purecrypter | 471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747

General

Target

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Size

3.6MB
MD5

36fd273ea7607d3a203f257f4e2649ed
SHA1

5e243f79ecb539d0d1f75fce7ddfedeccee70a48
SHA256

471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
SHA512

cf81163bc6d1f1141130fbe70944387b97d322afe837ad21a88a0be8f9fd87615bd7022cc572b1783871cc99f224258bae75855e805c733793b723ba0483597d
SSDEEP

98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4:VSSzMGS26x1MUTM+/Fh

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/1520-66-0x0000000006450000-0x00000000067F0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Executes dropped EXE 2 IoCs

Processes:

voiceadequovl.exevoiceadequovl.exe

pid process

976 voiceadequovl.exe
1520 voiceadequovl.exe
Loads dropped DLL 4 IoCs

Processes:

voiceadequovl.exe

pid process

976 voiceadequovl.exe
976 voiceadequovl.exe
976 voiceadequovl.exe
976 voiceadequovl.exe

pid	process
976	voiceadequovl.exe
1520	voiceadequovl.exe

pid	process
976	voiceadequovl.exe
976	voiceadequovl.exe
976	voiceadequovl.exe
976	voiceadequovl.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

1740 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

voiceadequovl.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1520 voiceadequovl.exe
Token: SeDebugPrivilege 1740 powershell.exe

pid	process
1740	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1520	voiceadequovl.exe
Token: SeDebugPrivilege	1740	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exevoiceadequovl.exevoiceadequovl.exe

description	pid	process	target process
PID 1916 wrote to memory of 976	1916	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1916 wrote to memory of 976	1916	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1916 wrote to memory of 976	1916	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 1916 wrote to memory of 976	1916	5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe	voiceadequovl.exe
PID 976 wrote to memory of 1520	976	voiceadequovl.exe	voiceadequovl.exe
PID 976 wrote to memory of 1520	976	voiceadequovl.exe	voiceadequovl.exe
PID 976 wrote to memory of 1520	976	voiceadequovl.exe	voiceadequovl.exe
PID 976 wrote to memory of 1520	976	voiceadequovl.exe	voiceadequovl.exe
PID 1520 wrote to memory of 1740	1520	voiceadequovl.exe	powershell.exe
PID 1520 wrote to memory of 1740	1520	voiceadequovl.exe	powershell.exe
PID 1520 wrote to memory of 1740	1520	voiceadequovl.exe	powershell.exe
PID 1520 wrote to memory of 1740	1520	voiceadequovl.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe

Filesize
365.5MB

MD5
ba50f2bca86ba947a8d2035bb9b35123

SHA1
a542b5c5d41174dc2475a219978123b7d14f958f

SHA256
17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5

SHA512
08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
247.5MB

MD5
24e56541f863b3425ee342fdeb1fa9d6

SHA1
0b6cda9b618ac4f9c9c59ac50849552d9a55d2be

SHA256
649683fce740a3a8b61ecb227d22da051d1b014710e6c932c5b4d7f056c84e1f

SHA512
aa327fd41a26e68c993afcb2e665ec498b36542beb6924495edc84051b60132253ab15b37de0ee66f8476bf3af6017b9fb72cae434dc94eb90402bf1c8c61ffc

Download Submit
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
237.1MB

MD5
69acf52b98e54723f8e9654456f26a76

SHA1
b90ec07466ad17fd3e5aae0cbf10416b2c40f522

SHA256
e10643095e20dbba531f2ddb1f9f7d811ef320023eb360346f36b7f57df44944

SHA512
e9e417949d53a699a69f448f72bb3b346bb73516ae9708c5e20653680ac36cd0ed3ba06402e551a1c79e794f9913720b133177c4ba2f38b1b47a04dfde7533b0

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
242.4MB

MD5
70ca98f6b6e2f19d58fd88341aaf4373

SHA1
58d77cb1b50f819cd1b20d742f83481638cc1cd6

SHA256
085fed4f510b09d3f804dc663024ac190bde5c0c2db1922c8223435e4ee5d84d

SHA512
754f558e1cc2273aaa011b530d67cbac682d6b5a94c14e4c6b2ba978730e6155a975b6f1eff6420d7f45b220ab66a5e2a65994de84dca8afe140aee4535c61b2

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
228.8MB

MD5
25ec587592d75b44f6d7106b7b206788

SHA1
c55e27e0700ba61e31495d60b692975549d6fca7

SHA256
fd7a0a53d63a3e3a2af1c4c44d01df27d9a775db51e005af2f95abc9333e8cde

SHA512
1c36f1aa3f33ec4d7949a882a3724d630d2ab3ae5e00988676951cfd92b800e63e6371706c002628856983704629805107ec1f4c50e276616a83c2e27c082480

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
238.7MB

MD5
ab62da9cf1f6aac48c79866376f134a4

SHA1
4d944d80cb465ac2dfef5045d7651b1e286ec352

SHA256
a9441308bfbfccd79b1240b4f44a09ea132fed07c2d8caeee56f4b3a1a66d682

SHA512
0a330772aebdc75ffb90cc8d3c18e486c940764671cb3393e98e76d412c7421f9c15806ac5d6a664ef7e3ebfb4d7fcc76380009c68e667a0423caa144964673c

Download Submit
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe

Filesize
207.6MB

MD5
819e52f78d32ed5456091b1476c8c9bc

SHA1
fcb172d81b2bf3bca6b35a67a214b420d015ccb9

SHA256
750b1fdc3460234f43055f9990fac114e431e1f5d96a17556e8adbc29501527a

SHA512
8e6b2349043a52b481701ef5c24ff8afdd96db9a908cde4ee19fbfa71c461dd9cc807234687f12ddb5cc991b88412a4c33e7a1efd671c91eca1f933526f931f3

Download Submit
memory/976-56-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/976-54-0x0000000000000000-mapping.dmp

Download
memory/1520-62-0x0000000000000000-mapping.dmp

Download
memory/1520-65-0x0000000000BF0000-0x0000000001364000-memory.dmp

Filesize
7.5MB

Download
memory/1520-66-0x0000000006450000-0x00000000067F0000-memory.dmp

Filesize
3.6MB

Download
memory/1740-67-0x0000000000000000-mapping.dmp

Download
memory/1740-69-0x000000006F570000-0x000000006FB1B000-memory.dmp

Filesize
5.7MB

Download
memory/1740-70-0x000000006F570000-0x000000006FB1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads