purecrypter | 3cc08755e17790f6152c50cf98ae474e49011e2407fd3f327ac3919d1b503f14

General

Target

setupov16.exe
Size

271.7MB
MD5

afc107122f9018050f0a1201e6d096a2
SHA1

97a56e7492d86791e8d880fb3c530f0812c04244
SHA256

3cc08755e17790f6152c50cf98ae474e49011e2407fd3f327ac3919d1b503f14
SHA512

417cc8614bd4f4d9d450d6a497b0e69cb98b21c3b4a95bb46b8fa08983be6842c9ac1c7af48b23734d42fc5cdaa21c4e0fe335dcb5918b7905ebe51eae8f6f4f
SSDEEP

96:LmJQaxddLegL2RZBz+4O0OFKqWZkr8lGDwaYz2N924vBM4zNt:LmJJdLD2TNp3q1YQDDYzi9faa

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

C2

http://comicmaster.org.uk/img/css/design/fabric/bo/Kvxut.dat

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1172 set thread context of 1988	1172	setupov16.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1388	powershell.exe
864	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	setupov16.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 1388	1172	setupov16.exe	27
PID 1172 wrote to memory of 1388	1172	setupov16.exe	27
PID 1172 wrote to memory of 1388	1172	setupov16.exe	27
PID 1172 wrote to memory of 1388	1172	setupov16.exe	27
PID 1172 wrote to memory of 1740	1172	setupov16.exe	29
PID 1172 wrote to memory of 1740	1172	setupov16.exe	29
PID 1172 wrote to memory of 1740	1172	setupov16.exe	29
PID 1172 wrote to memory of 1740	1172	setupov16.exe	29
PID 1740 wrote to memory of 864	1740	cmd.exe	31
PID 1740 wrote to memory of 864	1740	cmd.exe	31
PID 1740 wrote to memory of 864	1740	cmd.exe	31
PID 1740 wrote to memory of 864	1740	cmd.exe	31
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32
PID 1172 wrote to memory of 1988	1172	setupov16.exe	32

C:\Users\Admin\AppData\Local\Temp\setupov16.exe
"C:\Users\Admin\AppData\Local\Temp\setupov16.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- C:\Users\Admin\AppData\Local\Temp\setupov16.exe
  C:\Users\Admin\AppData\Local\Temp\setupov16.exe
  2⤵
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ab3643d7e53bfad2dd8b0c815da5e435

SHA1
269da63cdec68ac8f715003fa6b384e358efc767

SHA256
9489bf222795ec092c9e52cc0c17979c09d619aeb1144f34f39e53e40b23fa5c

SHA512
99b292f4de58da8b01987c0f819db4c88a636c755ca43040cf13d367df61f00b711a747969e920378d903df46b018c9abec48a95151e85e24dbe78b3c0896211

Download Submit
memory/864-76-0x000000006EE00000-0x000000006F3AB000-memory.dmp

Filesize
5.7MB

Download
memory/1172-55-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1172-56-0x0000000005EC0000-0x0000000005F6A000-memory.dmp

Filesize
680KB

Download
memory/1172-57-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/1172-54-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/1388-60-0x000000006EE30000-0x000000006F3DB000-memory.dmp

Filesize
5.7MB

Download
memory/1388-61-0x000000006EE30000-0x000000006F3DB000-memory.dmp

Filesize
5.7MB

Download
memory/1388-62-0x000000006EE30000-0x000000006F3DB000-memory.dmp

Filesize
5.7MB

Download
memory/1988-68-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1988-70-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1988-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1988-73-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1988-66-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing