{"description": "Enterprise techniques used by PureCrypter, ATT&CK software S9019 (v1.0)", "name": "PureCrypter (S9019)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can set multiple Registry Run keys to establish persistence.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can execute PowerShell commands to exclude files from EDR and to self-delete.(Citation: Zscaler PureCrypter JUN 2022)(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) has the ability to call `CheckRemoteDebuggerPresent`.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1678", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) has the ability to delay for a specified number of seconds before execution.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can decrypt downloaded resources and parse internal files to determine its settings.(Citation: Zscaler PureCrypter JUN 2022)(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) has executed `Set-MpPreference -ExclusionPath` to exclude files or folders from Windows Defender scans.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can use AES to encrypt system information sent to the C2.(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can send a TLS 1.2 encrypted infection message via Discord webhook.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) code contains an ExclusionRegionNames option where it can compare the results of `kernel32!GetGeoInfo` with a list of regions.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) code contains a global mutex.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": " [PureCrypter](https://attack.mitre.org/software/S9019) can set `ProcessWindowStyle.Hidden` to hide windows on victim machines.(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can execute a PowerShell command to self-delete.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can download additional payloads for execution on the compromised host.(Citation: Zscaler PureCrypter JUN 2022)(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) has used multiple file names to appear legitimate such as firefox\\firefox.exe, Google\\chrome.exe, and Taskmgr.exe.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) has used a .NET downloader named 63342221.BAT and has used .jpg, .png, and .log as false extensions for malicious files.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) has used SmartAssembly and NET-Reactor for string encryption and control flow obfuscation.(Citation: Zscaler PureCrypter JUN 2022)(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.016", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can insert junk code to avoid detection.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can enumerate processes on compromised hosts.(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can inject its final stage into another process on the targeted system.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, 
{"techniqueID": "T1053.005", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can maintain persistence with scheduled tasks.(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can identify installed antivirus solutions.(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can enumerate a targeted system's SerialNumber and Version.(Citation: Zscaler PureCrypter JUN 2022)(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1614", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can use `kernel32!GetGeoInfo` to determine system location.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can retrieve the username from targeted machines.(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1673", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can identify virtual machines by querying the WMI object Win32_ComputerSystem for manufacturer and model and check it against the regular expression Microsoft|VMWare|Virtual.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1102", "comment": "[PureCrypter](https://attack.mitre.org/software/S9019) can use Telegram or Discord to send infection status messages.(Citation: Zscaler PureCrypter JUN 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": 
{"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by PureCrypter", "color": "#66b1ff"}]}