Analysis

  • max time kernel
    145s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15/01/2023, 17:11

General

  • Target

    infected/Installer.exe

  • Size

    677.9MB

  • MD5

    3709aaf7e625bfd4dfef3ceba18ccc4a

  • SHA1

    17fcf830d2cf2c4a016fb438cae8bf065cc55b24

  • SHA256

    9440450e86e40c1116742e77b3e97ddb5c4d4d149d9c36d0e1e5c156ddb85cd1

  • SHA512

    4ea3c2ef3226b7ed9adb966708b70dd79d6295ea603a23f34b6cada7346ce08bb2f95b2ff686ee922060ab387c5a22b34ee082d23f1d69ccf3fc46036c04c000

  • SSDEEP

    3072:gahKyd2n31z5vWp1icKAArDZz4N9GhbkENEkYg6Au/TXlbodEgY:gahOCp0yN90vEXgMrXleEd

Malware Config

Extracted

Family

purecrypter

C2

https://falcaoliderfm.com.br/wp-admin/images/css/cover/bo/Jvizg.dll

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1120

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

          Filesize

          391.0MB

          MD5

          d57db4d9896f6a1b0f72e4503ba94ed0

          SHA1

          e4dc13b4c7ee490bd268e2241f8812cb3e3d5744

          SHA256

          6a320e135997a07575d8433261146653b3b5c6dd71195ba5e0f892d20a85a09d

          SHA512

          ad99c68a7c31df3d26f195e758e76aed1a4a00f4ef4ad25af5812e3be27940a3002428ec21121be54e47f13ec3145b5c46568e83ff98898f8a52aef8884bea52

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

          Filesize

          391.0MB

          MD5

          d57db4d9896f6a1b0f72e4503ba94ed0

          SHA1

          e4dc13b4c7ee490bd268e2241f8812cb3e3d5744

          SHA256

          6a320e135997a07575d8433261146653b3b5c6dd71195ba5e0f892d20a85a09d

          SHA512

          ad99c68a7c31df3d26f195e758e76aed1a4a00f4ef4ad25af5812e3be27940a3002428ec21121be54e47f13ec3145b5c46568e83ff98898f8a52aef8884bea52

        • memory/1120-57-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

          Filesize

          32KB

        • memory/1120-58-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

          Filesize

          8KB

        • memory/1120-59-0x0000000004855000-0x0000000004866000-memory.dmp

          Filesize

          68KB