purecrypter | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685

Analysis

max time kernel
85s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 12:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Qhxujqkxtf.exe
Size

6KB
MD5

4fc2df99dcdbf2886d139b0f4dfad85c
SHA1

5c02c737e12540a6b5c56615b9b972ee171d2aa1
SHA256

c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685
SHA512

ae83119c6d47b6f6f06ab372cb584d88f01560c9847451faf00b61aa93373f492613b36dee83ae51ed2268ac9b553f70ec46522583d9636a91114f760abe14e5
SSDEEP

96:DgdesBVLuiDTgIlNtuL/A3/I63yPRZjXMRWV6xjtLEk9sl8jzNt:EYsd/jtuLIg6YT4Rd5t9y8l

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://wemodd.co/Anrwqjqr.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Qhxujqkxtf.exe

Executes dropped EXE 1 IoCs

pid	Process
4668	Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
828	4668	WerFault.exe	94

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3992	powershell.exe
3992	powershell.exe
3784	Qhxujqkxtf.exe
3784	Qhxujqkxtf.exe
3784	Qhxujqkxtf.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe
728	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3784	Qhxujqkxtf.exe
Token: SeDebugPrivilege	3992	powershell.exe
Token: SeDebugPrivilege	3784	Qhxujqkxtf.exe
Token: SeDebugPrivilege	728	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 3992	3784	Qhxujqkxtf.exe	86
PID 3784 wrote to memory of 3992	3784	Qhxujqkxtf.exe	86
PID 3784 wrote to memory of 4668	3784	Qhxujqkxtf.exe	94
PID 3784 wrote to memory of 4668	3784	Qhxujqkxtf.exe	94
PID 3784 wrote to memory of 4668	3784	Qhxujqkxtf.exe	94
PID 3784 wrote to memory of 728	3784	Qhxujqkxtf.exe	106
PID 3784 wrote to memory of 728	3784	Qhxujqkxtf.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Qhxujqkxtf.exe
"C:\Users\Admin\AppData\Local\Temp\Qhxujqkxtf.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3992
- C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe
  "C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe"
  2⤵
  - Executes dropped EXE
  PID:4668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1056
    3⤵
    - Program crash
    PID:828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 5; Stop-Process 3784 -Force; Start-Sleep -Seconds 2; Remove-Item "C:\Users\Admin\AppData\Local\Temp\Qhxujqkxtf.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4668 -ip 4668
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e936ffde1732f536cc835ed3e6c83842

SHA1
05a7c09e599c32003ea21329932a032ace4f592c

SHA256
da9997a3db22d4c3b7900392af3d4a88d09de0df6c4a75d89ea1b271edbb2552

SHA512
35d49450a82c671843080c2ff2ff0d33aa5640234958b7e417a9c2f9e20e24b752a4793a99662253e7ad892dcd70904f6524d5e71c0d80333d7d01741c115870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Filesize
292KB

MD5
65727c071543cc129d7476b1c4b15b6f

SHA1
d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5

SHA256
737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c

SHA512
0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Filesize
292KB

MD5
65727c071543cc129d7476b1c4b15b6f

SHA1
d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5

SHA256
737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c

SHA512
0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Filesize
292KB

MD5
65727c071543cc129d7476b1c4b15b6f

SHA1
d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5

SHA256
737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c

SHA512
0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zytxqorb.33a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/728-987-0x000002A06FDD0000-0x000002A06FDE0000-memory.dmp

Filesize
64KB

Download
memory/728-986-0x000002A06FDD0000-0x000002A06FDE0000-memory.dmp

Filesize
64KB

Download
memory/728-985-0x000002A06FDD0000-0x000002A06FDE0000-memory.dmp

Filesize
64KB

Download
memory/3784-194-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-198-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-134-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3784-135-0x000001F9D7040000-0x000001F9D7062000-memory.dmp

Filesize
136KB

Download
memory/3784-164-0x000001F9D7190000-0x000001F9D7191000-memory.dmp

Filesize
4KB

Download
memory/3784-165-0x000001F9D71A0000-0x000001F9D7233000-memory.dmp

Filesize
588KB

Download
memory/3784-166-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3784-148-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3784-168-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3784-169-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3784-170-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3784-171-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-172-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-174-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-176-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-178-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-180-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-182-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-184-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-186-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-188-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-190-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-192-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-133-0x000001F9BB040000-0x000001F9BB046000-memory.dmp

Filesize
24KB

Download
memory/3784-196-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-202-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-200-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-973-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3784-206-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-204-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-208-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-210-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-212-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-214-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-218-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-216-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-220-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-222-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-224-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-226-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-228-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-230-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-232-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-234-0x000001F9D7580000-0x000001F9D761C000-memory.dmp

Filesize
624KB

Download
memory/3784-972-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3784-971-0x000001F9D6C20000-0x000001F9D6C30000-memory.dmp

Filesize
64KB

Download
memory/3992-151-0x000001AAB5340000-0x000001AAB5350000-memory.dmp

Filesize
64KB

Download
memory/3992-147-0x000001AAB5340000-0x000001AAB5350000-memory.dmp

Filesize
64KB

Download
memory/3992-146-0x000001AAB5340000-0x000001AAB5350000-memory.dmp

Filesize
64KB

Download
memory/3992-145-0x000001AAB5340000-0x000001AAB5350000-memory.dmp

Filesize
64KB

Download
memory/3992-149-0x000001AAB5340000-0x000001AAB5350000-memory.dmp

Filesize
64KB

Download
memory/3992-150-0x000001AAB5340000-0x000001AAB5350000-memory.dmp

Filesize
64KB

Download
memory/4668-969-0x000000000AC40000-0x000000000B1E4000-memory.dmp

Filesize
5.6MB

Download
memory/4668-970-0x000000000A7A0000-0x000000000A832000-memory.dmp

Filesize
584KB

Download
memory/4668-968-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4668-967-0x00000000004D0000-0x0000000000520000-memory.dmp

Filesize
320KB

Download