purecrypter | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120

General

Target

36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
Size

6KB
MD5

4f0d3017e1d6e4c39f83a3e550e26c11
SHA1

6f6c966cf3465b48f86ce3b9befb47a209dbd1dd
SHA256

36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120
SHA512

2a1fb15339f192d05b958daa36da0e2f20aefeb396148a98696b8c2d4c15ed6d036b304f1fb4078fe12a257b774b8fc74131c3ac420d548f29ec5582076943fa
SSDEEP

96:eFU+v1uy+5tHd/xR5JNtG1KKqYDal+5zNt:G7653/xfhHRgE+7

Score

10^/10

purecrypter collection downloader loader

Malware Config

Extracted

Family

purecrypter

C2

http://cleaning.homesecuritypc.com/packages/Ikucx.dat

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe

description pid process target process

PID 1952 created 784 1952 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe Explorer.EXE

description	pid	process	target process
PID 1952 created 784	1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	Explorer.EXE

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exeYnpbjslfjs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation	Ynpbjslfjs.exe

Executes dropped EXE 2 IoCs

Processes:

Ynpbjslfjs.exeEstei.exe

pid process

1384 Ynpbjslfjs.exe
1136 Estei.exe

pid	process
1384	Ynpbjslfjs.exe
1136	Estei.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe

description	pid	process	target process
PID 4296 set thread context of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

certreq.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.execertreq.exe

pid	process
1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
5072	certreq.exe
5072	certreq.exe
5072	certreq.exe
5072	certreq.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exeYnpbjslfjs.exeEstei.exe

description	pid	process
Token: SeDebugPrivilege	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
Token: SeDebugPrivilege	1384	Ynpbjslfjs.exe
Token: SeDebugPrivilege	1136	Estei.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exeYnpbjslfjs.exe

description	pid	process	target process
PID 4296 wrote to memory of 1384	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	Ynpbjslfjs.exe
PID 4296 wrote to memory of 1384	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	Ynpbjslfjs.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 4296 wrote to memory of 1952	4296	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
PID 1952 wrote to memory of 5072	1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	certreq.exe
PID 1952 wrote to memory of 5072	1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	certreq.exe
PID 1952 wrote to memory of 5072	1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	certreq.exe
PID 1952 wrote to memory of 5072	1952	36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe	certreq.exe
PID 1384 wrote to memory of 1136	1384	Ynpbjslfjs.exe	Estei.exe
PID 1384 wrote to memory of 1136	1384	Ynpbjslfjs.exe	Estei.exe

outlook_office_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

Processes:

certreq.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:784

C:\Users\Admin\AppData\Local\Temp\36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
"C:\Users\Admin\AppData\Local\Temp\36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Users\Admin\AppData\Local\Temp\Ynpbjslfjs.exe
"C:\Users\Admin\AppData\Local\Temp\Ynpbjslfjs.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\Estei.exe
"C:\Users\Admin\AppData\Local\Temp\Estei.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Users\Admin\AppData\Local\Temp\36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
C:\Users\Admin\AppData\Local\Temp\36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:5072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Email Collection

1

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Estei.exe
Filesize
6KB

MD5
1e60442ffe8d9d91919bf2506e3efc68

SHA1
908bd34c30f2baf73245541b9b18bd89d06c8d79

SHA256
cf2e48859602e7f7b3a7006a952bd1e3c75f0c6220d9803c10b4220dbd6c1d06

SHA512
ae221b72839e01c68cf9b0266d58413a43f8e365f9f455d274099e17ccb6883a23513f0f10d3b3e2b3771c5b09a0fcd5331dad6d2a1e088383188536cd81ef63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Estei.exe
Filesize
6KB

MD5
1e60442ffe8d9d91919bf2506e3efc68

SHA1
908bd34c30f2baf73245541b9b18bd89d06c8d79

SHA256
cf2e48859602e7f7b3a7006a952bd1e3c75f0c6220d9803c10b4220dbd6c1d06

SHA512
ae221b72839e01c68cf9b0266d58413a43f8e365f9f455d274099e17ccb6883a23513f0f10d3b3e2b3771c5b09a0fcd5331dad6d2a1e088383188536cd81ef63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Estei.exe
Filesize
6KB

MD5
1e60442ffe8d9d91919bf2506e3efc68

SHA1
908bd34c30f2baf73245541b9b18bd89d06c8d79

SHA256
cf2e48859602e7f7b3a7006a952bd1e3c75f0c6220d9803c10b4220dbd6c1d06

SHA512
ae221b72839e01c68cf9b0266d58413a43f8e365f9f455d274099e17ccb6883a23513f0f10d3b3e2b3771c5b09a0fcd5331dad6d2a1e088383188536cd81ef63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ynpbjslfjs.exe
Filesize
6KB

MD5
8af1d478704d9528f08b2fffa5f47440

SHA1
c140a7ac7eed24afd65adca65d930553c481602e

SHA256
ceff3cbf74efe2ddbb8faa4a651d5d0a8bed637774e7c755e467cb5dc0174c48

SHA512
d6c1677a35b35dd0994b2a8e2970fa59351a0a0f1a1bf43448ee1fe694e825d63d1bfadab7b723d1d76984aa0b9ea3994b6442686264ade67005b0754ec63855

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ynpbjslfjs.exe
Filesize
6KB

MD5
8af1d478704d9528f08b2fffa5f47440

SHA1
c140a7ac7eed24afd65adca65d930553c481602e

SHA256
ceff3cbf74efe2ddbb8faa4a651d5d0a8bed637774e7c755e467cb5dc0174c48

SHA512
d6c1677a35b35dd0994b2a8e2970fa59351a0a0f1a1bf43448ee1fe694e825d63d1bfadab7b723d1d76984aa0b9ea3994b6442686264ade67005b0754ec63855

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ynpbjslfjs.exe
Filesize
6KB

MD5
8af1d478704d9528f08b2fffa5f47440

SHA1
c140a7ac7eed24afd65adca65d930553c481602e

SHA256
ceff3cbf74efe2ddbb8faa4a651d5d0a8bed637774e7c755e467cb5dc0174c48

SHA512
d6c1677a35b35dd0994b2a8e2970fa59351a0a0f1a1bf43448ee1fe694e825d63d1bfadab7b723d1d76984aa0b9ea3994b6442686264ade67005b0754ec63855

Download Submit
memory/1136-2041-0x00000179A3FC0000-0x00000179A3FC6000-memory.dmp

Filesize
24KB

Download
memory/1136-2506-0x00000179BE460000-0x00000179BE470000-memory.dmp

Filesize
64KB

Download
memory/1136-2043-0x00000179BE460000-0x00000179BE470000-memory.dmp

Filesize
64KB

Download
memory/1136-3929-0x00000179A4360000-0x00000179A4361000-memory.dmp

Filesize
4KB

Download
memory/1384-2557-0x000002B6157F0000-0x000002B615800000-memory.dmp

Filesize
64KB

Download
memory/1384-2067-0x000002B6157F0000-0x000002B615800000-memory.dmp

Filesize
64KB

Download
memory/1384-2554-0x000002B6157F0000-0x000002B615800000-memory.dmp

Filesize
64KB

Download
memory/1384-2065-0x000002B6157F0000-0x000002B615800000-memory.dmp

Filesize
64KB

Download
memory/1384-2015-0x000002B613F60000-0x000002B613F61000-memory.dmp

Filesize
4KB

Download
memory/1384-1974-0x000002B6157F0000-0x000002B615800000-memory.dmp

Filesize
64KB

Download
memory/1384-1079-0x000002B6157F0000-0x000002B615800000-memory.dmp

Filesize
64KB

Download
memory/1384-1073-0x000002B613BF0000-0x000002B613BF6000-memory.dmp

Filesize
24KB

Download
memory/1384-2560-0x000002B6157F0000-0x000002B615800000-memory.dmp

Filesize
64KB

Download
memory/1384-2042-0x000002B62E660000-0x000002B62E710000-memory.dmp

Filesize
704KB

Download
memory/1952-1753-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1952-1078-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4296-158-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-170-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-176-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-178-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-180-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-182-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-184-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-186-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-188-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-192-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-190-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-194-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-198-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-196-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-200-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-1059-0x00000000069F0000-0x0000000006A56000-memory.dmp

Filesize
408KB

Download
memory/4296-1060-0x0000000005ED0000-0x0000000005ED1000-memory.dmp

Filesize
4KB

Download
memory/4296-1061-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4296-172-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-174-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-168-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-166-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-164-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-162-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-160-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-133-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/4296-156-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-154-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-152-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-150-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-148-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-146-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-144-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-142-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-140-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-138-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-137-0x00000000065A0000-0x0000000006678000-memory.dmp

Filesize
864KB

Download
memory/4296-136-0x0000000006790000-0x0000000006822000-memory.dmp

Filesize
584KB

Download
memory/4296-135-0x0000000006C40000-0x00000000071E4000-memory.dmp

Filesize
5.6MB

Download
memory/4296-134-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads