purecrypter | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b

General

Target

c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
Size

1.3MB
MD5

f1c29ba01377c35e6f920f0aa626eaf5
SHA1

7b2c191bc2d5d549c5e65613f93d59ece1842f02
SHA256

c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b
SHA512

449a9d0ec42f83be09ef7a258f50f3d07728bb9f06361dc4aebdcbcce0ca010a3c894a5d27d98f197d6b4b85be4e3639656ae75a0216e8e169c54717ad2a85f0
SSDEEP

24576:hT+ua8m657w6ZBLmkitKqBCjC0PDgM5AVnipXD1Z+7:hcVV1BCjBG2

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

C2

https://cents-ability.org/loader/uploads/noicon_Ujizjydo.bmp

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1116	noicon.exe
1772	Stearler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	powershell.exe
1916	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	noicon.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 1116	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	27
PID 308 wrote to memory of 1116	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	27
PID 308 wrote to memory of 1116	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	27
PID 308 wrote to memory of 1116	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	27
PID 308 wrote to memory of 1772	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	28
PID 308 wrote to memory of 1772	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	28
PID 308 wrote to memory of 1772	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	28
PID 308 wrote to memory of 1772	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	28
PID 308 wrote to memory of 1900	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	29
PID 308 wrote to memory of 1900	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	29
PID 308 wrote to memory of 1900	308	c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe	29
PID 1772 wrote to memory of 1664	1772	Stearler.exe	31
PID 1772 wrote to memory of 1664	1772	Stearler.exe	31
PID 1772 wrote to memory of 1664	1772	Stearler.exe	31
PID 1772 wrote to memory of 1664	1772	Stearler.exe	31
PID 1664 wrote to memory of 1672	1664	cmd.exe	33
PID 1664 wrote to memory of 1672	1664	cmd.exe	33
PID 1664 wrote to memory of 1672	1664	cmd.exe	33
PID 1664 wrote to memory of 1672	1664	cmd.exe	33
PID 1664 wrote to memory of 1916	1664	cmd.exe	34
PID 1664 wrote to memory of 1916	1664	cmd.exe	34
PID 1664 wrote to memory of 1916	1664	cmd.exe	34
PID 1664 wrote to memory of 1916	1664	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
"C:\Users\Admin\AppData\Local\Temp\c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Administrator\Desktop\DROP\noicon.exe
  "C:\Users\Administrator\Desktop\DROP\noicon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Users\Administrator\Desktop\DROP\Stearler.exe
  "C:\Users\Administrator\Desktop\DROP\Stearler.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS24D0.tmp\Testobfusc.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionExtension ".vbs"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1916
- C:\Windows\system32\cmd.exe
  "cmd.exe"
  2⤵
  PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS24D0.tmp\Testobfusc.bat

Filesize
14KB

MD5
40e65da3d99568737a62d30060539f23

SHA1
c5b616eb054a850b019da2d19e42b82575a269c1

SHA256
a9ea79963c53c3756fc752d4a2978a86de6038fc728fabc200bc87cd938406e5

SHA512
ef19c1001097545955c2d4c3de48bcda7633459577cf3f54653ae0c89fea5e61e763645bdcd2027c303522c98a02893df1f7195b3d26d38a808e7cc78a5c325d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS24D0.tmp\Testobfusc.bat

Filesize
14KB

MD5
40e65da3d99568737a62d30060539f23

SHA1
c5b616eb054a850b019da2d19e42b82575a269c1

SHA256
a9ea79963c53c3756fc752d4a2978a86de6038fc728fabc200bc87cd938406e5

SHA512
ef19c1001097545955c2d4c3de48bcda7633459577cf3f54653ae0c89fea5e61e763645bdcd2027c303522c98a02893df1f7195b3d26d38a808e7cc78a5c325d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NACMY9P75F59OJ522P1Q.temp

Filesize
7KB

MD5
884db6995397cb58a2367b6e2f67960d

SHA1
aec86319e3fa0dc1c1e58d2c9809a98bfb413299

SHA256
4c9972709a612ebfbb1106ea60e07dff60dcee841199d31eb3ad3c076cdd43b7

SHA512
5b8f696b9ed928222daf430ad810a395bc428eb18c19d9c3cdae522e9f64b6c8744747f8a47714b6c91a4b6cc6625fa5c1510263c9d1daa35303446816bbe7f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
884db6995397cb58a2367b6e2f67960d

SHA1
aec86319e3fa0dc1c1e58d2c9809a98bfb413299

SHA256
4c9972709a612ebfbb1106ea60e07dff60dcee841199d31eb3ad3c076cdd43b7

SHA512
5b8f696b9ed928222daf430ad810a395bc428eb18c19d9c3cdae522e9f64b6c8744747f8a47714b6c91a4b6cc6625fa5c1510263c9d1daa35303446816bbe7f9

Download Submit
C:\Users\Administrator\Desktop\DROP\Stearler.exe

Filesize
127KB

MD5
c07c33c5e7c12107f2788280ad31c391

SHA1
8e14f012e98c39d6b20fe14a7532f299e5c001a0

SHA256
389b207183e0ea0fbc4beac9155486c5e6641d20aebd49eeaaa360dde72b7967

SHA512
8109a67532de5e35036680b66e2bdf06aa5067f1e601c4cf46f4c21721dc9dc3b2a65fcb77e01b74fa4246e1121ee058d81e8ec20c71dd8a2d906a73af88b0a1

Download Submit
C:\Users\Administrator\Desktop\DROP\Stearler.exe

Filesize
127KB

MD5
c07c33c5e7c12107f2788280ad31c391

SHA1
8e14f012e98c39d6b20fe14a7532f299e5c001a0

SHA256
389b207183e0ea0fbc4beac9155486c5e6641d20aebd49eeaaa360dde72b7967

SHA512
8109a67532de5e35036680b66e2bdf06aa5067f1e601c4cf46f4c21721dc9dc3b2a65fcb77e01b74fa4246e1121ee058d81e8ec20c71dd8a2d906a73af88b0a1

Download Submit
C:\Users\Administrator\Desktop\DROP\noicon.exe

Filesize
16.0MB

MD5
fdd4cd11d278dab26c2c8551e006c4ed

SHA1
f0ef434d38fa11f8bc38cbc90874ca582867b214

SHA256
80d4414ca76e050007cb39c7fb598e1828ad168bea5725fb5466ee9388d6fa05

SHA512
9333eaba36a12bb0ab260c553bbed6ddb872fc42b05a2cf3552702c298b3d01d653467a00caa1b5232e9a828dce3810e67e08d1f2e245e4356248bf337fb96bb

Download Submit
C:\Users\Administrator\Desktop\DROP\noicon.exe

Filesize
16.0MB

MD5
fdd4cd11d278dab26c2c8551e006c4ed

SHA1
f0ef434d38fa11f8bc38cbc90874ca582867b214

SHA256
80d4414ca76e050007cb39c7fb598e1828ad168bea5725fb5466ee9388d6fa05

SHA512
9333eaba36a12bb0ab260c553bbed6ddb872fc42b05a2cf3552702c298b3d01d653467a00caa1b5232e9a828dce3810e67e08d1f2e245e4356248bf337fb96bb

Download Submit
memory/308-54-0x0000000000C80000-0x0000000000DC8000-memory.dmp

Filesize
1.3MB

Download
memory/308-57-0x000000001A770000-0x000000001A820000-memory.dmp

Filesize
704KB

Download
memory/308-55-0x00000000001C0000-0x0000000000204000-memory.dmp

Filesize
272KB

Download
memory/308-56-0x000000001AD20000-0x000000001ADA0000-memory.dmp

Filesize
512KB

Download
memory/1116-91-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1116-75-0x00000000000D0000-0x00000000000D8000-memory.dmp

Filesize
32KB

Download
memory/1116-117-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1664-115-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1672-92-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/1672-93-0x0000000002680000-0x00000000026C0000-memory.dmp

Filesize
256KB

Download
memory/1916-99-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1916-100-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing