purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/368-66-0x0000000006530000-0x00000000068D0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

1728 voiceadequovl.exe
368 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

1728 voiceadequovl.exe
1728 voiceadequovl.exe
1728 voiceadequovl.exe
1728 voiceadequovl.exe

pid	process
1728	voiceadequovl.exe
368	voiceadequovl.exe

pid	process
1728	voiceadequovl.exe
1728	voiceadequovl.exe
1728	voiceadequovl.exe
1728	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

892 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 368 voiceadequovl.exe
Token: SeDebugPrivilege 892 powershell.exe

pid	process
892	powershell.exe

description	pid	process
Token: SeDebugPrivilege	368	voiceadequovl.exe
Token: SeDebugPrivilege	892	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 1700 wrote to memory of 1728	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1700 wrote to memory of 1728	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1700 wrote to memory of 1728	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1700 wrote to memory of 1728	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1728 wrote to memory of 368	1728	voiceadequovl.exe	voiceadequovl.exe
PID 1728 wrote to memory of 368	1728	voiceadequovl.exe	voiceadequovl.exe
PID 1728 wrote to memory of 368	1728	voiceadequovl.exe	voiceadequovl.exe
PID 1728 wrote to memory of 368	1728	voiceadequovl.exe	voiceadequovl.exe
PID 368 wrote to memory of 892	368	voiceadequovl.exe	powershell.exe
PID 368 wrote to memory of 892	368	voiceadequovl.exe	powershell.exe
PID 368 wrote to memory of 892	368	voiceadequovl.exe	powershell.exe
PID 368 wrote to memory of 892	368	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
245.7MB

MD5
22818a5eafc0290cf06281e5824bd0ba

SHA1
37e437ea4e6eea70521b1e479e157772e88ad5e5

SHA256
2865446c38fe1958d177fa7706c1dfec9296d7749888d08af21d83e04ab3e04f

SHA512
30d3a4bdea4b77e11294c1ad017328e1ecb5310188e61f53bd8a53183a31331ce9fcf06256f1664cbe6ee06069aa38cf4cd12f0754e6953ec82540832b0df0b2

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
233.0MB

MD5
45d6ac8cbc12dc02852251e4fe1a6ccc

SHA1
4aa02d759d12fc9d57d436e86e60ebf012ce8a02

SHA256
b48b3b5eee41369dc624f33c3828cedff52ffd089f5d1819e07b39d6b430c135

SHA512
3a03efc7ac43b687c406dc12762968c53503e047329f7fa54293f00e27d92bf5a784aa4a8792843812565ebe8bc8d39334875f38f343234386be755b49d941ac

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
243.9MB

MD5
302bfe7274fcefc83971e0e13c6a1a69

SHA1
cff1faa03c68ebd081a7e6361b9b566eb768c984

SHA256
c7329c16a892ccc839bc1d70a4591e16dee026225d0af7e2878cdb6be505a511

SHA512
b30f2b615c1fe0045ecd5bb3d93f00b28597e60a6016d7d211e780b797d8f4ad9357c3c4c170862960273565cb7a235baeacb72947ef2c3753d72b1a8f2246e9

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
265.7MB

MD5
5bd576dc418879e5c4b36f03444c6faa

SHA1
bc160179af52918790ae84781c9cd796f007229a

SHA256
e9d6fe72219c64c03105bdadc127a176df77d03f712629af68b4bc089bdde4af

SHA512
070ef7e0280dfa0c160afe9a8cd5af208f93a56e063eb1126296f1e1127d30efb2bc8d91d7378e8caa52be37420c91e521c890782f5b9f339277a16b82388975

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
256.7MB

MD5
71fa9caf52e001c875eeacfea3dc5fd9

SHA1
2a61b5248eb52427ac053db2b949b728d150d3ee

SHA256
d9765a09ceb82b5684b2b28b9e0a249de0d29578d041c01125ddd622fb5cd3a0

SHA512
013c1229f25ec82ce116c3d26d08aa601bde554016e210ae8400b31ac28aae1ff1b75a7a8a0f98bffdd249b4b795077bab8dec1e75d0316e2018455f47978877

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
Filesize
262.8MB

MD5
93d1c1a9f605336ce0b6a71165551815

SHA1
f0139158c784bbca539e466aa704916e3e82c753

SHA256
c540b9ec30f706915e32f6822f45d5202dcd456795bf718c55842a0358526837

SHA512
8305f5a76a211158cc2fabb108caf8b8243a6afc474a64b0c7dc81b61876b3cb02cc9a59a1ea44d06a5d8024f5c8d5027902d4b7e15bf8e8fc257c71bdea8960

Download Submit
memory/368-62-0x0000000000000000-mapping.dmp

Download
memory/368-65-0x0000000000060000-0x00000000007D4000-memory.dmp

Filesize
7.5MB

Download
memory/368-66-0x0000000006530000-0x00000000068D0000-memory.dmp

Filesize
3.6MB

Download
memory/892-67-0x0000000000000000-mapping.dmp

Download
memory/892-69-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/892-70-0x000000006FFC0000-0x000000007056B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-56-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1728-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads