Analysis
max time kernel: 167s
max time network: 143s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 05/11/2022, 20:59
Static task: static1
Behavioral task behavioral1: Sample PurifySoulsBeta.exe, Resource win10-20220812-en
Behavioral task behavioral2: Sample PurifySoulsBeta.exe, Resource win10v2004-20220812-en
General
Target: PurifySoulsBeta.exe
Size: 40.0MB
MD5: 295a42d42e80370d44417e81b3244f28
SHA1: a4080cf54ea3d4114eedd850e8c37e8aaa88562d
SHA256: b61225d3b3cebd16bded2d3c8cd53f0bdbe8562b3a4ea3ee2829adc0c6dba67f
SHA512: b02df6c66dcaa0e11415743c1b72f106d9b9dc39c1fb00ab2155a8fc2cfc75ca4ce3ec253e83261cb5e824d79b151e2514f4957763513de3528f5645df523f1b
SSDEEP: 393216:p1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfT:pMguj8Q4VfvvqFTrYvI
Malware Config
Signatures
Loads dropped DLL (1 IoC)
pid   Process
4820  PurifySoulsBeta.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Drops file in Windows directory (2 IoCs)
description   ioc                                                     Process
File created  C:\Windows\rescache\_merged\4183903823\810424605.pri    taskmgr.exe
File created  C:\Windows\rescache\_merged\1601268389\3877292338.pri   taskmgr.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                                 Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                              taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                           taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                             Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                taskmgr.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   taskmgr.exe

Modifies registry class (1 IoC)
description  ioc                                                                                    Process
Key created  \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings   taskmgr.exe

Every IoC in these three signatures is attributed to taskmgr.exe (PID 1524), which the Processes section lists as its own root process ("taskmgr.exe" /4), not as a descendant of PurifySoulsBeta.exe. The keys read are the disk's FriendlyName, the DEVPKEY_NAME device property ({b725f130-47ef-101a-a5f1-02608c9eebac}\000A is the device display name) and ProcessorNameString, which is consistent with Task Manager populating its Performance tab. Treat these hits as sandbox-session noise; the sample's own environment queries are the two wmic commands recorded under WriteProcessMemory and in the process tree.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
1524  taskmgr.exe   (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
1524  taskmgr.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description (Token: ...)                pid   Process   batches
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
                                        4872  WMIC.exe  2 full batches of the 21 tokens above (42 IoCs)
                                        4456  WMIC.exe  1 full batch plus the first token (SeIncreaseQuotaPrivilege) of a second (22 IoCs; the listing is capped at 64)
The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. The set is every privilege present in the token, which is what wmic.exe enables on start-up regardless of the query it runs, so this signature fires for any wmic invocation; the part worth attention is the parent chain (PurifySoulsBeta.exe -> cmd.exe -> WMIC.exe), not the privilege list.
Suspicious use of FindShellTrayWindow (64 IoCs)
pid   Process
1524  taskmgr.exe   (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
pid   Process
1524  taskmgr.exe   (64 identical entries)
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid   Process              procid_target
PID 4820 wrote to memory of 2144   4820  PurifySoulsBeta.exe  68
PID 4820 wrote to memory of 2144   4820  PurifySoulsBeta.exe  68
PID 2144 wrote to memory of 4872   2144  cmd.exe              69
PID 2144 wrote to memory of 4872   2144  cmd.exe              69
PID 4820 wrote to memory of 4384   4820  PurifySoulsBeta.exe  71
PID 4820 wrote to memory of 4384   4820  PurifySoulsBeta.exe  71
PID 4384 wrote to memory of 4456   4384  cmd.exe              72
PID 4384 wrote to memory of 4456   4384  cmd.exe              72
Every target is a process the writer itself launched (see the Processes section) and each child receives exactly two writes, the pattern of a parent setting up a freshly created child rather than injection into an unrelated process. The records therefore document the chain PurifySoulsBeta.exe -> cmd.exe -> WMIC.exe run twice: once for "wmic computersystem get totalphysicalmemory" and once for "wmic csproduct get uuid", which return the installed RAM and the SMBIOS system UUID, two inputs commonly combined into a machine fingerprint (HWID). procid_target is the sandbox's internal process identifier, not a Windows PID.
Processes
PurifySoulsBeta.exe  (PID 4820, depth 1)
  Image: C:\Users\Admin\AppData\Local\Temp\PurifySoulsBeta.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PurifySoulsBeta.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    cmd.exe  (PID 2144, depth 2)
      Image: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory"
      - Suspicious use of WriteProcessMemory
        WMIC.exe  (PID 4872, depth 3)
          Image: C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic computersystem get totalphysicalmemory
          - Suspicious use of AdjustPrivilegeToken
    cmd.exe  (PID 4384, depth 2)
      Image: C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
      - Suspicious use of WriteProcessMemory
        WMIC.exe  (PID 4456, depth 3)
          Image: C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic csproduct get uuid
          - Suspicious use of AdjustPrivilegeToken
taskmgr.exe  (PID 1524, depth 1)
  Image: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
rundll32.exe  (PID 4412, depth 1)
  Image: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
itnv73.exe  (PID 4988, depth 1)
  Image: C:\Windows\System32\itnv73.exe
  Command line: "C:\Windows\System32\itnv73.exe"
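The WriteProcessMemory records and the process list above are enough to rebuild the parent/child tree and settle two triage questions: which command lines collect a hardware fingerprint, and which signature hits actually sit in the sample's tree rather than under an unrelated root such as taskmgr.exe. The following script does that; it is an added example, not part of the sandbox report or of the sample. Its three input tables are constructed from the page's own records, `FINGERPRINT_RE` is the author's own list of fingerprinting queries (the two wmic commands seen here plus two common BIOS/disk serial queries), and the rule that the first writer into a pid is its creator is an assumption about how the sandbox records process start-up.

```python
"""Rebuild the process tree from flattened "wrote to memory of" records,
flag hardware-fingerprinting command lines and attribute signature hits.
Added example; input strings are constructed from the report's tables."""
import re

# Constructed from the "Suspicious use of WriteProcessMemory" table.
WPM_RECORDS = """
PID 4820 wrote to memory of 2144 4820 PurifySoulsBeta.exe 68
PID 4820 wrote to memory of 2144 4820 PurifySoulsBeta.exe 68
PID 2144 wrote to memory of 4872 2144 cmd.exe 69
PID 2144 wrote to memory of 4872 2144 cmd.exe 69
PID 4820 wrote to memory of 4384 4820 PurifySoulsBeta.exe 71
PID 4820 wrote to memory of 4384 4820 PurifySoulsBeta.exe 71
PID 4384 wrote to memory of 4456 4384 cmd.exe 72
PID 4384 wrote to memory of 4456 4384 cmd.exe 72
"""

# Constructed from the "Processes" section: pid -> command line.
PROCESSES = {
    4820: r'"C:\Users\Admin\AppData\Local\Temp\PurifySoulsBeta.exe"',
    2144: r'C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory"',
    4872: r'wmic computersystem get totalphysicalmemory',
    4384: r'C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"',
    4456: r'wmic csproduct get uuid',
    1524: r'"C:\Windows\system32\taskmgr.exe" /4',
    4412: r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding',
    4988: r'"C:\Windows\System32\itnv73.exe"',
}

# Constructed from the signature list: signature -> pids it was attributed to.
SIGNATURE_HITS = {
    "Loads dropped DLL": [4820],
    "Suspicious use of WriteProcessMemory": [4820, 2144, 4384],
    "Suspicious use of AdjustPrivilegeToken": [4872, 4456],
    "Checks SCSI registry key(s)": [1524],
    "Checks processor information in registry": [1524],
    "Suspicious behavior: EnumeratesProcesses": [1524],
}

# "PID <writer> wrote to memory of <target> <writer> <image> <sandbox id>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+")

# WMI queries commonly combined into a machine fingerprint (author's list).
FINGERPRINT_RE = re.compile(
    r"\bwmic\b.*\b(csproduct\s+get\s+uuid|computersystem\s+get\s+totalphysicalmemory"
    r"|bios\s+get\s+serialnumber|diskdrive\s+get\s+serialnumber)", re.I)


def parse_parents(records: str) -> dict:
    """Map child pid -> parent pid. The first writer into a pid is taken as its
    creator (assumption); the duplicate record per child is collapsed."""
    parents = {}
    for m in WPM_RE.finditer(records):
        writer, target = int(m.group(1)), int(m.group(2))
        parents.setdefault(target, writer)
    return parents


def chain(pid: int, parents: dict) -> list:
    """Ancestry from the root process down to pid (cycle-safe)."""
    path, seen = [pid], {pid}
    while path[0] in parents and parents[path[0]] not in seen:
        path.insert(0, parents[path[0]])
        seen.add(path[0])
    return path


def fingerprinting_chains(processes: dict, parents: dict) -> dict:
    """pid -> ancestry for every command line that looks like HWID collection."""
    return {pid: chain(pid, parents)
            for pid, cmd in processes.items() if FINGERPRINT_RE.search(cmd)}


def attribute_hits(hits: dict, parents: dict, sample_pid: int) -> dict:
    """Split signature hits into those rooted at the sample and those from
    unrelated root processes (sandbox-session noise such as taskmgr.exe)."""
    out = {"sample": [], "unrelated": []}
    for sig, pids in hits.items():
        for pid in pids:
            key = "sample" if chain(pid, parents)[0] == sample_pid else "unrelated"
            out[key].append((sig, pid))
    return out


if __name__ == "__main__":
    parents = parse_parents(WPM_RECORDS)
    for anc in fingerprinting_chains(PROCESSES, parents).values():
        print(" -> ".join(f"{p}:{PROCESSES[p].split()[0]}" for p in anc))
    for bucket, entries in attribute_hits(SIGNATURE_HITS, parents, 4820).items():
        print(bucket, entries)
```

Run stand-alone it prints the two wmic chains rooted at 4820 and sorts the taskmgr.exe registry and enumeration hits into the "unrelated" bucket, which is the same conclusion drawn in the signature notes above. Feeding it another report only requires replacing the three constructed tables.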
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\pkg\fe93f655e0ef6e1e3fae45bb1477caa14c81e96977357e94c304fa07e8e833b1\node-dpapi.node
Filesize: 141KB
MD5: 29da91584b19ce6261534e0e26dd2484
SHA1: b0c74b6911436196f3404762e2e9f1e4dbfd73ca
SHA256: fe93f655e0ef6e1e3fae45bb1477caa14c81e96977357e94c304fa07e8e833b1
SHA512: 27199dfb5304ecd24d2da4de3acf0237cf80910afe3f4c7593f9c0a13a91d488bcccbb13af0d0993c61e8f4d928d4621eaa911cfc3a5ffa9203dc1817aca5f7c
This is the only dropped file listed and the likely subject of the "Loads dropped DLL" signature: a .node file is a native Node.js addon, and the %TEMP%\pkg\<sha256>\ layout (the directory name equals the file's own SHA256 above) is where a Node.js application bundled with the pkg packager extracts its native modules at run time. The 40.0MB sample size fits a pkg binary, which carries the whole Node runtime. node-dpapi is an npm binding to the Windows DPAPI (CryptProtectData/CryptUnprotectData), the API browsers use to protect stored credentials; nothing in this report shows how the JavaScript payload uses it, so that is the next thing to pull from the sample.
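Because the pkg cache names each extraction directory after the SHA256 of the file it holds (as the node-dpapi.node entry above shows), a live host or a disk image can be checked for that consistency: a .node file whose content no longer hashes to its directory name was replaced after extraction, and any file in the cache is a native addon worth hashing against threat intel. The script below is an added example, not part of the report or of the sample; it assumes the directory-name convention holds for every entry, and the demo files it creates are placeholder bytes, not the real node-dpapi.node.

```python
"""Audit a pkg-style native-addon cache: <root>/<sha256>/<name>.node, where the
directory name is expected to equal the SHA-256 of the file inside it.
Added example; the demo cache it builds is constructed data."""
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large addons do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit_pkg_cache(cache_root: Path) -> list:
    """One record per file under a 64-hex-digit directory: size, SHA-256,
    whether the hash matches the directory name, and whether it is a .node addon."""
    findings = []
    for entry in sorted(Path(cache_root).iterdir()):
        if not (entry.is_dir() and HEX64.match(entry.name)):
            continue  # not a pkg extraction directory
        for f in sorted(p for p in entry.rglob("*") if p.is_file()):
            digest = sha256_file(f)
            findings.append({
                "path": f.relative_to(cache_root).as_posix(),
                "size": f.stat().st_size,
                "sha256": digest,
                "dir_hash_matches": digest == entry.name,
                "native_addon": f.suffix.lower() == ".node",
            })
    return findings


def build_demo_cache(base: Path) -> Path:
    """Constructed data: one consistent entry and one whose content no longer
    matches its directory name, as if swapped after extraction.  The bytes are
    placeholders, not the real node-dpapi.node."""
    good = b"MZ\x90\x00" + b"placeholder native addon " * 8
    good_dir = base / hashlib.sha256(good).hexdigest()
    good_dir.mkdir(parents=True)
    (good_dir / "node-dpapi.node").write_bytes(good)

    bad = b"MZ\x90\x00" + b"content swapped after extraction"
    bad_dir = base / ("0" * 64)  # hypothetical directory name, deliberately wrong
    bad_dir.mkdir()
    (bad_dir / "helper.node").write_bytes(bad)
    return base


def demo() -> list:
    """Build the constructed cache in a temp dir, audit it, clean up."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_pkg_cache(build_demo_cache(Path(tmp) / "pkg"))


if __name__ == "__main__":
    for rec in demo():
        flag = "ok " if rec["dir_hash_matches"] else "BAD"
        print(flag, rec["path"], rec["size"], rec["sha256"])
```

On a real host point `audit_pkg_cache` at %LOCALAPPDATA%\Temp\pkg (or the same path inside a mounted image). A matching hash only proves the file is what pkg extracted; it says nothing about whether the addon is benign, so the SHA256 values still need to be looked up.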