purecrypter | 022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588

Analysis

max time kernel
128s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-07-2023 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
Size

64KB
MD5

7615776c5da2f38b707f17c65748c8e4
SHA1

00e87d4ba8da7052c67d4f9099e469ed989425ea
SHA256

022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588
SHA512

7dbcc2e78894abe96ee09510a7c605a531034b459a41907071efb818e29721b8603d4b26c1141b115c8b256d1cfdd06dd26e692bb8978cbe9fd239bb87a46866
SSDEEP

1536:fnnjAydSWV81vuLAjq4fDdpwFqo+s487Cu72vJcj:fjAyzU9LdpwFqmaBcj

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://mahmoodonline.com/panel/uploads/Ebidr.wav

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
4444	Current.exe
2564	Current.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{24F89F30-4EC5-49D5-A0B2-C43337FED474}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 572 set thread context of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 4444 set thread context of 2564	4444	Current.exe	94
PID 2564 set thread context of 1652	2564	Current.exe	95
PID 1652 set thread context of 1500	1652	MSBuild.exe	96

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1420	powershell.exe
1420	powershell.exe
2564	Current.exe
2564	Current.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
Token: SeDebugPrivilege	3808	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	4444	Current.exe
Token: SeDebugPrivilege	2564	Current.exe
Token: SeDebugPrivilege	1652	MSBuild.exe
Token: SeDebugPrivilege	1500	MSBuild.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 572 wrote to memory of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 572 wrote to memory of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 572 wrote to memory of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 572 wrote to memory of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 572 wrote to memory of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 572 wrote to memory of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 572 wrote to memory of 3808	572	3848-7213-0x0000000005440000-0x0000000005450000-memory.exe	87
PID 4444 wrote to memory of 2564	4444	Current.exe	94
PID 4444 wrote to memory of 2564	4444	Current.exe	94
PID 4444 wrote to memory of 2564	4444	Current.exe	94
PID 4444 wrote to memory of 2564	4444	Current.exe	94
PID 4444 wrote to memory of 2564	4444	Current.exe	94
PID 4444 wrote to memory of 2564	4444	Current.exe	94
PID 4444 wrote to memory of 2564	4444	Current.exe	94
PID 4444 wrote to memory of 2564	4444	Current.exe	94
PID 2564 wrote to memory of 1652	2564	Current.exe	95
PID 2564 wrote to memory of 1652	2564	Current.exe	95
PID 2564 wrote to memory of 1652	2564	Current.exe	95
PID 2564 wrote to memory of 1652	2564	Current.exe	95
PID 2564 wrote to memory of 1652	2564	Current.exe	95
PID 2564 wrote to memory of 1652	2564	Current.exe	95
PID 2564 wrote to memory of 1652	2564	Current.exe	95
PID 2564 wrote to memory of 1652	2564	Current.exe	95
PID 1652 wrote to memory of 1500	1652	MSBuild.exe	96
PID 1652 wrote to memory of 1500	1652	MSBuild.exe	96
PID 1652 wrote to memory of 1500	1652	MSBuild.exe	96
PID 1652 wrote to memory of 1500	1652	MSBuild.exe	96
PID 1652 wrote to memory of 1500	1652	MSBuild.exe	96
PID 1652 wrote to memory of 1500	1652	MSBuild.exe	96
PID 1652 wrote to memory of 1500	1652	MSBuild.exe	96
PID 1652 wrote to memory of 1500	1652	MSBuild.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
"C:\Users\Admin\AppData\Local\Temp\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Local\Temp\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
  C:\Users\Admin\AppData\Local\Temp\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\HResult\chpbaygur\Current.exe
C:\Users\Admin\AppData\Local\HResult\chpbaygur\Current.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\HResult\chpbaygur\Current.exe
  C:\Users\Admin\AppData\Local\HResult\chpbaygur\Current.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HResult\chpbaygur\Current.exe

Filesize
64KB

MD5
7615776c5da2f38b707f17c65748c8e4

SHA1
00e87d4ba8da7052c67d4f9099e469ed989425ea

SHA256
022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588

SHA512
7dbcc2e78894abe96ee09510a7c605a531034b459a41907071efb818e29721b8603d4b26c1141b115c8b256d1cfdd06dd26e692bb8978cbe9fd239bb87a46866

Download Submit
C:\Users\Admin\AppData\Local\HResult\chpbaygur\Current.exe

Filesize
64KB

MD5
7615776c5da2f38b707f17c65748c8e4

SHA1
00e87d4ba8da7052c67d4f9099e469ed989425ea

SHA256
022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588

SHA512
7dbcc2e78894abe96ee09510a7c605a531034b459a41907071efb818e29721b8603d4b26c1141b115c8b256d1cfdd06dd26e692bb8978cbe9fd239bb87a46866

Download Submit
C:\Users\Admin\AppData\Local\HResult\chpbaygur\Current.exe

Filesize
64KB

MD5
7615776c5da2f38b707f17c65748c8e4

SHA1
00e87d4ba8da7052c67d4f9099e469ed989425ea

SHA256
022399fc4eed2289be4159f4ce1e7c268c72c01cad3c164c3b7f3f7c152d7588

SHA512
7dbcc2e78894abe96ee09510a7c605a531034b459a41907071efb818e29721b8603d4b26c1141b115c8b256d1cfdd06dd26e692bb8978cbe9fd239bb87a46866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3848-7213-0x0000000005440000-0x0000000005450000-memory.exe.log

Filesize
1KB

MD5
a13312e452bb67b8b110b6d7fbc6cf6f

SHA1
057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50

SHA256
d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b

SHA512
1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Current.exe.log

Filesize
1KB

MD5
a13312e452bb67b8b110b6d7fbc6cf6f

SHA1
057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50

SHA256
d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b

SHA512
1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Filesize
1KB

MD5
a13312e452bb67b8b110b6d7fbc6cf6f

SHA1
057c5cc1d9b4c48eb1cb78463d8d7599f8fd8a50

SHA256
d5e1315b62697659a967e9aaac291e96ab9cc7d90bab47bc30e6c338a81f479b

SHA512
1e60ceb2af03e9eb8a347bf0ae2e57601ca82e51ec14962eba368393da46f939ff0429d54d59c8a90fbc8f32ed71c880634e0239ccc26c86c40496acdac7b9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t1j1sio4.51e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/572-192-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-200-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-150-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-152-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-154-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-156-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-158-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-160-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-162-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-164-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-166-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-168-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-170-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-172-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-174-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-176-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-178-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-180-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-182-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-184-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-186-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-188-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-190-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-146-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-194-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-196-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-198-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-148-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-202-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-204-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-206-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-880-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/572-1466-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/572-1467-0x00000000080F0000-0x0000000008694000-memory.dmp

Filesize
5.6MB

Download
memory/572-133-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/572-134-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/572-140-0x0000000007540000-0x0000000007562000-memory.dmp

Filesize
136KB

Download
memory/572-144-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/572-143-0x00000000073B0000-0x000000000750D000-memory.dmp

Filesize
1.4MB

Download
memory/1420-3678-0x0000027228C10000-0x0000027228C20000-memory.dmp

Filesize
64KB

Download
memory/1420-3676-0x00000272436C0000-0x00000272436E2000-memory.dmp

Filesize
136KB

Download
memory/1420-3677-0x0000027228C10000-0x0000027228C20000-memory.dmp

Filesize
64KB

Download
memory/1500-10752-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1500-8600-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1652-8490-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/1652-7224-0x00000000057E0000-0x00000000057F0000-memory.dmp

Filesize
64KB

Download
memory/2564-5155-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/2564-7222-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3808-1471-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3808-3674-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/3808-3673-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/3808-1480-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4444-5016-0x0000000007510000-0x0000000007511000-memory.dmp

Filesize
4KB

Download
memory/4444-5015-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/4444-3692-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download