purecrypter | 73d66c77945f6ff7fe5d62a4ba5efd4bbc2f8459eaf4722833e0df6cfd4c6309

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2023 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_00fce918b5cf447876a61f05978b2db0.exe
Size

74KB
MD5

00fce918b5cf447876a61f05978b2db0
SHA1

6dec21de3d9d4584e2200a117e6edf70ecfd5c11
SHA256

73d66c77945f6ff7fe5d62a4ba5efd4bbc2f8459eaf4722833e0df6cfd4c6309
SHA512

31b0801ad232b746493c073527bf238b4d6bbc929313109222ac7a4625e831dcbbaaac973f6a0c0f825aef14432dcb8968b08676f27cef14914842561da59206
SSDEEP

1536:aheb4mzLMaM68hD0BLX/yYiAst6C4bllDp7kXqXPtkrBZF7SzKHzUWhUzTrGtltD:Lb4mzLMaM68hD0BLX/yYiAst6C4bllDO

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://store2.gofile.io/download/5c283eeb-ee75-4585-ac23-386c6a3ea789/Jcafcgneb.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	VirusShare_00fce918b5cf447876a61f05978b2db0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1736	powershell.exe
1736	powershell.exe
4792	powershell.exe
4792	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3316	VirusShare_00fce918b5cf447876a61f05978b2db0.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeIncreaseQuotaPrivilege	1736	powershell.exe
Token: SeSecurityPrivilege	1736	powershell.exe
Token: SeTakeOwnershipPrivilege	1736	powershell.exe
Token: SeLoadDriverPrivilege	1736	powershell.exe
Token: SeSystemProfilePrivilege	1736	powershell.exe
Token: SeSystemtimePrivilege	1736	powershell.exe
Token: SeProfSingleProcessPrivilege	1736	powershell.exe
Token: SeIncBasePriorityPrivilege	1736	powershell.exe
Token: SeCreatePagefilePrivilege	1736	powershell.exe
Token: SeBackupPrivilege	1736	powershell.exe
Token: SeRestorePrivilege	1736	powershell.exe
Token: SeShutdownPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeSystemEnvironmentPrivilege	1736	powershell.exe
Token: SeRemoteShutdownPrivilege	1736	powershell.exe
Token: SeUndockPrivilege	1736	powershell.exe
Token: SeManageVolumePrivilege	1736	powershell.exe
Token: 33	1736	powershell.exe
Token: 34	1736	powershell.exe
Token: 35	1736	powershell.exe
Token: 36	1736	powershell.exe
Token: SeIncreaseQuotaPrivilege	1736	powershell.exe
Token: SeSecurityPrivilege	1736	powershell.exe
Token: SeTakeOwnershipPrivilege	1736	powershell.exe
Token: SeLoadDriverPrivilege	1736	powershell.exe
Token: SeSystemProfilePrivilege	1736	powershell.exe
Token: SeSystemtimePrivilege	1736	powershell.exe
Token: SeProfSingleProcessPrivilege	1736	powershell.exe
Token: SeIncBasePriorityPrivilege	1736	powershell.exe
Token: SeCreatePagefilePrivilege	1736	powershell.exe
Token: SeBackupPrivilege	1736	powershell.exe
Token: SeRestorePrivilege	1736	powershell.exe
Token: SeShutdownPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeSystemEnvironmentPrivilege	1736	powershell.exe
Token: SeRemoteShutdownPrivilege	1736	powershell.exe
Token: SeUndockPrivilege	1736	powershell.exe
Token: SeManageVolumePrivilege	1736	powershell.exe
Token: 33	1736	powershell.exe
Token: 34	1736	powershell.exe
Token: 35	1736	powershell.exe
Token: 36	1736	powershell.exe
Token: SeIncreaseQuotaPrivilege	1736	powershell.exe
Token: SeSecurityPrivilege	1736	powershell.exe
Token: SeTakeOwnershipPrivilege	1736	powershell.exe
Token: SeLoadDriverPrivilege	1736	powershell.exe
Token: SeSystemProfilePrivilege	1736	powershell.exe
Token: SeSystemtimePrivilege	1736	powershell.exe
Token: SeProfSingleProcessPrivilege	1736	powershell.exe
Token: SeIncBasePriorityPrivilege	1736	powershell.exe
Token: SeCreatePagefilePrivilege	1736	powershell.exe
Token: SeBackupPrivilege	1736	powershell.exe
Token: SeRestorePrivilege	1736	powershell.exe
Token: SeShutdownPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeSystemEnvironmentPrivilege	1736	powershell.exe
Token: SeRemoteShutdownPrivilege	1736	powershell.exe
Token: SeUndockPrivilege	1736	powershell.exe
Token: SeManageVolumePrivilege	1736	powershell.exe
Token: 33	1736	powershell.exe
Token: 34	1736	powershell.exe
Token: 35	1736	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1736	3316	VirusShare_00fce918b5cf447876a61f05978b2db0.exe	45
PID 3316 wrote to memory of 1736	3316	VirusShare_00fce918b5cf447876a61f05978b2db0.exe	45
PID 3316 wrote to memory of 4792	3316	VirusShare_00fce918b5cf447876a61f05978b2db0.exe	103
PID 3316 wrote to memory of 4792	3316	VirusShare_00fce918b5cf447876a61f05978b2db0.exe	103

C:\Users\Admin\AppData\Local\Temp\VirusShare_00fce918b5cf447876a61f05978b2db0.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_00fce918b5cf447876a61f05978b2db0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9b839c896dee7cbef31e62d9130fe067

SHA1
20974f32005a641b3b7aae03b130f9a6fb0bd321

SHA256
970916b50c737053ae7dcdb13e84fe4786b7884a03e4486c10cabd6d9f00e573

SHA512
75d645562b621afe3735ab1e92664a27b27c93948c7edfa88299ea77ca5bec1d383c0f2eaa908f527dc22108beaf81dc7b31fa96e63ae7842966a34cd7f8fed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d065a8c23163f1a3a0e2de1c238afb9

SHA1
7cfcca7b1b49e6803368c4af01ae95f98c7969a6

SHA256
d475774c8e88c3403ef7b6c50979c1212d3acb08e7f34ef829c00fd006fe163e

SHA512
f379f3dacd8a4e28cf9db1f04c5c728907c3c71c8ba73ddc9a86a8bb0128f570bd3d1c26b86887fb374101110fbc50ea6b08853881173c63d52a50df8e294289

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgs2h5w2.bru.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1736-22-0x000001BD7FF10000-0x000001BD7FF20000-memory.dmp

Filesize
64KB

Download
memory/1736-32-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1736-10-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1736-15-0x000001BD7FF10000-0x000001BD7FF20000-memory.dmp

Filesize
64KB

Download
memory/1736-14-0x000001BD7FF10000-0x000001BD7FF20000-memory.dmp

Filesize
64KB

Download
memory/1736-16-0x000001BD7FF10000-0x000001BD7FF20000-memory.dmp

Filesize
64KB

Download
memory/1736-3-0x000001BD7FDC0000-0x000001BD7FDE2000-memory.dmp

Filesize
136KB

Download
memory/1736-29-0x000001BD7FF10000-0x000001BD7FF20000-memory.dmp

Filesize
64KB

Download
memory/1736-19-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/1736-20-0x000001BD7FF10000-0x000001BD7FF20000-memory.dmp

Filesize
64KB

Download
memory/1736-21-0x000001BD7FF10000-0x000001BD7FF20000-memory.dmp

Filesize
64KB

Download
memory/1736-28-0x000001BD67880000-0x000001BD6788E000-memory.dmp

Filesize
56KB

Download
memory/1736-23-0x000001BD67860000-0x000001BD67870000-memory.dmp

Filesize
64KB

Download
memory/1736-24-0x000001BD7FD90000-0x000001BD7FDAA000-memory.dmp

Filesize
104KB

Download
memory/1736-25-0x000001BD7FF10000-0x000001BD7FF20000-memory.dmp

Filesize
64KB

Download
memory/1736-26-0x000001BD7FE20000-0x000001BD7FE4A000-memory.dmp

Filesize
168KB

Download
memory/1736-27-0x000001BD7FE20000-0x000001BD7FE44000-memory.dmp

Filesize
144KB

Download
memory/3316-0-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download
memory/3316-18-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/3316-17-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3316-2-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/3316-1-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/3316-49-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4792-45-0x0000025ACBC00000-0x0000025ACBC10000-memory.dmp

Filesize
64KB

Download
memory/4792-44-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download
memory/4792-46-0x0000025ACBC00000-0x0000025ACBC10000-memory.dmp

Filesize
64KB

Download
memory/4792-48-0x00007FFEE9A40000-0x00007FFEEA501000-memory.dmp

Filesize
10.8MB

Download