purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1968-66-0x0000000006420000-0x00000000067C0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1192	voiceadequovl.exe
1968	voiceadequovl.exe

Loads dropped DLL 4 IoCs

pid	Process
1192	voiceadequovl.exe
1192	voiceadequovl.exe
1192	voiceadequovl.exe
1192	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1928	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	voiceadequovl.exe
Token: SeDebugPrivilege	1928	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1192	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1700 wrote to memory of 1192	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1700 wrote to memory of 1192	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1700 wrote to memory of 1192	1700	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	28
PID 1192 wrote to memory of 1968	1192	voiceadequovl.exe	29
PID 1192 wrote to memory of 1968	1192	voiceadequovl.exe	29
PID 1192 wrote to memory of 1968	1192	voiceadequovl.exe	29
PID 1192 wrote to memory of 1968	1192	voiceadequovl.exe	29
PID 1968 wrote to memory of 1928	1968	voiceadequovl.exe	30
PID 1968 wrote to memory of 1928	1968	voiceadequovl.exe	30
PID 1968 wrote to memory of 1928	1968	voiceadequovl.exe	30
PID 1968 wrote to memory of 1928	1968	voiceadequovl.exe	30

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
225.7MB

MD5
ba9b669562cb546341c7d4385fa9089d

SHA1
be1fef2af2c3f05a74c03c6d72d665dc049bfb86

SHA256
a0f106b61c99f2a1f855cd2ea8219c911b147272cbff355b617d7988d6962a72

SHA512
2c45213930221e29e35f888bb926513184bb4bc86ccb05810468bca97a1589e7c23c7e98a2cb9d2de33fb77c443f2a0ab0f7fba00009054df8f4c65d3403f96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
357.1MB

MD5
0d75b1fef9dd4f6a8174b7d088f3db56

SHA1
55f33cdb473e2f05005f617de12f5389ab20b233

SHA256
cad40cb715a3ecb6232b05f239e232d3b7c328128ee8a3cb8e5e862b503dfea6

SHA512
bca915e1ea9e0a54c91f335c62686846b4c09f0d6d415926deb3ec3d0dd5931ef5afc3fe4b3b69bdf7cf1ad0f6cebed1c57519304da1b2fe753385c2a3581b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.6MB

MD5
5edcd39a21dc51b104cfa47768c14608

SHA1
cfb3c36f2a3642536eaa1914b75fc0b4e296f9ba

SHA256
5030e41d191b43c50d653ebd31efa9a84baa4000353cd858eac425f736171d8e

SHA512
0eba6e5a18f53e89c097947f1f8ca8720b4414153e4d68332def0ac211e95bcd3231827700047e204b8f316ee788fc628299316833405d1da289a9c183a66c06

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
271.8MB

MD5
18e22aeadea7679393d7ca47934dbc1f

SHA1
157de2a42aa246c6121a99bbe7b647bce57e62bd

SHA256
6fbaa68a70dea811b12b7a39a48ac448b0b1b411695caf032374a3ca5295bca2

SHA512
0966e5935bcf9ebcd7781ca72ffe3b3bdad6183ab706c80df35fb3e5ae806f3a9f11963d8f18b7ae9c1f9df58b1401f5e6d5b55b1114c90f454ac0fa0cc8512a

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
270.0MB

MD5
fe53929e92af69b3f4e63f5d22ba28a6

SHA1
9aa62aaa0555b638fe61c2df8c42ec6c425f47ba

SHA256
51c3b271012413afc929888a559f8fff0ce632e08356820895858ad9bd4747c9

SHA512
13728185ca5e9e6b24c5ab510b34ae35043a110fe790f739233b339efcbecc838f19b92e012103ba6c24e4dec1a9189de8c9be7d9154b88ee09224aaaade71e3

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.0MB

MD5
737903ce12ff87dc6dd0519440e35efa

SHA1
cbaa404d4b09ac3b7b1a8c2fb86271035bd9c890

SHA256
847308d56f259a7531acfb7436ba9e84e368ab314460ad257df816f92736a924

SHA512
18d51d9778dff9e72a076ecdb3f77f069a5f0b4c5726a2821a8b9a00461a16ca292a90c5f089b124d135e6d8983a93b85349a0805b420379327e19bb59da1748

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
262.7MB

MD5
4b6a9c8cebdb8049e8cdb13b0486a092

SHA1
69b2489b75cf63d5c39ece13162169e9450b1c3e

SHA256
737316c69474ab96ac81641d6270232eeb22265bb54435a6571942f151bedc17

SHA512
78bf2aa37c21cec0c2f9e4a0b7a2d29858115c2240924677cde54673d4b0c30c34f40acdc15c6255f3ffe39b2fd44aef204369af7498f2c13a1d3b35bd76a0e4

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
273.4MB

MD5
5721f444efba2950f71c9ac666d017e9

SHA1
c5c8ddeb62ff4334a5488d0a3c16b298c9679a7c

SHA256
f9eb1ba787edec568ba954d27317c139f9633b3408e50ebedcfd48f35d4f1ca2

SHA512
dc997ec98538e8f51988b3d39e2b3055aeb34d5e944dbdbb39bd2e0b423d271376fff5f79ac9a592bb87152e557c6be726d2774d1d845d957f508c20d6d54ccc

Download Submit
memory/1192-56-0x0000000075671000-0x0000000075673000-memory.dmp

Filesize
8KB

Download
memory/1928-69-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-71-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-70-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

Filesize
5.7MB

Download
memory/1968-66-0x0000000006420000-0x00000000067C0000-memory.dmp

Filesize
3.6MB

Download
memory/1968-65-0x0000000001080000-0x00000000017F4000-memory.dmp

Filesize
7.5MB

Download

Analysis

Sharing