Overview

overview

10

Static

static

1

5e243f79ec...48.exe

windows7-x64

10

5e243f79ec...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    05-02-2023 13:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

  • Size

    3.6MB

  • MD5

    36fd273ea7607d3a203f257f4e2649ed

  • SHA1

    5e243f79ecb539d0d1f75fce7ddfedeccee70a48

  • SHA256

    471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

  • SHA512

    cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d

  • SSDEEP

    98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score
10/10
purecrypterdownloaderloaderpersistence

Malware Config

Signatures

  • Detect PureCrypter injector 1 IoCs
    loader
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
    "C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
        "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1696
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1488
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1160
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:1636
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:1936
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:1960
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:1912
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:1816
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:780
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:1884
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:640
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:1948
        • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
          4⤵
          • Executes dropped EXE
          PID:816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    Filesize

    189.4MB

    MD5

    ef5f4f29baabbf4ee16f3bfc3b9ad877

    SHA1

    a942211fa49f79010f3ab781f81c177ff62295f5

    SHA256

    8273e553d97c82fa0c860c361e940c087c771a492c00147cdf75e11b47ce4203

    SHA512

    d6647a97c86663ef6e78540a354d6c855fabbb1db257d4964090137111161068cef29147748a5391682f976266479647088f7d24fa683cefb3d84cb2a8eb37a4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
    Filesize

    186.0MB

    MD5

    d95bb5633dc64b7a0f06ab402ad96dfd

    SHA1

    0a9e1978310fb6ef3adfc92ef944ab635af2c58f

    SHA256

    939613cb1a2802dae07523e3f72ae5225e4caeb2e3495ef73536e718bff3437c

    SHA512

    76a1a20a85067c15a5d9047feb690c834026db6d84d8b68e4525fff7f7874f77cb8bd9d5ad2819d6b7b0e433038b386803d042935ab82529441d658ff06cdc37

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    476657ff21e34580bb2ee77ee79927d3

    SHA1

    921d1ecd24eaf41ad4d23aaca4206588f3357b07

    SHA256

    357f68a57c23df93b28043c766d850e791c5982422ed8a3b1357ea23b0a2bfb6

    SHA512

    c07761f92182b6771a92911a3633eb82a61c43dd150a63d45b0d31c9b8d9ed40a66a7f21f9be44b1f84367b6e0cf312393747e9c5b61b28c6b11b29c0ebfd1d4

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    140.0MB

    MD5

    28386819554e119caa278b23694fa920

    SHA1

    53f29c0293c76eb56b68c06ac26bb4cc861711c8

    SHA256

    9c96b304ea1346d7ba01950ac8a815d1d7f356c1b1fc3761a0247a68437134da

    SHA512

    389125c82c448489b7021c10cac28365abba9e93377c6229dcd41e22f4d20816da27e2187e4f1fae210394d370caec2293b2c67ed30a6966169b5243aada260e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    138.1MB

    MD5

    1fa0e82f068c64220d73fcfae25e5e75

    SHA1

    f8bb13ec314c85f59196736aebb1e531f26701e5

    SHA256

    4a295384783a0a2da3fe71e3e32e90c570c96250fffc34b9a45c5f2e3d1de28c

    SHA512

    41188917c6b5e6680c9a18e4a7fc59fa3210192f81a490286c23cfdbc04098bdc0f5c752885f3e8934eeb1dd6598b4366dd384b5a9b4a14e20cf5969c7d9b431

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    56.4MB

    MD5

    f5d4a17968d54b3d7e344127df4d47f9

    SHA1

    52546e8653921100797ef10522e9fcd5a29a29a6

    SHA256

    574c2ba4baa79a1374ffdfb225a6f4931f2f4d4a1739dbfa91cd0f82a765f8fe

    SHA512

    82727978b1b94bf7d7f0587fe335fda8fc2c34734ee6ba81717381c62bc1521931f1217bc6d436c482ffa6fab35d902c3edb948ee3fcdde3c8a31a459286e251

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    59.2MB

    MD5

    620d65e16991ce0641e59297120fa63d

    SHA1

    367e6174e01002148bccfe49718445356fb7273c

    SHA256

    49f9f8231723f684119b4e59761f721d28d9e781d37779d369be3d38c9a7fa26

    SHA512

    db5f03080477e5134a0b169826a2849c15751c8f75b48c3820cabfdc63bf46910cbaf1ea011911de07df5bb18c8e4ee0ef37cb595867354045800202e33a7282

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    56.2MB

    MD5

    066ddbff582c40d6710315d7e5da5e1a

    SHA1

    fba27a32722693b3cb495f5aea9d27e874984e4e

    SHA256

    df34a6174a8dc8e07efd8b230d807752cbbad241e2ca9bf3b59d13373fdc9f0d

    SHA512

    79013c34e13065690fdabbb1e00961e318a66faea8ab0a51ff094af913c245337aeb751c52d158186a796b5373fe9c868fa16714c70bdfd30e7960f6d6e628ca

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    56.9MB

    MD5

    b5e0fa6fbd6da3d35c578dac47eaedc9

    SHA1

    c548b72aef6e1594cc831fcef4216090a441a02e

    SHA256

    1bde924b65cf1d0afd51073aa30d9d3e297c67a2e722b2e8d43ff32c6f787557

    SHA512

    e6469541a886f12a625c47ceea4daaa603aff019a5d820fde766f2246cb3f5f4dbe195e1bca75f116f4ee3eac09c801f01ab129adcfc39f1d4efcfa964e925ac

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    57.4MB

    MD5

    b9b710354c62b81502cc0e8a6bb42ae0

    SHA1

    4380e60c029216d1d1bbed567f3bec3673aae1ab

    SHA256

    62d2c343b799507a9a69412012f560360078677342e466b47a4413124005c049

    SHA512

    ec202b98e91fda022530152f3e96dc4d7b0764967af7e2ae9f36176bd3d85a4c2dbadb8e1226a3b6d32269348e75310c19ae3d9e41b7196477d7235b65286239

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    58.4MB

    MD5

    ad9248a6a9a28b34c3555c1435187a32

    SHA1

    4c492dc8d200e3e04c4b6201b72b82cc43580b17

    SHA256

    ca0e4d6af71d3f411ad255ae0e713810a103388b37a238d635ce6c54250b6f5d

    SHA512

    7cf976279c41e0caf99ae5a4b2c0a2807a35ef632253f9e2e09979dde4f05b77ba1fa350739439af661543ef91d0a05765b21e14fa701d34ed0b7c7906f7f27d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    55.7MB

    MD5

    938cfc5ba6c322f6d4f1d6c61cfd19ac

    SHA1

    3fc750baa039d27e906b45f5d2223ef1ab136be5

    SHA256

    ccdb33f46b1a560b6cee92aa47f32d9a4f572b8689d76cc4af4d82cc8f15502e

    SHA512

    282cc662c71d2a9e66dcdbb438fffbfea02322cc999ab48bac74231bd40582497705ec70fef8a10cb009553acbd5eed807ee66027ec4e454abc9ce051473f999

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    55.8MB

    MD5

    1b7f1466b1e158945581f67b04a382b0

    SHA1

    183d2c3e5f7c06bda87cb4d7fe3738c0b9151142

    SHA256

    038614248c0fef3aebde46d5e52bb5e46fae70b9fb2e5fdc860c3877944de1bc

    SHA512

    294db2b73648c327a84e336968aea98180754aeb6fca25b714e7dee791ebf7d9536110b3d4bfe99fb9cb7bf363a3ca83c24ca64fb0a1e960b0e84e4cebdfa077

