Analysis

  • max time kernel
    155s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/01/2023, 15:00

General

  • Target

    Vietcombank_Ban Sao Thanh Toan_Pdf.exe

  • Size

    23KB

  • MD5

    357dc7fc40a74f7db969a2bd89188d6d

  • SHA1

    4afed0569b36c95f96bac367232cae88eb201e64

  • SHA256

    bc6b7187bcc579a4fd0e7ffc54bb1a5fb9fa47a3d781bce55a8c4d9ba4df0139

  • SHA512

    da23f8e01dfd78874bd274ae7cca8593ca7be0c12d3de0061630e6c737cbc87433451536ed992491568221b82548eff353bc19c7e3e6383a49d3e6a0ae261c8a

  • SSDEEP

    96:P99U6k5sBsdf2XLGMRE7ng2deOFVkAwGuTFKfEPfPNAgARricsGb7kvrBzNt:Pb6KLGMWkOMAluTFCEvNesG+D

Malware Config

Extracted

Family

purecrypter

C2

http://savory.com.bd/sav/Ezxucmj.bmp

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1244
    • C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:3600

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vietcombank_Ban Sao Thanh Toan_Pdf.exe.log

          Filesize

          1KB

          MD5

          2e49a0dc2cc777cf418322c4466c896e

          SHA1

          d1c48311da63a8124b58ca948b0d64409e927d2d

          SHA256

          b6e3216891c905bc01dfa776fb8f50aadd5b51b997551eb32ad5e21a53574041

          SHA512

          b03923994a5b5b0c8ea0905a19a820eda810ded3687e965ee280641eb6b9dd8bf36ce3984bb04712199fcaffc28cacbbadcc872e12b2bda7f491091aa656156a

        • memory/1244-144-0x00000000065B0000-0x00000000065CE000-memory.dmp

          Filesize

          120KB

        • memory/1244-146-0x0000000006A80000-0x0000000006A9A000-memory.dmp

          Filesize

          104KB

        • memory/1244-143-0x0000000005FA0000-0x0000000006006000-memory.dmp

          Filesize

          408KB

        • memory/1244-145-0x0000000007E00000-0x000000000847A000-memory.dmp

          Filesize

          6.5MB

        • memory/1244-141-0x00000000057C0000-0x0000000005DE8000-memory.dmp

          Filesize

          6.2MB

        • memory/1244-142-0x0000000005EC0000-0x0000000005F26000-memory.dmp

          Filesize

          408KB

        • memory/1244-140-0x0000000004FF0000-0x0000000005026000-memory.dmp

          Filesize

          216KB

        • memory/2572-134-0x0000000005210000-0x00000000052A2000-memory.dmp

          Filesize

          584KB

        • memory/2572-138-0x0000000006D60000-0x0000000006D82000-memory.dmp

          Filesize

          136KB

        • memory/2572-137-0x0000000006970000-0x0000000006A22000-memory.dmp

          Filesize

          712KB

        • memory/2572-132-0x0000000000800000-0x000000000080C000-memory.dmp

          Filesize

          48KB

        • memory/2572-136-0x0000000006720000-0x0000000006770000-memory.dmp

          Filesize

          320KB

        • memory/2572-135-0x00000000051B0000-0x00000000051BA000-memory.dmp

          Filesize

          40KB

        • memory/2572-133-0x0000000005900000-0x0000000005EA4000-memory.dmp

          Filesize

          5.6MB

        • memory/3600-148-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB