Analysis Overview
SHA256
bc6b7187bcc579a4fd0e7ffc54bb1a5fb9fa47a3d781bce55a8c4d9ba4df0139
Threat Level: Known bad
The file Vietcombank_Ban Sao Thanh Toan_Pdf.exe was found to be: Known bad.
Malicious Activity Summary
PureCrypter
Purecrypter family
Reads user/profile data of local email clients
Checks computer location settings
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-13 15:00
Signatures
Purecrypter family
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-13 15:00
Reported
2023-01-13 15:02
Platform
win7-20221111-en
Max time kernel
52s
Max time network
114s
Command Line
Signatures
PureCrypter
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 960 set thread context of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"
C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | savory.com.bd | udp |
| N/A | 45.56.99.101:80 | savory.com.bd | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 64.185.227.155:443 | api.ipify.org | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-13 15:00
Reported
2023-01-13 15:03
Platform
win10v2004-20221111-en
Max time kernel
155s
Max time network
158s
Command Line
Signatures
PureCrypter
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc\\vlc.exe\"" | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2572 set thread context of 3600 | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Vietcombank_Ban Sao Thanh Toan_Pdf.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | savory.com.bd | udp |
| N/A | 45.56.99.101:80 | savory.com.bd | tcp |
| N/A | 51.105.71.136:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 64.185.227.155:443 | api.ipify.org | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vietcombank_Ban Sao Thanh Toan_Pdf.exe.log
| MD5 | 2e49a0dc2cc777cf418322c4466c896e |
| SHA1 | d1c48311da63a8124b58ca948b0d64409e927d2d |
| SHA256 | b6e3216891c905bc01dfa776fb8f50aadd5b51b997551eb32ad5e21a53574041 |
| SHA512 | b03923994a5b5b0c8ea0905a19a820eda810ded3687e965ee280641eb6b9dd8bf36ce3984bb04712199fcaffc28cacbbadcc872e12b2bda7f491091aa656156a |