Malware Analysis Report

2024-11-30 21:51

Sample ID 230205-qpsyyahf88
Target 5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Tags aurora persistence stealer purecrypter downloader loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

Threat Level: Known bad

The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.

Malicious Activity Summary

aurora persistence stealer purecrypter downloader loader

PureCrypter

Detect PureCrypter injector

Aurora

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-05 13:26

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-05 13:26

Reported

2023-02-05 13:29

Platform

win10v2004-20220812-en

Max time kernel

136s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1520 set thread context of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 3044 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 3044 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1116 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1116 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1116 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2096 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1520 wrote to memory of 972 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 972 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 972 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 972 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 972 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 3140 wrote to memory of 3652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3140 wrote to memory of 3652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3140 wrote to memory of 3652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 972 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(the -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 35)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(the -ENC argument is UTF-16LE base64 and decodes to: set-mppreference -exclusionpath C:\ , i.e. a Windows Defender exclusion for the whole system drive)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(the -ENC argument is UTF-16LE base64 and decodes to: set-mppreference -exclusionpath C:\ , i.e. a Windows Defender exclusion for the whole system drive)

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
NL 95.101.78.82:80 tcp
NL 95.101.78.82:80 tcp
NL 104.80.225.205:443 tcp
US 52.152.108.96:443 tcp
FR 51.11.192.48:443 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp
DE 45.9.74.11:8081 tcp

Files

memory/1116-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba50f2bca86ba947a8d2035bb9b35123
SHA1 a542b5c5d41174dc2475a219978123b7d14f958f
SHA256 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5
SHA512 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

memory/1520-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 14a9737eb666769fee7c28a00eb14e82
SHA1 ab8f2279f13a546fc32233a4da0855660fb07ec0
SHA256 a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a
SHA512 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7

memory/1520-138-0x0000000000540000-0x0000000000CB4000-memory.dmp

memory/1520-139-0x0000000006C00000-0x0000000006C22000-memory.dmp

memory/3408-140-0x0000000000000000-mapping.dmp

memory/3408-141-0x00000000048C0000-0x00000000048F6000-memory.dmp

memory/3408-142-0x0000000005030000-0x0000000005658000-memory.dmp

memory/3408-143-0x00000000057D0000-0x0000000005836000-memory.dmp

memory/3408-144-0x0000000005840000-0x00000000058A6000-memory.dmp

memory/3408-145-0x0000000005E40000-0x0000000005E5E000-memory.dmp

memory/3408-146-0x00000000074D0000-0x0000000007B4A000-memory.dmp

memory/3408-147-0x00000000063B0000-0x00000000063CA000-memory.dmp

memory/2096-148-0x0000000000000000-mapping.dmp

memory/4024-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

memory/972-151-0x0000000000000000-mapping.dmp

memory/972-152-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 e2b04059ec1f9af389790512f6d61674
SHA1 41e843a820d7afa5665d2effaf8c8cbe341a72e0
SHA256 c2a2399725d50f1ae447ebac131cf80c6fc8df1d6220f472a09bb947fb9cda3e
SHA512 027768ba7ecede5cb8f313f6598f1f60b1dab306741141995e5c9b13c9a8ebb303c7984c9d7e8797d404fab4976a364f98d59866d63e1102a0dc1f7873b9ceec

memory/972-155-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 98c20d2300f2c23d286d322c3fa36f16
SHA1 1b0c3011660d9ffa4012dfaf76897c7810353898
SHA256 f9e88987e7933aff48a5a72382dcb70875e207d587e69aba40a44af5ac4bc147
SHA512 f366fbabf8fd250b6cf7a95f26552d046d01bac693c218b99ade0dcefb97962f86d5d4dd6dd241d3d8ab1dcb278590ddd893ebb0e6ee0d746aab5e8f3f48a9d8

memory/972-157-0x0000000000400000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/1824-159-0x0000000000000000-mapping.dmp

memory/4024-160-0x00000000064A0000-0x00000000064D2000-memory.dmp

memory/4024-161-0x00000000752A0000-0x00000000752EC000-memory.dmp

memory/4024-162-0x0000000006480000-0x000000000649E000-memory.dmp

memory/4024-163-0x0000000007290000-0x000000000729A000-memory.dmp

memory/3140-164-0x0000000000000000-mapping.dmp

memory/3652-165-0x0000000000000000-mapping.dmp

memory/4024-166-0x00000000074C0000-0x0000000007556000-memory.dmp

memory/4484-167-0x0000000000000000-mapping.dmp

memory/3324-168-0x0000000000000000-mapping.dmp

memory/4024-169-0x0000000005D40000-0x0000000005D4E000-memory.dmp

memory/4024-170-0x0000000007420000-0x000000000743A000-memory.dmp

memory/4024-171-0x0000000007400000-0x0000000007408000-memory.dmp

memory/972-172-0x0000000000400000-0x0000000000731000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-05 13:26

Reported

2023-02-05 13:29

Platform

win7-20221111-en

Max time kernel

149s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1700 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1700 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1700 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
PID 1192 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1192 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1192 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1192 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
PID 1968 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(the -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 35)

Network

N/A

Files

memory/1192-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 ba9b669562cb546341c7d4385fa9089d
SHA1 be1fef2af2c3f05a74c03c6d72d665dc049bfb86
SHA256 a0f106b61c99f2a1f855cd2ea8219c911b147272cbff355b617d7988d6962a72
SHA512 2c45213930221e29e35f888bb926513184bb4bc86ccb05810468bca97a1589e7c23c7e98a2cb9d2de33fb77c443f2a0ab0f7fba00009054df8f4c65d3403f96c

memory/1192-56-0x0000000075671000-0x0000000075673000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

MD5 0d75b1fef9dd4f6a8174b7d088f3db56
SHA1 55f33cdb473e2f05005f617de12f5389ab20b233
SHA256 cad40cb715a3ecb6232b05f239e232d3b7c328128ee8a3cb8e5e862b503dfea6
SHA512 bca915e1ea9e0a54c91f335c62686846b4c09f0d6d415926deb3ec3d0dd5931ef5afc3fe4b3b69bdf7cf1ad0f6cebed1c57519304da1b2fe753385c2a3581b1d

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 fe53929e92af69b3f4e63f5d22ba28a6
SHA1 9aa62aaa0555b638fe61c2df8c42ec6c425f47ba
SHA256 51c3b271012413afc929888a559f8fff0ce632e08356820895858ad9bd4747c9
SHA512 13728185ca5e9e6b24c5ab510b34ae35043a110fe790f739233b339efcbecc838f19b92e012103ba6c24e4dec1a9189de8c9be7d9154b88ee09224aaaade71e3

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 737903ce12ff87dc6dd0519440e35efa
SHA1 cbaa404d4b09ac3b7b1a8c2fb86271035bd9c890
SHA256 847308d56f259a7531acfb7436ba9e84e368ab314460ad257df816f92736a924
SHA512 18d51d9778dff9e72a076ecdb3f77f069a5f0b4c5726a2821a8b9a00461a16ca292a90c5f089b124d135e6d8983a93b85349a0805b420379327e19bb59da1748

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 5721f444efba2950f71c9ac666d017e9
SHA1 c5c8ddeb62ff4334a5488d0a3c16b298c9679a7c
SHA256 f9eb1ba787edec568ba954d27317c139f9633b3408e50ebedcfd48f35d4f1ca2
SHA512 dc997ec98538e8f51988b3d39e2b3055aeb34d5e944dbdbb39bd2e0b423d271376fff5f79ac9a592bb87152e557c6be726d2774d1d845d957f508c20d6d54ccc

\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 4b6a9c8cebdb8049e8cdb13b0486a092
SHA1 69b2489b75cf63d5c39ece13162169e9450b1c3e
SHA256 737316c69474ab96ac81641d6270232eeb22265bb54435a6571942f151bedc17
SHA512 78bf2aa37c21cec0c2f9e4a0b7a2d29858115c2240924677cde54673d4b0c30c34f40acdc15c6255f3ffe39b2fd44aef204369af7498f2c13a1d3b35bd76a0e4

memory/1968-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 5edcd39a21dc51b104cfa47768c14608
SHA1 cfb3c36f2a3642536eaa1914b75fc0b4e296f9ba
SHA256 5030e41d191b43c50d653ebd31efa9a84baa4000353cd858eac425f736171d8e
SHA512 0eba6e5a18f53e89c097947f1f8ca8720b4414153e4d68332def0ac211e95bcd3231827700047e204b8f316ee788fc628299316833405d1da289a9c183a66c06

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

MD5 18e22aeadea7679393d7ca47934dbc1f
SHA1 157de2a42aa246c6121a99bbe7b647bce57e62bd
SHA256 6fbaa68a70dea811b12b7a39a48ac448b0b1b411695caf032374a3ca5295bca2
SHA512 0966e5935bcf9ebcd7781ca72ffe3b3bdad6183ab706c80df35fb3e5ae806f3a9f11963d8f18b7ae9c1f9df58b1401f5e6d5b55b1114c90f454ac0fa0cc8512a

memory/1968-65-0x0000000001080000-0x00000000017F4000-memory.dmp

memory/1968-66-0x0000000006420000-0x00000000067C0000-memory.dmp

memory/1928-67-0x0000000000000000-mapping.dmp

memory/1928-69-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

memory/1928-70-0x000000006F4E0000-0x000000006FA8B000-memory.dmp

memory/1928-71-0x000000006F4E0000-0x000000006FA8B000-memory.dmp