purecrypter | 67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0

Analysis

max time kernel
0s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0.rtf
Size

35KB
MD5

56b4ddf6c247124f9bc633b06b169a84
SHA1

f6d0dfca950ccd1fcb92ed511afba92db7edc843
SHA256

67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0
SHA512

6b9e14c704e944b576091f0339e874ed679eeb6d2eba55bb65826fa66d7cb0856d20e1a99cb3cb40599b1065586a138aacf64617490c1c7a237e67ed61b980a3
SSDEEP

384:hWpJrekkBQCwF1YiQwB622Kfc51AD1BMulQGcCAnYuw:hWvSQ3F1YiQwMZFsAulQQAw

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://www1.militarydefensenow.com/Stay/Vdopcuygit.vdf

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Downloads MZ/PE file

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1988	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\67ad0f57895b9963fff217941c49d4eb97023d65fd5b3d36ab936c24fa35a6f0.rtf"
1⤵
- Modifies Internet Explorer settings
PID:2868
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2736

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Launches Equation Editor
PID:1988
- C:\Users\Admin\AppData\Roaming\igcc.exe
  "C:\Users\Admin\AppData\Roaming\igcc.exe"
  2⤵
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
c1b9166a01053397ed7fa58fa42c5814

SHA1
952dfd6d8cb4df52dc23676604c4e0d114ed2186

SHA256
2e3a74ec7ebc133c3a69f33b1539f8b571c3080da3823ec2726f115215050eff

SHA512
f62399e06b31309e79497a3db437aab9aa8235b00df0bd41300654c6ecce53476a56921a7b7508f517657ca04ac80881bd0cbee8b225095692005976029adaf1

Download Submit
C:\Users\Admin\AppData\Roaming\igcc.exe

Filesize
7KB

MD5
e0354350b177887076f4c89567e0af8d

SHA1
999fc3514c83f5b3bfaf899b656a194f7f60ed05

SHA256
584c91693287a0d6c66f27a8c0f1841aad3368bc48b9d36b1088548f9f370032

SHA512
5972d529569ad3aecd8a02de1b2150a3901e2fe09aa5223956d4fd9f77ec9acd308d938c5748b8e38b6090484d0ec6f288f2295f67a6fcc12b0dc770620600fd

Download Submit
memory/2516-15-0x0000000001330000-0x0000000001338000-memory.dmp

Filesize
32KB

Download
memory/2868-0-0x000000002FF71000-0x000000002FF72000-memory.dmp

Filesize
4KB

Download
memory/2868-2-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/2868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2868-22-0x000000007126D000-0x0000000071278000-memory.dmp

Filesize
44KB

Download
memory/2868-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download