purecrypter | 022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
Size

64KB
MD5

7615776c5da2f38b707f17c65748c8e4
SHA1

00e87d4ba8da7052c67d4f9099e469ed989425ea
SHA256

022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588
SHA512

7dbcc2e78894abe96ee09510a7c605a531034b459a41907071efb818e29721b8603d4b26c1141b115c8b256d1cfdd06dd26e692bb8978cbe9fd239bb87a46866
SSDEEP

1536:fnnjAydSWV81vuLAjq4fDdpwFqo+s487Cu72vJcj:fjAyzU9LdpwFqmaBcj

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://mahmoodonline.com/panel/uploads/Ebidr.wav

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
1112	Current.exe
2152	Current.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 1112 set thread context of 2152	1112	Current.exe	95
PID 2152 set thread context of 3644	2152	Current.exe	96
PID 3644 set thread context of 4348	3644	MSBuild.exe	97

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3248	powershell.exe
3248	powershell.exe
2152	Current.exe
2152	Current.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
Token: SeDebugPrivilege	976	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	1112	Current.exe
Token: SeDebugPrivilege	2152	Current.exe
Token: SeDebugPrivilege	3644	MSBuild.exe
Token: SeDebugPrivilege	4348	MSBuild.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 4028 wrote to memory of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 4028 wrote to memory of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 4028 wrote to memory of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 4028 wrote to memory of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 4028 wrote to memory of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 4028 wrote to memory of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 4028 wrote to memory of 976	4028	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	88
PID 1112 wrote to memory of 2152	1112	Current.exe	95
PID 1112 wrote to memory of 2152	1112	Current.exe	95
PID 1112 wrote to memory of 2152	1112	Current.exe	95
PID 1112 wrote to memory of 2152	1112	Current.exe	95
PID 1112 wrote to memory of 2152	1112	Current.exe	95
PID 1112 wrote to memory of 2152	1112	Current.exe	95
PID 1112 wrote to memory of 2152	1112	Current.exe	95
PID 1112 wrote to memory of 2152	1112	Current.exe	95
PID 2152 wrote to memory of 3644	2152	Current.exe	96
PID 2152 wrote to memory of 3644	2152	Current.exe	96
PID 2152 wrote to memory of 3644	2152	Current.exe	96
PID 2152 wrote to memory of 3644	2152	Current.exe	96
PID 2152 wrote to memory of 3644	2152	Current.exe	96
PID 2152 wrote to memory of 3644	2152	Current.exe	96
PID 2152 wrote to memory of 3644	2152	Current.exe	96
PID 2152 wrote to memory of 3644	2152	Current.exe	96
PID 3644 wrote to memory of 4348	3644	MSBuild.exe	97
PID 3644 wrote to memory of 4348	3644	MSBuild.exe	97
PID 3644 wrote to memory of 4348	3644	MSBuild.exe	97
PID 3644 wrote to memory of 4348	3644	MSBuild.exe	97
PID 3644 wrote to memory of 4348	3644	MSBuild.exe	97
PID 3644 wrote to memory of 4348	3644	MSBuild.exe	97
PID 3644 wrote to memory of 4348	3644	MSBuild.exe	97
PID 3644 wrote to memory of 4348	3644	MSBuild.exe	97

C:\Users\Admin\AppData\Local\Temp\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Users\Admin\AppData\Local\Temp\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
  C:\Users\Admin\AppData\Local\Temp\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Users\Admin\AppData\Local\HResult\ugnhenj\Current.exe
C:\Users\Admin\AppData\Local\HResult\ugnhenj\Current.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\HResult\ugnhenj\Current.exe
  C:\Users\Admin\AppData\Local\HResult\ugnhenj\Current.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HResult\ugnhenj\Current.exe

Filesize
64KB

MD5
7615776c5da2f38b707f17c65748c8e4

SHA1
00e87d4ba8da7052c67d4f9099e469ed989425ea

SHA256
022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588

SHA512
7dbcc2e78894abe96ee09510a7c605a531034b459a41907071efb818e29721b8603d4b26c1141b115c8b256d1cfdd06dd26e692bb8978cbe9fd239bb87a46866

Download Submit
C:\Users\Admin\AppData\Local\HResult\ugnhenj\Current.exe

Filesize
64KB

MD5
7615776c5da2f38b707f17c65748c8e4

SHA1
00e87d4ba8da7052c67d4f9099e469ed989425ea

SHA256
022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588

SHA512
7dbcc2e78894abe96ee09510a7c605a531034b459a41907071efb818e29721b8603d4b26c1141b115c8b256d1cfdd06dd26e692bb8978cbe9fd239bb87a46866

Download Submit
C:\Users\Admin\AppData\Local\HResult\ugnhenj\Current.exe

Filesize
64KB

MD5
7615776c5da2f38b707f17c65748c8e4

SHA1
00e87d4ba8da7052c67d4f9099e469ed989425ea

SHA256
022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588

SHA512
7dbcc2e78894abe96ee09510a7c605a531034b459a41907071efb818e29721b8603d4b26c1141b115c8b256d1cfdd06dd26e692bb8978cbe9fd239bb87a46866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe.log

Filesize
1KB

MD5
a13312e452bb67b8b110b6d7fbc6cf6f

SHA1
057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50

SHA256
d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b

SHA512
1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Current.exe.log

Filesize
1KB

MD5
a13312e452bb67b8b110b6d7fbc6cf6f

SHA1
057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50

SHA256
d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b

SHA512
1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3wd2vuj.d5q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/976-1463-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/976-3667-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/976-3666-0x0000000005560000-0x00000000055C6000-memory.dmp

Filesize
408KB

Download
memory/976-1660-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/1112-4966-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/1112-3684-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2152-5108-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/3248-3670-0x000001A5B6340000-0x000001A5B6362000-memory.dmp

Filesize
136KB

Download
memory/3644-7214-0x0000000004DC0000-0x0000000004DD0000-memory.dmp

Filesize
64KB

Download
memory/3644-8537-0x0000000007030000-0x0000000007031000-memory.dmp

Filesize
4KB

Download
memory/4028-157-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-1459-0x0000000008150000-0x00000000086F4000-memory.dmp

Filesize
5.6MB

Download
memory/4028-165-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-167-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-169-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-171-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-173-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-175-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-177-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-179-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-181-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-183-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-185-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-187-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-189-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-191-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-193-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-195-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-197-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-199-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-617-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4028-163-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-1464-0x0000000005F30000-0x0000000005F31000-memory.dmp

Filesize
4KB

Download
memory/4028-161-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-159-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-133-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/4028-155-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-153-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-151-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-149-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-147-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-143-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-145-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-141-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-139-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-137-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-136-0x0000000007550000-0x00000000076AD000-memory.dmp

Filesize
1.4MB

Download
memory/4028-135-0x00000000076E0000-0x0000000007702000-memory.dmp

Filesize
136KB

Download
memory/4028-134-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4348-8691-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/4348-10741-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download