Overview
Overall score: 10

Task                 Platform            Score
Static               static              -
infected/F...98.exe  windows7-x64        8
infected/F...98.exe  windows10-2004-x64  8
infected/I...er.exe  windows7-x64        10
infected/I...er.exe  windows10-2004-x64  10
infected/R...ed.exe  windows7-x64        10
infected/R...ed.exe  windows10-2004-x64  10
infected/S...64.exe  windows7-x64        10
infected/S...64.exe  windows10-2004-x64  10
infected/b...kO.exe  windows7-x64        10
infected/b...kO.exe  windows10-2004-x64  10

Analysis
max time kernel: 145s
max time network: 143s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 15/01/2023, 17:11
Tasks
static1 (Static task)
behavioral1 (Behavioral task): infected/Furk Ultra_10298.exe, resource win7-20221111-en
behavioral2 (Behavioral task): infected/Furk Ultra_10298.exe, resource win10v2004-20221111-en
behavioral3 (Behavioral task): infected/Installer.exe, resource win7-20220812-en
behavioral4 (Behavioral task): infected/Installer.exe, resource win10v2004-20221111-en
behavioral5 (Behavioral task): infected/RobloxSynapceX Cracked.exe, resource win7-20221111-en
behavioral6 (Behavioral task): infected/RobloxSynapceX Cracked.exe, resource win10v2004-20221111-en
behavioral7 (Behavioral task): infected/Setup x64.exe, resource win7-20221111-en
behavioral8 (Behavioral task): infected/Setup x64.exe, resource win10v2004-20220812-en
behavioral9 (Behavioral task): infected/best-setup_FLc4rckO.exe, resource win7-20221111-en
behavioral10 (Behavioral task): infected/best-setup_FLc4rckO.exe, resource win10v2004-20220812-en
General
Target: infected/Installer.exe
Size: 677.9MB
MD5: 3709aaf7e625bfd4dfef3ceba18ccc4a
SHA1: 17fcf830d2cf2c4a016fb438cae8bf065cc55b24
SHA256: 9440450e86e40c1116742e77b3e97ddb5c4d4d149d9c36d0e1e5c156ddb85cd1
SHA512: 4ea3c2ef3226b7ed9adb966708b70dd79d6295ea603a23f34b6cada7346ce08bb2f95b2ff686ee922060ab387c5a22b34ee082d23f1d69ccf3fc46036c04c000
SSDEEP: 3072:gahKyd2n31z5vWp1icKAArDZz4N9GhbkENEkYg6Au/TXlbodEgY:gahOCp0yN90vEXgMrXleEd

Malware Config
Extracted family: purecrypter
URL: https://falcaoliderfm.com.br/wp-admin/images/css/cover/bo/Jvizg.dll
Signatures
- PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.
- Executes dropped EXE (1 IoC)
  pid   Process
  1120  dienetwoov.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                      Process
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                      Installer.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  Installer.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  1120  dienetwoov.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid   Process        procid_target
  PID 1940 wrote to memory of 1120     1940  Installer.exe  27   (reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 1940
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1120
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 391.0MB
  MD5: d57db4d9896f6a1b0f72e4503ba94ed0
  SHA1: e4dc13b4c7ee490bd268e2241f8812cb3e3d5744
  SHA256: 6a320e135997a07575d8433261146653b3b5c6dd71195ba5e0f892d20a85a09d
  SHA512: ad99c68a7c31df3d26f195e758e76aed1a4a00f4ef4ad25af5812e3be27940a3002428ec21121be54e47f13ec3145b5c46568e83ff98898f8a52aef8884bea52