purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1520-66-0x0000000006610000-0x00000000069B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

880 voiceadequovl.exe
1520 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

880 voiceadequovl.exe
880 voiceadequovl.exe
880 voiceadequovl.exe
880 voiceadequovl.exe

pid	process
880	voiceadequovl.exe
1520	voiceadequovl.exe

pid	process
880	voiceadequovl.exe
880	voiceadequovl.exe
880	voiceadequovl.exe
880	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

636 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1520 voiceadequovl.exe
Token: SeDebugPrivilege 636 powershell.exe

pid	process
636	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1520	voiceadequovl.exe
Token: SeDebugPrivilege	636	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 960 wrote to memory of 880	960	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 960 wrote to memory of 880	960	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 960 wrote to memory of 880	960	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 960 wrote to memory of 880	960	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 880 wrote to memory of 1520	880	voiceadequovl.exe	voiceadequovl.exe
PID 880 wrote to memory of 1520	880	voiceadequovl.exe	voiceadequovl.exe
PID 880 wrote to memory of 1520	880	voiceadequovl.exe	voiceadequovl.exe
PID 880 wrote to memory of 1520	880	voiceadequovl.exe	voiceadequovl.exe
PID 1520 wrote to memory of 636	1520	voiceadequovl.exe	powershell.exe
PID 1520 wrote to memory of 636	1520	voiceadequovl.exe	powershell.exe
PID 1520 wrote to memory of 636	1520	voiceadequovl.exe	powershell.exe
PID 1520 wrote to memory of 636	1520	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
226.4MB

MD5
f1f43f2d783500d814097de5f254f285

SHA1
c1cde86349a00b5014d661baa2b4719db5aa79cd

SHA256
a60d51b5b3ffce32dc18529eb1f6da4598f45ab7ba5a33c9ee2f2ff5d9688d22

SHA512
0ed441c266b576e42b4beb0ab2f81ad8a35707c50286a4f15020bba2d60eeed2999b8e9693b37925b677b501b39bb3337d1fe2a5fc6fcb3a745cdd95bee1aed8

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
228.7MB

MD5
23911db7c22df976d1f6cf5b7368a3ea

SHA1
fd2cb2944adc520d2e3b013c1800b74aa797c231

SHA256
b8c48db744c06e0a8498e65ccca875c568d857ee5b38bc3e8b45250453a8552f

SHA512
7db86fbd00b145a414d134a1cb0e5c044e50a75321071ec17fa1976bf2238694216935a6b5f54dc27412e99d5e83fb02568febc44d692d5a28b2a14519d381ed

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
232.6MB

MD5
b962ba4b520e9c0428b74a379b57a164

SHA1
159c7416b3e93e22964a918cbc8a99289392ed81

SHA256
8893107a72f6b30bf5ef99fb5cab8e7adbc8f60a8fdb51bc299b7567e5cbf4e4

SHA512
1a4ad9a8e94e798994aa805981aa3a6a30316ad8d4fb2dbf579e6bce2e1a64868b81ce26364d65da033e3672894834a223f361343f3866b4d7d71980933116ba

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
244.6MB

MD5
3da027f7651afd68af397458748c324a

SHA1
672398295ef4221abd574d28e77db588c3e6db47

SHA256
fbcab7c3924c867ee263d5c86c41f04c93aaa41b09766b081610286df3158a41

SHA512
98352fb825b751fc4fe96f2f30d246e8dd8ecce5d1f001da15b3bc2f96cf273813ad114f4f286ab7225a8990f4b25506f8f0f9398370922e560b3bea5dc6fe69

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
239.2MB

MD5
dd6347f6cbdb716d1f349d006211b186

SHA1
7ed52731779fcfeba1e5e5ccb9ac356874275db9

SHA256
0993a664820ce6c1974c264bd515e7bc0b5171cdc07f430055daa79347b35860

SHA512
fdf6af282c3359bcd6346b6fa35dbd4bec81b8df6d2426f79228e357cd30cbdbbdb985adfd38b2dd771fbd01369e4aaaa47dc5a66c96f56f3a8ccae6be398874

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
226.3MB

MD5
8594f5b69c6e88150a86beaa456e74a6

SHA1
4f2ca01c37381494f547b7e8f915bab450e4b61d

SHA256
088a474e61cb61dea884589e8b161c87102b4f531d89ecd16a7ddbd9dd1dbf5e

SHA512
093402b503790998de21b5ecaf77085e3c974ff4ef1db65870c108c8f9df3a71c671b99fd40e13b554ae115e03c7e343abc51a167f42f6caa0066f23cde46fff

Download Submit
memory/636-67-0x0000000000000000-mapping.dmp

Download
memory/636-70-0x000000006FC80000-0x000000007022B000-memory.dmp

Filesize
5.7MB

Download
memory/636-69-0x000000006FC80000-0x000000007022B000-memory.dmp

Filesize
5.7MB

Download
memory/880-56-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/880-54-0x0000000000000000-mapping.dmp

Download
memory/1520-62-0x0000000000000000-mapping.dmp

Download
memory/1520-66-0x0000000006610000-0x00000000069B0000-memory.dmp

Filesize
3.6MB

Download
memory/1520-65-0x0000000001380000-0x0000000001AF4000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads