purecrypter | d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e

General

Target

d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe
Size

700.0MB
MD5

9a2c573e882d31251e1bcd07ba90585f
SHA1

d46878f2ad28df08972371a617bce73ae623523c
SHA256

d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e
SHA512

40ac3d1cca6bb8eb7ccfb0d1ae0467423b0355ee5cded84b1095a284f08cecbd70325b808df933d47a7af60081470ad71ee1021e724759227379052302ff3894
SSDEEP

98304:h9eCUTzzphq1G/jxZIo0YYUOJimJJQYts5JcyTcvg6BtufkCJ:PefTzVhqpP9JvgpTcvf7ufz

Score

10^/10

purecrypter redline notepad_2 discovery downloader infostealer loader persistence

Malware Config

Extracted

Family

redline

Botnet

Notepad_2

C2

194.36.177.124:39456

Attributes

auth_value
37464cc4dd294b9925a8c1092e1c72a9

Signatures

Detect PureCrypter injector 1 IoCs

loader

Processes:

resource	yara_rule
behavioral1/memory/2072-12-0x0000000005670000-0x0000000005AFA000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Purecrypter family
purecrypter
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2400-27-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2400-31-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2400-33-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2400-30-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2400-25-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 2 IoCs

Processes:

DRIVER~1.EXEMppzqonpp.8.4.1.installer.x64.exe

pid process

2072 DRIVER~1.EXE
2612 Mppzqonpp.8.4.1.installer.x64.exe

Loads dropped DLL 6 IoCs

Processes:

DRIVER~1.EXEMppzqonpp.8.4.1.installer.x64.exe

pid	process
2072	DRIVER~1.EXE
2612	Mppzqonpp.8.4.1.installer.x64.exe
2612	Mppzqonpp.8.4.1.installer.x64.exe
2612	Mppzqonpp.8.4.1.installer.x64.exe
2612	Mppzqonpp.8.4.1.installer.x64.exe
2612	Mppzqonpp.8.4.1.installer.x64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

DRIVER~1.EXE

description pid process target process

PID 2072 set thread context of 2400 2072 DRIVER~1.EXE InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2072 set thread context of 2400	2072	DRIVER~1.EXE	InstallUtil.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

InstallUtil.exeDRIVER~1.EXEcmd.exetimeout.exeMppzqonpp.8.4.1.installer.x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DRIVER~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mppzqonpp.8.4.1.installer.x64.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2792 timeout.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

DRIVER~1.EXE

pid process

2072 DRIVER~1.EXE
2072 DRIVER~1.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Mppzqonpp.8.4.1.installer.x64.exe

pid process

2612 Mppzqonpp.8.4.1.installer.x64.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

DRIVER~1.EXE

description pid process

Token: SeDebugPrivilege 2072 DRIVER~1.EXE

pid	process
2792	timeout.exe

pid	process
2612	Mppzqonpp.8.4.1.installer.x64.exe

description	pid	process
Token: SeDebugPrivilege	2072	DRIVER~1.EXE

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exeDRIVER~1.EXEcmd.exe

description	pid	process	target process
PID 2124 wrote to memory of 2072	2124	d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe	DRIVER~1.EXE
PID 2124 wrote to memory of 2072	2124	d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe	DRIVER~1.EXE
PID 2124 wrote to memory of 2072	2124	d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe	DRIVER~1.EXE
PID 2124 wrote to memory of 2072	2124	d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe	DRIVER~1.EXE
PID 2072 wrote to memory of 2480	2072	DRIVER~1.EXE	cmd.exe
PID 2072 wrote to memory of 2480	2072	DRIVER~1.EXE	cmd.exe
PID 2072 wrote to memory of 2480	2072	DRIVER~1.EXE	cmd.exe
PID 2072 wrote to memory of 2480	2072	DRIVER~1.EXE	cmd.exe
PID 2480 wrote to memory of 2792	2480	cmd.exe	timeout.exe
PID 2480 wrote to memory of 2792	2480	cmd.exe	timeout.exe
PID 2480 wrote to memory of 2792	2480	cmd.exe	timeout.exe
PID 2480 wrote to memory of 2792	2480	cmd.exe	timeout.exe
PID 2072 wrote to memory of 2612	2072	DRIVER~1.EXE	Mppzqonpp.8.4.1.installer.x64.exe
PID 2072 wrote to memory of 2612	2072	DRIVER~1.EXE	Mppzqonpp.8.4.1.installer.x64.exe
PID 2072 wrote to memory of 2612	2072	DRIVER~1.EXE	Mppzqonpp.8.4.1.installer.x64.exe
PID 2072 wrote to memory of 2612	2072	DRIVER~1.EXE	Mppzqonpp.8.4.1.installer.x64.exe
PID 2072 wrote to memory of 2612	2072	DRIVER~1.EXE	Mppzqonpp.8.4.1.installer.x64.exe
PID 2072 wrote to memory of 2612	2072	DRIVER~1.EXE	Mppzqonpp.8.4.1.installer.x64.exe
PID 2072 wrote to memory of 2612	2072	DRIVER~1.EXE	Mppzqonpp.8.4.1.installer.x64.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe
PID 2072 wrote to memory of 2400	2072	DRIVER~1.EXE	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe
"C:\Users\Admin\AppData\Local\Temp\d7cd49477ad1b8c676dc3507372ca774a69af98280db45a1c9ad0c5f0a4c309e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout 10
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2792
- - C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nso3F82.tmp\ioSpecial.ini

Filesize
1KB

MD5
4111964458518aba78a005836fd71df0

SHA1
c5499db5e598647dee69758bd81f6733f4f02769

SHA256
020aaa2d2db7d0d138c4e7967c19621332379d99a2162d121dc33babc46edc82

SHA512
4a089c7a1b0a3b02fa3bdbf2fd7bfb4c1c683c003e42c9e25c5d1f36e3e2b766d24ab9e70ceaa0e8b846a9ef53791ae7b985db5f5daae795536abe0a030b9ef9

Download Submit
\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe

Filesize
4.3MB

MD5
542c0f910db312aa76c75d5cdbf76844

SHA1
18f608b6220c392ddde0194352b3faf7a10608d1

SHA256
6d80dcfdb5a979eb11de1ebbf5733a101fbe4cd8f7c1ac10f651e71fadf52e4a

SHA512
087f415c20d485cc322be24ae43f730ae7edfa6f64fe78828727a8cf47a0207d18a9b45769f9f3228cd5012c7d34244ccc7edb3e93ba0cc263c4370153fe4a0d

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F82.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F82.tmp\LangDLL.dll

Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F82.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nso3F82.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
memory/2072-9-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-13-0x0000000000790000-0x00000000007DC000-memory.dmp

Filesize
304KB

Download
memory/2072-12-0x0000000005670000-0x0000000005AFA000-memory.dmp

Filesize
4.5MB

Download
memory/2072-11-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-6-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2072-10-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/2072-8-0x0000000004F00000-0x0000000005388000-memory.dmp

Filesize
4.5MB

Download
memory/2072-44-0x00000000747A0000-0x0000000074E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-7-0x0000000000890000-0x0000000000D3E000-memory.dmp

Filesize
4.7MB

Download
memory/2400-31-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-21-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-25-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-33-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2400-27-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads