
f3b99953b063e98d1c9e87dc40dbce26e366f546

SHA256
432ec4678a667f5e381ad7b24bee3a0794327455c307a271b4d8d59a72539126

SHA512
061098b8911d14589ab945cf6f99f3b31e30cf07061518de93766c15401a400eecb752f716b17957d3a7b61976bafbfb54dcd94f100d4696ed42277f220b9471

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.0MB

MD5
d9b638d8871fdd7212f34b2c281f4394

SHA1
572cb1bf459e57618cabdcef0545bb864e68dca9

SHA256
0da5cc14c8250268a0060f217ce9c7ffa314695d6d84e26cc8b2cf2156026c88

SHA512
5b01a7c74c4866f0b72383499bc3cdad4fad22f6f2840ace5cbea2c62c8d32a68ee231fcabbb08c58e00c6aec037f46d92aa28c67ca908b6150d42188008fa80

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
256.4MB

MD5
6175cf92c8b53e7178a0e756e5395926

SHA1
3f5156c37613bb3b56bb98bd6f26c5867cf2d138

SHA256
1268d6a4e92805fbbc38151295ff9542654fd077ccc0e01165f3b3417af155d4

SHA512
4edcdc27ca3daeb41d6d6aadca05a6c3ec401722457f223024edc923aab206a3d9aef3041b62bce4882170caa0a9a4a7b6108dc611709b4c89411000648282fc

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
284.6MB

MD5
20d6a2d41b5fdf8ef904f3593fa0a7c8

SHA1
d89b7d11f5e2bc10602e81becdedaf0f8e3079bd

SHA256
061935701ec0ecda4c437e6a441309afe3c3bb746eb776f550d5f873b2ca5eab

SHA512
0df9db5a283530713c56ce938392131d128a03822172372a6ef2e47e060f3b4231810f7e3383772da3fbb409eb58d732ed1977394b200d6a4bdd5e2ad5137561

Download Submit
memory/812-70-0x00000000701F0000-0x000000007079B000-memory.dmp

Filesize
5.7MB

Download
memory/812-71-0x00000000701F0000-0x000000007079B000-memory.dmp

Filesize
5.7MB

Download
memory/812-69-0x00000000701F0000-0x000000007079B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-56-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1920-66-0x0000000006380000-0x0000000006720000-memory.dmp

Filesize
3.6MB

Download
memory/1920-65-0x0000000000CE0000-0x0000000001454000-memory.dmp

Filesize
7.5MB

Download
memory/1920-73-0x0000000005370000-0x00000000054E2000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing