purecrypter | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685

Analysis

max time kernel
62s
max time network
58s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17/03/2023, 12:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Qhxujqkxtf.exe
Size

6KB
MD5

4fc2df99dcdbf2886d139b0f4dfad85c
SHA1

5c02c737e12540a6b5c56615b9b972ee171d2aa1
SHA256

c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685
SHA512

ae83119c6d47b6f6f06ab372cb584d88f01560c9847451faf00b61aa93373f492613b36dee83ae51ed2268ac9b553f70ec46522583d9636a91114f760abe14e5
SSDEEP

96:DgdesBVLuiDTgIlNtuL/A3/I63yPRZjXMRWV6xjtLEk9sl8jzNt:EYsd/jtuLIg6YT4Rd5t9y8l

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://wemodd.co/Anrwqjqr.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 1 IoCs

pid	Process
1416	Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
880	powershell.exe
1268	Qhxujqkxtf.exe
1268	Qhxujqkxtf.exe
1268	Qhxujqkxtf.exe
1968	powershell.exe
1968	powershell.exe
1968	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	Qhxujqkxtf.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1268	Qhxujqkxtf.exe
Token: SeDebugPrivilege	1968	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 880	1268	Qhxujqkxtf.exe	26
PID 1268 wrote to memory of 880	1268	Qhxujqkxtf.exe	26
PID 1268 wrote to memory of 880	1268	Qhxujqkxtf.exe	26
PID 1268 wrote to memory of 1416	1268	Qhxujqkxtf.exe	28
PID 1268 wrote to memory of 1416	1268	Qhxujqkxtf.exe	28
PID 1268 wrote to memory of 1416	1268	Qhxujqkxtf.exe	28
PID 1268 wrote to memory of 1416	1268	Qhxujqkxtf.exe	28
PID 1268 wrote to memory of 1968	1268	Qhxujqkxtf.exe	30
PID 1268 wrote to memory of 1968	1268	Qhxujqkxtf.exe	30
PID 1268 wrote to memory of 1968	1268	Qhxujqkxtf.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Qhxujqkxtf.exe
"C:\Users\Admin\AppData\Local\Temp\Qhxujqkxtf.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe
  "C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe"
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 5; Stop-Process 1268 -Force; Start-Sleep -Seconds 2; Remove-Item "C:\Users\Admin\AppData\Local\Temp\Qhxujqkxtf.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Filesize
292KB

MD5
65727c071543cc129d7476b1c4b15b6f

SHA1
d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5

SHA256
737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c

SHA512
0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Filesize
292KB

MD5
65727c071543cc129d7476b1c4b15b6f

SHA1
d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5

SHA256
737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c

SHA512
0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dc3159f8782a3a98897a43b77e5dcad5

SHA1
a0570216984674c940c2eb43ffdc3d13ca90cf68

SHA256
adae57044ab86d58dd0edea4a3afae46fda7855699146c1365c4ceffe23fa53c

SHA512
31824cf385f4acccf7211592694f0b13764c44d3ce2f2dbaddd227c209ba11b1b5a28a95090d6f36c9bcccac1258d3b22aaa7ad51ac011d72f01f97eb687ee8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7TUH7NGO8O99NB7LC5ZU.temp

Filesize
7KB

MD5
dc3159f8782a3a98897a43b77e5dcad5

SHA1
a0570216984674c940c2eb43ffdc3d13ca90cf68

SHA256
adae57044ab86d58dd0edea4a3afae46fda7855699146c1365c4ceffe23fa53c

SHA512
31824cf385f4acccf7211592694f0b13764c44d3ce2f2dbaddd227c209ba11b1b5a28a95090d6f36c9bcccac1258d3b22aaa7ad51ac011d72f01f97eb687ee8b

Download Submit
memory/880-69-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/880-66-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/880-67-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/880-64-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/880-65-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/880-62-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/880-63-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/880-70-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/880-71-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/880-72-0x0000000002830000-0x00000000028B0000-memory.dmp

Filesize
512KB

Download
memory/1268-109-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-123-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-68-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/1268-79-0x000000001ACA0000-0x000000001ACA1000-memory.dmp

Filesize
4KB

Download
memory/1268-80-0x000000001D0B0000-0x000000001D143000-memory.dmp

Filesize
588KB

Download
memory/1268-81-0x000000001D150000-0x000000001D1DE000-memory.dmp

Filesize
568KB

Download
memory/1268-900-0x000000001BADC000-0x000000001BB13000-memory.dmp

Filesize
220KB

Download
memory/1268-83-0x000000001E380000-0x000000001E420000-memory.dmp

Filesize
640KB

Download
memory/1268-84-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-85-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-87-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-89-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-91-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-93-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-95-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-97-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-99-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-101-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-103-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-105-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/1268-107-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/1268-106-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-56-0x000000001C6B0000-0x000000001C7FE000-memory.dmp

Filesize
1.3MB

Download
memory/1268-111-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-113-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-115-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-117-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-119-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-121-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-57-0x000000001BED0000-0x000000001BF86000-memory.dmp

Filesize
728KB

Download
memory/1268-125-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-127-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-129-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-132-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-54-0x000000013FF20000-0x000000013FF26000-memory.dmp

Filesize
24KB

Download
memory/1268-134-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-136-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-138-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-140-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-142-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-144-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-146-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-148-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-150-0x000000001E380000-0x000000001E41C000-memory.dmp

Filesize
624KB

Download
memory/1268-883-0x000000001C230000-0x000000001C286000-memory.dmp

Filesize
344KB

Download
memory/1268-55-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/1268-885-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/1268-886-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/1268-887-0x000000001BAD0000-0x000000001BB50000-memory.dmp

Filesize
512KB

Download
memory/1268-888-0x000000001C160000-0x000000001C1AC000-memory.dmp

Filesize
304KB

Download
memory/1268-889-0x000000001D1E0000-0x000000001D234000-memory.dmp

Filesize
336KB

Download
memory/1416-884-0x00000000041A0000-0x00000000041E0000-memory.dmp

Filesize
256KB

Download
memory/1416-131-0x0000000000290000-0x0000000000296000-memory.dmp

Filesize
24KB

Download
memory/1416-82-0x0000000000210000-0x0000000000260000-memory.dmp

Filesize
320KB

Download
memory/1968-895-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/1968-896-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/1968-897-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1968-898-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/1968-899-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download