purecrypter | 43b957e57a959571b4ee4dedf823b4122dd2774b1290daa5848a4ea830673124

General

Target

DHL_AWB_NO_#907853880911_pdf .exe
Size

18KB
MD5

16b03e4e5bc0ff1dbef3918cfad2b735
SHA1

fcba7690aa8b5fd59530018117c9a23d1d9479d8
SHA256

43b957e57a959571b4ee4dedf823b4122dd2774b1290daa5848a4ea830673124
SHA512

99e5980733a2c1416e0cd5d498549ef6dbc1b52ecbb7c9fdcd828dc1f3c14e3f9fd80bece1e393ae1b87a8084936c2356e213cb0771d25fd3c68eabf13de0c79
SSDEEP

192:HaTdQS53M58auD28GSALhtGfygJrBhIf3jdZ:6TuS53uuDV2LhtGfygJ8fTd

Score

10^/10

purecrypter collection downloader loader spyware stealer

Malware Config

Extracted

Family

purecrypter

C2

http://45.84.1.117/3478/Uwdznaoe.png

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	DHL_AWB_NO_#907853880911_pdf .exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
3	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	powershell.exe
1516	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	DHL_AWB_NO_#907853880911_pdf .exe
Token: SeDebugPrivilege	1516	powershell.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1516	1076	DHL_AWB_NO_#907853880911_pdf .exe	82
PID 1076 wrote to memory of 1516	1076	DHL_AWB_NO_#907853880911_pdf .exe	82
PID 1076 wrote to memory of 1516	1076	DHL_AWB_NO_#907853880911_pdf .exe	82

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	DHL_AWB_NO_#907853880911_pdf .exe

C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO_#907853880911_pdf .exe
"C:\Users\Admin\AppData\Local\Temp\DHL_AWB_NO_#907853880911_pdf .exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1076
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1t1fgmj.1lt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1076-133-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/1076-134-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/1076-135-0x0000000005F30000-0x0000000005F52000-memory.dmp

Filesize
136KB

Download
memory/1076-166-0x0000000007990000-0x0000000007B52000-memory.dmp

Filesize
1.8MB

Download
memory/1076-165-0x0000000007770000-0x00000000077C0000-memory.dmp

Filesize
320KB

Download
memory/1076-164-0x00000000074C0000-0x00000000074CA000-memory.dmp

Filesize
40KB

Download
memory/1076-163-0x0000000007530000-0x00000000075C2000-memory.dmp

Filesize
584KB

Download
memory/1076-162-0x0000000006CE0000-0x0000000007284000-memory.dmp

Filesize
5.6MB

Download
memory/1076-155-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/1516-151-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/1516-153-0x00000000069D0000-0x00000000069EA000-memory.dmp

Filesize
104KB

Download
memory/1516-152-0x0000000007B10000-0x000000000818A000-memory.dmp

Filesize
6.5MB

Download
memory/1516-154-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/1516-139-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/1516-157-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/1516-156-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/1516-158-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/1516-140-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/1516-141-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/1516-138-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/1516-137-0x0000000005780000-0x0000000005DA8000-memory.dmp

Filesize
6.2MB

Download
memory/1516-136-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing