purecrypter | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685

Analysis

max time kernel
76s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17/03/2023, 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
Size

6KB
MD5

4fc2df99dcdbf2886d139b0f4dfad85c
SHA1

5c02c737e12540a6b5c56615b9b972ee171d2aa1
SHA256

c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685
SHA512

ae83119c6d47b6f6f06ab372cb584d88f01560c9847451faf00b61aa93373f492613b36dee83ae51ed2268ac9b553f70ec46522583d9636a91114f760abe14e5
SSDEEP

96:DgdesBVLuiDTgIlNtuL/A3/I63yPRZjXMRWV6xjtLEk9sl8jzNt:EYsd/jtuLIg6YT4Rd5t9y8l

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://wemodd.co/Anrwqjqr.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe

Executes dropped EXE 1 IoCs

pid	Process
3368	Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4872	3368	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4328	powershell.exe
4328	powershell.exe
2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe
3940	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
Token: SeDebugPrivilege	3940	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 4328	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe	85
PID 2612 wrote to memory of 4328	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe	85
PID 2612 wrote to memory of 3368	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe	93
PID 2612 wrote to memory of 3368	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe	93
PID 2612 wrote to memory of 3368	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe	93
PID 2612 wrote to memory of 3940	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe	104
PID 2612 wrote to memory of 3940	2612	c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
"C:\Users\Admin\AppData\Local\Temp\c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4328
- C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe
  "C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe"
  2⤵
  - Executes dropped EXE
  PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1048
    3⤵
    - Program crash
    PID:4872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 5; Stop-Process 2612 -Force; Start-Sleep -Seconds 2; Remove-Item "C:\Users\Admin\AppData\Local\Temp\c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3368 -ip 3368
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e936ffde1732f536cc835ed3e6c83842

SHA1
05a7c09e599c32003ea21329932a032ace4f592c

SHA256
da9997a3db22d4c3b7900392af3d4a88d09de0df6c4a75d89ea1b271edbb2552

SHA512
35d49450a82c671843080c2ff2ff0d33aa5640234958b7e417a9c2f9e20e24b752a4793a99662253e7ad892dcd70904f6524d5e71c0d80333d7d01741c115870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Filesize
292KB

MD5
65727c071543cc129d7476b1c4b15b6f

SHA1
d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5

SHA256
737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c

SHA512
0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Filesize
292KB

MD5
65727c071543cc129d7476b1c4b15b6f

SHA1
d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5

SHA256
737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c

SHA512
0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe

Filesize
292KB

MD5
65727c071543cc129d7476b1c4b15b6f

SHA1
d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5

SHA256
737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c

SHA512
0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gxqq2pmb.hy5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2612-193-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-181-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-134-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-135-0x00000262BF590000-0x00000262BF5B2000-memory.dmp

Filesize
136KB

Download
memory/2612-147-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-973-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-971-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-972-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-165-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-166-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-168-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-170-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-172-0x00000262BF6B0000-0x00000262BF6B1000-memory.dmp

Filesize
4KB

Download
memory/2612-173-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-174-0x00000262BF6C0000-0x00000262BF753000-memory.dmp

Filesize
588KB

Download
memory/2612-177-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-178-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-176-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-199-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-180-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-182-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-970-0x00000262A44E0000-0x00000262A44F0000-memory.dmp

Filesize
64KB

Download
memory/2612-237-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-186-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-188-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-235-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-191-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-133-0x00000262A40E0000-0x00000262A40E6000-memory.dmp

Filesize
24KB

Download
memory/2612-233-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-215-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-195-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-201-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-203-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-205-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-207-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-209-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-211-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-213-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-197-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-217-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-219-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-221-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-223-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-225-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-227-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-229-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/2612-231-0x00000262BFAA0000-0x00000262BFB3C000-memory.dmp

Filesize
624KB

Download
memory/3368-189-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/3368-184-0x0000000009C80000-0x000000000A224000-memory.dmp

Filesize
5.6MB

Download
memory/3368-185-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/3368-164-0x0000000000560000-0x00000000005B0000-memory.dmp

Filesize
320KB

Download
memory/3940-975-0x0000018FA0080000-0x0000018FA0090000-memory.dmp

Filesize
64KB

Download
memory/3940-987-0x0000018FA0080000-0x0000018FA0090000-memory.dmp

Filesize
64KB

Download
memory/4328-148-0x0000013C6F880000-0x0000013C6F890000-memory.dmp

Filesize
64KB

Download
memory/4328-145-0x0000013C6F880000-0x0000013C6F890000-memory.dmp

Filesize
64KB

Download
memory/4328-146-0x0000013C6F880000-0x0000013C6F890000-memory.dmp

Filesize
64KB

Download
memory/4328-150-0x0000013C6F880000-0x0000013C6F890000-memory.dmp

Filesize
64KB

Download
memory/4328-149-0x0000013C6F880000-0x0000013C6F890000-memory.dmp

Filesize
64KB

Download