purecrypter | 8cc440eff0de4c70b4427d2d0332dd8ccbadb36ead79bd1db5bc67b665bd3fe2

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ödeme 31722.exe
Size

19KB
MD5

63d5a76a6fa8e241653df907c8f048e7
SHA1

19d3f1f51eede4e7c9bedd6e3efbdeb39a2c0f55
SHA256

8cc440eff0de4c70b4427d2d0332dd8ccbadb36ead79bd1db5bc67b665bd3fe2
SHA512

a9863593ea942ca5cf257f00bb359e6e00245851ab38a6d8fdd818bf5c8a4760bf6dc6561cab3bfed93774fb5e9b4a183ab051526aaa8c83238d83f80175e6f2
SSDEEP

384:3TXhfwbvS+GPBXaJNM4smfzxmi/f4Fo1Y7rDfA:3dwYP4NMK3aU

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://onedrive.live.com/download?resid=969678C66048EAA5%21285&authkey=!AC3E8HxO1kVosi0

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tkzorblw.vbs	Ödeme 31722.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 1828	2888	Ödeme 31722.exe	91

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2888	Ödeme 31722.exe
2888	Ödeme 31722.exe
2888	Ödeme 31722.exe
2888	Ödeme 31722.exe
1828	MSBuild.exe
1828	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	Ödeme 31722.exe
Token: SeDebugPrivilege	1828	MSBuild.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2700	2888	Ödeme 31722.exe	89
PID 2888 wrote to memory of 2700	2888	Ödeme 31722.exe	89
PID 2888 wrote to memory of 2700	2888	Ödeme 31722.exe	89
PID 2888 wrote to memory of 4800	2888	Ödeme 31722.exe	90
PID 2888 wrote to memory of 4800	2888	Ödeme 31722.exe	90
PID 2888 wrote to memory of 4800	2888	Ödeme 31722.exe	90
PID 2888 wrote to memory of 1828	2888	Ödeme 31722.exe	91
PID 2888 wrote to memory of 1828	2888	Ödeme 31722.exe	91
PID 2888 wrote to memory of 1828	2888	Ödeme 31722.exe	91
PID 2888 wrote to memory of 1828	2888	Ödeme 31722.exe	91
PID 2888 wrote to memory of 1828	2888	Ödeme 31722.exe	91
PID 2888 wrote to memory of 1828	2888	Ödeme 31722.exe	91
PID 2888 wrote to memory of 1828	2888	Ödeme 31722.exe	91
PID 2888 wrote to memory of 1828	2888	Ödeme 31722.exe	91

C:\Users\Admin\AppData\Local\Temp\Ödeme 31722.exe
"C:\Users\Admin\AppData\Local\Temp\Ödeme 31722.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  PID:4800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-1225-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/1828-1226-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1828-1227-0x0000000004D20000-0x0000000004D30000-memory.dmp

Filesize
64KB

Download
memory/1828-1228-0x0000000004F20000-0x0000000004F86000-memory.dmp

Filesize
408KB

Download
memory/1828-1229-0x0000000005CD0000-0x0000000005D20000-memory.dmp

Filesize
320KB

Download
memory/1828-1230-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/2888-164-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-174-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-136-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2888-137-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/2888-138-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/2888-139-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-140-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-142-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-144-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-146-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-148-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-150-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-152-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-154-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-156-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-158-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-160-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-162-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-134-0x0000000000FA0000-0x0000000000FAC000-memory.dmp

Filesize
48KB

Download
memory/2888-166-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-168-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-170-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-172-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-135-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/2888-176-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-178-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-180-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-182-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-184-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-186-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-188-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-190-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-192-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-194-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-196-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-198-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-200-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-202-0x00000000094D0000-0x0000000009595000-memory.dmp

Filesize
788KB

Download
memory/2888-937-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/2888-133-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download
memory/2888-1217-0x0000000008B50000-0x0000000008B51000-memory.dmp

Filesize
4KB

Download
memory/2888-1216-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/2888-1218-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/2888-1219-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/2888-1224-0x0000000074CD0000-0x0000000075480000-memory.dmp

Filesize
7.7MB

Download