purecrypter | a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2023 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe
Size

25KB
MD5

86c6c06fd51675e02aabb7495b8b246a
SHA1

8172fadead654638516fbfd7c5d6749b8860c19b
SHA256

a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755
SHA512

5f6bd33af5b9d43cc9ff082d18aee64c20f160de539fa365650c735300e1d5d132d460c86235e476b3dc2311b412b5a3af05de55f701d183b9f8d25bfcad42bb
SSDEEP

384:L0naGdVvqqnKCgFwWR3mnNFawrXebqnlF2xJ8v+jyOc35+c:idVyiKC2wMmjF6u2xagyOq5+c

Score

10^/10

purecrypter collection downloader loader persistence

Malware Config

Extracted

Family

purecrypter

https://qu.ax/lrae.dat

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key opened	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	aspnet_compiler.exe
Key created	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wwkypyjwasp = "C:\\Users\\Admin\\AppData\\Roaming\\Wwkypyjwasp.exe"	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 1248	1996	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe	90

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1248	aspnet_compiler.exe
1248	aspnet_compiler.exe
1248	aspnet_compiler.exe
1248	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe
Token: SeDebugPrivilege	1248	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1248	1996	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe	90
PID 1996 wrote to memory of 1248	1996	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe	90
PID 1996 wrote to memory of 1248	1996	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe	90
PID 1996 wrote to memory of 1248	1996	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe	90
PID 1996 wrote to memory of 1248	1996	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe	90
PID 1996 wrote to memory of 1248	1996	a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe	90

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a1e082c6ac81c7787edc8a751f079c70c7a28b86a6c40bb66f11c066a00bd755_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1248-42-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-68-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-13-0x00007FF96BB70000-0x00007FF96C631000-memory.dmp

Filesize
10.8MB

Download
memory/1248-15-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-16-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-48-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-44-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-2259-0x00007FF96BB70000-0x00007FF96C631000-memory.dmp

Filesize
10.8MB

Download
memory/1248-2231-0x000001E2D8C10000-0x000001E2D8C8A000-memory.dmp

Filesize
488KB

Download
memory/1248-2212-0x000001E2BFF10000-0x000001E2BFF36000-memory.dmp

Filesize
152KB

Download
memory/1248-2211-0x000001E2D8920000-0x000001E2D89BE000-memory.dmp

Filesize
632KB

Download
memory/1248-14-0x000001E2BFF00000-0x000001E2BFF10000-memory.dmp

Filesize
64KB

Download
memory/1248-18-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-20-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-22-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-24-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-26-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-28-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-9-0x0000000140000000-0x00000001400D0000-memory.dmp

Filesize
832KB

Download
memory/1248-32-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-34-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-36-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-38-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-40-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-30-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-815-0x000001E2BFF00000-0x000001E2BFF10000-memory.dmp

Filesize
64KB

Download
memory/1248-648-0x00007FF96BB70000-0x00007FF96C631000-memory.dmp

Filesize
10.8MB

Download
memory/1248-46-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-50-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-52-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-54-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-56-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-58-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-60-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-62-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-64-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-66-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-11-0x000001E2D8810000-0x000001E2D8918000-memory.dmp

Filesize
1.0MB

Download
memory/1248-72-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-70-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-74-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1248-76-0x000001E2D8810000-0x000001E2D8914000-memory.dmp

Filesize
1.0MB

Download
memory/1996-7-0x00000271EC260000-0x00000271EC2AC000-memory.dmp

Filesize
304KB

Download
memory/1996-1-0x00007FF96BB70000-0x00007FF96C631000-memory.dmp

Filesize
10.8MB

Download
memory/1996-5-0x00000271ECE70000-0x00000271ECF78000-memory.dmp

Filesize
1.0MB

Download
memory/1996-4-0x00000271ECC20000-0x00000271ECC30000-memory.dmp

Filesize
64KB

Download
memory/1996-3-0x00007FF96BB70000-0x00007FF96C631000-memory.dmp

Filesize
10.8MB

Download
memory/1996-2-0x00000271ECC20000-0x00000271ECC30000-memory.dmp

Filesize
64KB

Download
memory/1996-6-0x00000271ED080000-0x00000271ED176000-memory.dmp

Filesize
984KB

Download
memory/1996-0-0x00000271EA5F0000-0x00000271EA5FA000-memory.dmp

Filesize
40KB

Download
memory/1996-12-0x00007FF96BB70000-0x00007FF96C631000-memory.dmp

Filesize
10.8MB

Download