purecrypter | 7cacaad3643b262cb7da178b8c85ea6c1ee6bea5ecbb2fddcb44b66f42731ff8

Analysis

max time kernel
36s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe
Size

772KB
MD5

66d87580c3b91f7d3e7220bc25d227d9
SHA1

0f3363152110789a9808eefaeedb3f9ece505d14
SHA256

29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff
SHA512

d34cadd2ebf2a78bd3fea3fd188f6b585cdbbba6eda79e089ff5ef12d1360bb71b87e93e031e317b962bd334e8ab76e117450d7425145467a200a350673b7483
SSDEEP

3072:iahKyd2n31Kl58fVwCRt++Ny1Nat3xpGc8rApo04Ya9veML:iahOomVwSt++AatKL9x

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Extracted

Family

purecrypter

http://comicmaster.org.uk/img/css/design/fabric/bo/Qzxoye.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 1 IoCs

pid	Process
1860	ablenetwov.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	ablenetwov.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1860	1388	29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe	28
PID 1388 wrote to memory of 1860	1388	29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe	28
PID 1388 wrote to memory of 1860	1388	29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe	28
PID 1388 wrote to memory of 1860	1388	29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe	28

C:\Users\Admin\AppData\Local\Temp\29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe
"C:\Users\Admin\AppData\Local\Temp\29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ablenetwov.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ablenetwov.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ablenetwov.exe

Filesize
362.4MB

MD5
c76628c221d17449f218d24dffcc46fb

SHA1
da69708dc81a6650c221d031b69d311c9edd5aca

SHA256
56f98dd6efd31b7a2b5e3a6c865c3eeb1ed29ef7230afb862e9f67cd64e14517

SHA512
52dee8568bc544fde88dc9d365f2a6aef223227d100eb819c936896a5f3e443b3d69206fd3c719e5cbda2a7e82692430e8021585ec0ff029cd4fc09c38a2cb1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ablenetwov.exe

Filesize
362.4MB

MD5
c76628c221d17449f218d24dffcc46fb

SHA1
da69708dc81a6650c221d031b69d311c9edd5aca

SHA256
56f98dd6efd31b7a2b5e3a6c865c3eeb1ed29ef7230afb862e9f67cd64e14517

SHA512
52dee8568bc544fde88dc9d365f2a6aef223227d100eb819c936896a5f3e443b3d69206fd3c719e5cbda2a7e82692430e8021585ec0ff029cd4fc09c38a2cb1c

Download Submit
memory/1860-60-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1860-61-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download
memory/1860-62-0x00000000060A0000-0x000000000614C000-memory.dmp

Filesize
688KB

Download
memory/1860-63-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1860-64-0x00000000049F0000-0x0000000004A30000-memory.dmp

Filesize
256KB

Download