purecrypter | 4a61cb1c1eedce4c2c9eed252e2c19497761337b40afaabb7585adfc1d273915

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC13161720230705091725.exe
Size

44KB
MD5

867251b45427c9c32a767b1fa8fbdd17
SHA1

f3fd541cd69d09b301c7d5c2770d2fab98fb3d36
SHA256

4a61cb1c1eedce4c2c9eed252e2c19497761337b40afaabb7585adfc1d273915
SHA512

26ab8808de16273ea60860337f156e81ac8845aa85ca9748551f628d8e9ec12d127ec4ae0b22fd6e2507597e2b6658e735ecca8b8a11f453ccce30d332950410
SSDEEP

768:tkkPfnjbxZkypwqxStQV81v8lLrEjRU4fXD0kpwY8q:fnnjAydSWV81vuLAjq4fDdpwFq

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://mahmoodonline.com/panel/uploads/Ebidr.wav

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 3 IoCs

pid	Process
228	Current.exe
1476	Current.exe
3848	Current.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3244 set thread context of 3048	3244	DOC13161720230705091725.exe	90
PID 228 set thread context of 3848	228	Current.exe	98
PID 3848 set thread context of 3872	3848	Current.exe	99
PID 3872 set thread context of 3128	3872	InstallUtil.exe	100

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3244	DOC13161720230705091725.exe
3244	DOC13161720230705091725.exe
4184	powershell.exe
4184	powershell.exe
228	Current.exe
228	Current.exe
3848	Current.exe
3848	Current.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	DOC13161720230705091725.exe
Token: SeDebugPrivilege	3048	DOC13161720230705091725.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	228	Current.exe
Token: SeDebugPrivilege	3848	Current.exe
Token: SeDebugPrivilege	3872	InstallUtil.exe
Token: SeDebugPrivilege	3128	InstallUtil.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 804	3244	DOC13161720230705091725.exe	89
PID 3244 wrote to memory of 804	3244	DOC13161720230705091725.exe	89
PID 3244 wrote to memory of 804	3244	DOC13161720230705091725.exe	89
PID 3244 wrote to memory of 3048	3244	DOC13161720230705091725.exe	90
PID 3244 wrote to memory of 3048	3244	DOC13161720230705091725.exe	90
PID 3244 wrote to memory of 3048	3244	DOC13161720230705091725.exe	90
PID 3244 wrote to memory of 3048	3244	DOC13161720230705091725.exe	90
PID 3244 wrote to memory of 3048	3244	DOC13161720230705091725.exe	90
PID 3244 wrote to memory of 3048	3244	DOC13161720230705091725.exe	90
PID 3244 wrote to memory of 3048	3244	DOC13161720230705091725.exe	90
PID 3244 wrote to memory of 3048	3244	DOC13161720230705091725.exe	90
PID 228 wrote to memory of 1476	228	Current.exe	97
PID 228 wrote to memory of 1476	228	Current.exe	97
PID 228 wrote to memory of 1476	228	Current.exe	97
PID 228 wrote to memory of 3848	228	Current.exe	98
PID 228 wrote to memory of 3848	228	Current.exe	98
PID 228 wrote to memory of 3848	228	Current.exe	98
PID 228 wrote to memory of 3848	228	Current.exe	98
PID 228 wrote to memory of 3848	228	Current.exe	98
PID 228 wrote to memory of 3848	228	Current.exe	98
PID 228 wrote to memory of 3848	228	Current.exe	98
PID 228 wrote to memory of 3848	228	Current.exe	98
PID 3848 wrote to memory of 3872	3848	Current.exe	99
PID 3848 wrote to memory of 3872	3848	Current.exe	99
PID 3848 wrote to memory of 3872	3848	Current.exe	99
PID 3848 wrote to memory of 3872	3848	Current.exe	99
PID 3848 wrote to memory of 3872	3848	Current.exe	99
PID 3848 wrote to memory of 3872	3848	Current.exe	99
PID 3848 wrote to memory of 3872	3848	Current.exe	99
PID 3848 wrote to memory of 3872	3848	Current.exe	99
PID 3872 wrote to memory of 3128	3872	InstallUtil.exe	100
PID 3872 wrote to memory of 3128	3872	InstallUtil.exe	100
PID 3872 wrote to memory of 3128	3872	InstallUtil.exe	100
PID 3872 wrote to memory of 3128	3872	InstallUtil.exe	100
PID 3872 wrote to memory of 3128	3872	InstallUtil.exe	100
PID 3872 wrote to memory of 3128	3872	InstallUtil.exe	100
PID 3872 wrote to memory of 3128	3872	InstallUtil.exe	100
PID 3872 wrote to memory of 3128	3872	InstallUtil.exe	100

C:\Users\Admin\AppData\Local\Temp\DOC13161720230705091725.exe
"C:\Users\Admin\AppData\Local\Temp\DOC13161720230705091725.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Users\Admin\AppData\Local\Temp\DOC13161720230705091725.exe
  C:\Users\Admin\AppData\Local\Temp\DOC13161720230705091725.exe
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\DOC13161720230705091725.exe
  C:\Users\Admin\AppData\Local\Temp\DOC13161720230705091725.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe
C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe
  C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe
  C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe

Filesize
44KB

MD5
867251b45427c9c32a767b1fa8fbdd17

SHA1
f3fd541cd69d09b301c7d5c2770d2fab98fb3d36

SHA256
4a61cb1c1eedce4c2c9eed252e2c19497761337b40afaabb7585adfc1d273915

SHA512
26ab8808de16273ea60860337f156e81ac8845aa85ca9748551f628d8e9ec12d127ec4ae0b22fd6e2507597e2b6658e735ecca8b8a11f453ccce30d332950410

Download Submit
C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe

Filesize
44KB

MD5
867251b45427c9c32a767b1fa8fbdd17

SHA1
f3fd541cd69d09b301c7d5c2770d2fab98fb3d36

SHA256
4a61cb1c1eedce4c2c9eed252e2c19497761337b40afaabb7585adfc1d273915

SHA512
26ab8808de16273ea60860337f156e81ac8845aa85ca9748551f628d8e9ec12d127ec4ae0b22fd6e2507597e2b6658e735ecca8b8a11f453ccce30d332950410

Download Submit
C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe

Filesize
44KB

MD5
867251b45427c9c32a767b1fa8fbdd17

SHA1
f3fd541cd69d09b301c7d5c2770d2fab98fb3d36

SHA256
4a61cb1c1eedce4c2c9eed252e2c19497761337b40afaabb7585adfc1d273915

SHA512
26ab8808de16273ea60860337f156e81ac8845aa85ca9748551f628d8e9ec12d127ec4ae0b22fd6e2507597e2b6658e735ecca8b8a11f453ccce30d332950410

Download Submit
C:\Users\Admin\AppData\Local\HResult\npickow\Current.exe

Filesize
44KB

MD5
867251b45427c9c32a767b1fa8fbdd17

SHA1
f3fd541cd69d09b301c7d5c2770d2fab98fb3d36

SHA256
4a61cb1c1eedce4c2c9eed252e2c19497761337b40afaabb7585adfc1d273915

SHA512
26ab8808de16273ea60860337f156e81ac8845aa85ca9748551f628d8e9ec12d127ec4ae0b22fd6e2507597e2b6658e735ecca8b8a11f453ccce30d332950410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Current.exe.log

Filesize
1KB

MD5
a13312e452bb67b8b110b6d7fbc6cf6f

SHA1
057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50

SHA256
d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b

SHA512
1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DOC13161720230705091725.exe.log

Filesize
1KB

MD5
a13312e452bb67b8b110b6d7fbc6cf6f

SHA1
057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50

SHA256
d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b

SHA512
1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

Filesize
1KB

MD5
a13312e452bb67b8b110b6d7fbc6cf6f

SHA1
057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50

SHA256
d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b

SHA512
1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fl03vsmb.bjw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/228-4937-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/3048-1465-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3048-3668-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/3048-3667-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/3048-1481-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/3128-8685-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3128-10744-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/3244-159-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-1460-0x00000000085D0000-0x0000000008B74000-memory.dmp

Filesize
5.6MB

Download
memory/3244-163-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-165-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-167-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-169-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-171-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-173-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-175-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-177-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-179-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-181-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-183-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-185-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-187-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-189-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-191-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-193-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-195-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-197-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-199-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-841-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3244-1459-0x0000000007A30000-0x0000000007A31000-memory.dmp

Filesize
4KB

Download
memory/3244-161-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-133-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/3244-157-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-155-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-153-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-151-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-149-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-134-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/3244-147-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-145-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-143-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-141-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-139-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-137-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3244-135-0x0000000007A40000-0x0000000007A62000-memory.dmp

Filesize
136KB

Download
memory/3244-136-0x00000000078B0000-0x0000000007A0D000-memory.dmp

Filesize
1.4MB

Download
memory/3848-7213-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3848-5028-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3872-7215-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/3872-8538-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/3872-8539-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/4184-3679-0x00000162F4C20000-0x00000162F4C42000-memory.dmp

Filesize
136KB

Download