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    56.2MB

    MD5

    066ddbff582c40d6710315d7e5da5e1a

    SHA1

    fba27a32722693b3cb495f5aea9d27e874984e4e

    SHA256

    df34a6174a8dc8e07efd8b230d807752cbbad241e2ca9bf3b59d13373fdc9f0d

    SHA512

    79013c34e13065690fdabbb1e00961e318a66faea8ab0a51ff094af913c245337aeb751c52d158186a796b5373fe9c868fa16714c70bdfd30e7960f6d6e628ca

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    57.9MB

    MD5

    af80b22f25afe2826610e2b1fc22e348

    SHA1

    5d29d382a8867631abea2a592e939e5b5f8e2dfc

    SHA256

    51fc6135138864b512cd0503ab22127bfa82165584e4de6a01ea222517042764

    SHA512

    6d20275a4d78f59ae8f3af090bab7650da968c88470a75f9666dac43b61ad2ff7bcd74f670653d09a6a4357949bb315a024410d802efd43c339da9bd95eb73cc

    Download Submit
  • \Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    140.2MB

    MD5

    34766932e0dac7010613bab774335777

    SHA1

    e1052a28c7de3eaccfdaa5dade1b090b1c0539a6

    SHA256

    0260721ad82d31a4e0e1bab1b3fa3fae9f7f50e7d08097431720aaea8b412e02

    SHA512

    8c5ea7533d4259dc45c2ef3f25170a609f6bd7139c776d01ad651e57f78d2fef5e11d6487ca2a4ecc93f143bf03eea65927161fdf7ffbff2c33679650995991c

    Download Submit
  • \Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    139.1MB

    MD5

    39d51367326347172731aa011d177093

    SHA1

    8e3d61ff1ab82cc04ffada4d4f7435802709c1d3

    SHA256

    0501dfc214e4564ff7d3a41334d26025cdfa513e1a811b6cd55f9ceab15d5f95

    SHA512

    db4da9c06deb0f47eb3355ec31cb33628402d6e66c39184fcced61a82c0c3aba43b3f3ce63c8fe0181866703ee523ae1cbda7a0a13c90960fb0f784bf03198f1

    Download Submit
  • \Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    140.8MB

    MD5

    0588b89796dca544fc74111e9bef3a2d

    SHA1

    967e3ab7d71591540e11ab2f9d5083b00cbd2cdb

    SHA256

    228cf8ce7a0547e5bcbf276505e11c61f032875b8550c975f95969a93e5603a3

    SHA512

    a54f028711788c7677f64815873f07ba8e7ec8bc85b02a81819d983c5a440180107996ad7fb56d36de7172f30a997f80d7b6905042ad4a2bdb2783ce59c07e33

    Download Submit
  • \Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
    Filesize

    143.3MB

    MD5

    9d2a5acc611bc6560368d9548adb9574

    SHA1

    ce3aac4df559175c197a687f4c729a4a35e7b259

    SHA256

    efac29090a98abb3fc50eaf2dcf8aed38955452b94b69a286ac681765fad32fe

    SHA512

    01803f40d6d2fb03c9edd6475b873c4ac6c9be4606c2b0530ebd6ea5bfdf8fc6c4d08dc7a4982f6f5836181cc75ea1b1d85fac34f33ed7a20c1d7fbf55034ed3

    Download Submit
  • memory/940-74-0x0000000005420000-0x0000000005592000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/940-66-0x00000000064C0000-0x0000000006860000-memory.dmp
    Filesize

    3.6MB

    Download
  • memory/940-65-0x00000000003D0000-0x0000000000B44000-memory.dmp
    Filesize

    7.5MB

    Download
  • memory/940-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1104-56-0x0000000075A71000-0x0000000075A73000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1104-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1160-85-0x000000006FE40000-0x00000000703EB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1160-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1160-88-0x000000006FE40000-0x00000000703EB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1488-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1696-71-0x0000000070100000-0x00000000706AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1696-70-0x0000000070100000-0x00000000706AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1696-69-0x0000000070100000-0x00000000706AB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1696-67-0x0000000000000000-mapping.dmp
    Download