purecrypter | 029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e

Analysis

max time kernel
134s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2023 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Minecraft Checker by xRisky.exe
Size

5.6MB
MD5

682fcac2b949bc9fcb3b039b2ddb5ff2
SHA1

94eb1e61b975c65f95c5519d0bfb128906c3dcbb
SHA256

029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e
SHA512

c2ebcff22f15873cf2f119e025eeeb081210ea07de4271758676490f1eb1dde82afd5750a800a8dbbde408ac7a6dc8f54e448fb4180bc4205ab67dc6ba1abd28
SSDEEP

98304:MQsAE8NRnJFKRhwnA8K8s0n2uiR3dN1mnRsMEZQ8kSZvIgi+1RWQ:zNVJFKP98K8sVR37knuWSpli+y

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

http://botnetlogs.com/PureCrypter/panel/uploads/Gxjkiikrv.pdf

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
908	Tags.exe
1228	Tags.exe
5060	arkbxus.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2220 set thread context of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 908 set thread context of 1228	908	Tags.exe	90
PID 1228 set thread context of 1156	1228	Tags.exe	91
PID 1156 set thread context of 4016	1156	InstallUtil.exe	92

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2220	Minecraft Checker by xRisky.exe
3648	powershell.exe
3648	powershell.exe
908	Tags.exe
1228	Tags.exe
1228	Tags.exe
1156	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	Minecraft Checker by xRisky.exe
Token: SeDebugPrivilege	3964	Minecraft Checker by xRisky.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	908	Tags.exe
Token: SeDebugPrivilege	1228	Tags.exe
Token: SeDebugPrivilege	1156	InstallUtil.exe
Token: SeDebugPrivilege	4016	InstallUtil.exe
Token: SeDebugPrivilege	5060	arkbxus.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 2220 wrote to memory of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 2220 wrote to memory of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 2220 wrote to memory of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 2220 wrote to memory of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 2220 wrote to memory of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 2220 wrote to memory of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 2220 wrote to memory of 3964	2220	Minecraft Checker by xRisky.exe	84
PID 908 wrote to memory of 1228	908	Tags.exe	90
PID 908 wrote to memory of 1228	908	Tags.exe	90
PID 908 wrote to memory of 1228	908	Tags.exe	90
PID 908 wrote to memory of 1228	908	Tags.exe	90
PID 908 wrote to memory of 1228	908	Tags.exe	90
PID 908 wrote to memory of 1228	908	Tags.exe	90
PID 908 wrote to memory of 1228	908	Tags.exe	90
PID 908 wrote to memory of 1228	908	Tags.exe	90
PID 1228 wrote to memory of 1156	1228	Tags.exe	91
PID 1228 wrote to memory of 1156	1228	Tags.exe	91
PID 1228 wrote to memory of 1156	1228	Tags.exe	91
PID 1228 wrote to memory of 1156	1228	Tags.exe	91
PID 1228 wrote to memory of 1156	1228	Tags.exe	91
PID 1228 wrote to memory of 1156	1228	Tags.exe	91
PID 1228 wrote to memory of 1156	1228	Tags.exe	91
PID 1228 wrote to memory of 1156	1228	Tags.exe	91
PID 1156 wrote to memory of 4016	1156	InstallUtil.exe	92
PID 1156 wrote to memory of 4016	1156	InstallUtil.exe	92
PID 1156 wrote to memory of 4016	1156	InstallUtil.exe	92
PID 1156 wrote to memory of 4016	1156	InstallUtil.exe	92
PID 1156 wrote to memory of 4016	1156	InstallUtil.exe	92
PID 1156 wrote to memory of 4016	1156	InstallUtil.exe	92
PID 1156 wrote to memory of 4016	1156	InstallUtil.exe	92
PID 1156 wrote to memory of 4016	1156	InstallUtil.exe	92

C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe
  "C:\Users\Admin\AppData\Local\Temp\Minecraft Checker by xRisky.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Users\Admin\AppData\Local\SecurityZone\gzzlwjue\Tags.exe
C:\Users\Admin\AppData\Local\SecurityZone\gzzlwjue\Tags.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\SecurityZone\gzzlwjue\Tags.exe
  C:\Users\Admin\AppData\Local\SecurityZone\gzzlwjue\Tags.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4016

C:\Users\Admin\AppData\Local\Temp\arkbxus.exe
C:\Users\Admin\AppData\Local\Temp\arkbxus.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Minecraft Checker by xRisky.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tags.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\SecurityZone\gzzlwjue\Tags.exe

Filesize
5.6MB

MD5
682fcac2b949bc9fcb3b039b2ddb5ff2

SHA1
94eb1e61b975c65f95c5519d0bfb128906c3dcbb

SHA256
029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e

SHA512
c2ebcff22f15873cf2f119e025eeeb081210ea07de4271758676490f1eb1dde82afd5750a800a8dbbde408ac7a6dc8f54e448fb4180bc4205ab67dc6ba1abd28

Download Submit
C:\Users\Admin\AppData\Local\SecurityZone\gzzlwjue\Tags.exe

Filesize
5.6MB

MD5
682fcac2b949bc9fcb3b039b2ddb5ff2

SHA1
94eb1e61b975c65f95c5519d0bfb128906c3dcbb

SHA256
029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e

SHA512
c2ebcff22f15873cf2f119e025eeeb081210ea07de4271758676490f1eb1dde82afd5750a800a8dbbde408ac7a6dc8f54e448fb4180bc4205ab67dc6ba1abd28

Download Submit
C:\Users\Admin\AppData\Local\SecurityZone\gzzlwjue\Tags.exe

Filesize
5.6MB

MD5
682fcac2b949bc9fcb3b039b2ddb5ff2

SHA1
94eb1e61b975c65f95c5519d0bfb128906c3dcbb

SHA256
029efceb46ffeaefe413209d52c458e22d444c6a67514ac6b0f015caa6e27c9e

SHA512
c2ebcff22f15873cf2f119e025eeeb081210ea07de4271758676490f1eb1dde82afd5750a800a8dbbde408ac7a6dc8f54e448fb4180bc4205ab67dc6ba1abd28

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p1kmhzty.o32.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\arkbxus.exe

Filesize
12KB

MD5
61c8bf88ad858f628e6bb7bc4d90d70d

SHA1
9ef1d96888677b60c903d311baeef2ad6fb17dcc

SHA256
f1cabf40754437cd92f0c671b2a62c019f2f3e6279fbcf00eee60f9722561747

SHA512
5fef6dff1d3ff2112e2e4db7115c4c12a364423e83363f0030f2ef2a4c57410e586f359f92cc2f53692f7ab26d4a3a49961890acd80234d3e4780da0fed2b385

Download Submit
C:\Users\Admin\AppData\Local\Temp\arkbxus.exe

Filesize
12KB

MD5
61c8bf88ad858f628e6bb7bc4d90d70d

SHA1
9ef1d96888677b60c903d311baeef2ad6fb17dcc

SHA256
f1cabf40754437cd92f0c671b2a62c019f2f3e6279fbcf00eee60f9722561747

SHA512
5fef6dff1d3ff2112e2e4db7115c4c12a364423e83363f0030f2ef2a4c57410e586f359f92cc2f53692f7ab26d4a3a49961890acd80234d3e4780da0fed2b385

Download Submit
memory/908-4205-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/908-3415-0x00000000058A0000-0x00000000058B0000-memory.dmp

Filesize
64KB

Download
memory/1156-7716-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/1228-4473-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/1228-6670-0x0000000005520000-0x0000000005530000-memory.dmp

Filesize
64KB

Download
memory/2220-162-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-148-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-133-0x0000000000920000-0x0000000000EB6000-memory.dmp

Filesize
5.6MB

Download
memory/2220-164-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-166-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-168-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-170-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-172-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-174-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-176-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-178-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-180-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-182-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-184-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-186-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-188-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-190-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-192-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-194-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-196-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-198-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-510-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/2220-1180-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/2220-1181-0x00000000067B0000-0x0000000006D54000-memory.dmp

Filesize
5.6MB

Download
memory/2220-134-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/2220-158-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-136-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-138-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-135-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-156-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-140-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-142-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-144-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-146-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-154-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-152-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-150-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/2220-160-0x00000000059F0000-0x0000000005D17000-memory.dmp

Filesize
3.2MB

Download
memory/3648-3408-0x0000028426E20000-0x0000028426E30000-memory.dmp

Filesize
64KB

Download
memory/3648-3406-0x0000028426E20000-0x0000028426E30000-memory.dmp

Filesize
64KB

Download
memory/3648-3407-0x0000028426E20000-0x0000028426E30000-memory.dmp

Filesize
64KB

Download
memory/3648-3405-0x0000028426E60000-0x0000028426E82000-memory.dmp

Filesize
136KB

Download
memory/3964-1185-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3964-3393-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/3964-1389-0x0000000001BD0000-0x0000000001BE0000-memory.dmp

Filesize
64KB

Download
memory/3964-3394-0x0000000001BD0000-0x0000000001BE0000-memory.dmp

Filesize
64KB

Download
memory/4016-7894-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/4016-9927-0x0000000005700000-0x0000000005710000-memory.dmp

Filesize
64KB

Download
memory/5060-9932-0x0000016909D70000-0x0000016909D7A000-memory.dmp

Filesize
40KB

Download
memory/5060-9933-0x000001690B920000-0x000001690B930000-memory.dmp

Filesize
64KB

Download
memory/5060-10856-0x000001690B930000-0x000001690B931000-memory.dmp

Filesize
4KB

Download
memory/5060-10857-0x000001690B920000-0x000001690B930000-memory.dmp

Filesize
64KB

Download