Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
20-01-2023 14:11
Static task
static1
Behavioral task
behavioral1
Sample
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
Resource
win10v2004-20221111-en
General
-
Target
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
-
Size
3.9MB
-
MD5
ecb41ffa4f12fbe99b2a53141ec9f240
-
SHA1
68c7c9a49c519319aba55bf686f2388ee782208d
-
SHA256
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2
-
SHA512
1b4f1b2225663e986be31d3aabe1491d443eb192e9b34e0aec6c7146a01bd0d350b3f417fa68a41ee3645a367175de59ebf66165cd718e4f1529f7fa3c6b6e89
-
SSDEEP
98304:x8vnvI2bIjGMWwAQ1cdLr3AG3cLMgs7T9/7AwCYyLb+P:Ung2QGMIxLEGMLMlx/7Zcv+P
Malware Config
Extracted
purecrypter
https://atomm.com.br/.well-known/acme-challenge/bo/Xmwlki.dll
Extracted
vidar
1.9
811
https://t.me/travelticketshop
https://steamcommunity.com/profiles/76561199469016299
-
profile_id
811
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Executes dropped EXE 4 IoCs
Processes:
bebra.exesisterservice.exeaheaddecov.exeaheaddecov.exepid process 4240 bebra.exe 5088 sisterservice.exe 3152 aheaddecov.exe 4372 aheaddecov.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exeaheaddecov.exeaheaddecov.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation aheaddecov.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation aheaddecov.exe -
Loads dropped DLL 2 IoCs
Processes:
aheaddecov.exepid process 4372 aheaddecov.exe 4372 aheaddecov.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
sisterservice.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce sisterservice.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" sisterservice.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
aheaddecov.exedescription pid process target process PID 3152 set thread context of 4372 3152 aheaddecov.exe aheaddecov.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
aheaddecov.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 aheaddecov.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString aheaddecov.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 4952 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeaheaddecov.exepid process 3208 powershell.exe 3208 powershell.exe 4372 aheaddecov.exe 4372 aheaddecov.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
aheaddecov.exepowershell.exedescription pid process Token: SeDebugPrivilege 3152 aheaddecov.exe Token: SeDebugPrivilege 3208 powershell.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exebebra.execmd.exesisterservice.exeaheaddecov.exeaheaddecov.execmd.exedescription pid process target process PID 5048 wrote to memory of 4240 5048 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe bebra.exe PID 5048 wrote to memory of 4240 5048 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe bebra.exe PID 4240 wrote to memory of 5004 4240 bebra.exe cmd.exe PID 4240 wrote to memory of 5004 4240 bebra.exe cmd.exe PID 5004 wrote to memory of 4968 5004 cmd.exe choice.exe PID 5004 wrote to memory of 4968 5004 cmd.exe choice.exe PID 5048 wrote to memory of 5088 5048 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe sisterservice.exe PID 5048 wrote to memory of 5088 5048 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe sisterservice.exe PID 5088 wrote to memory of 3152 5088 sisterservice.exe aheaddecov.exe PID 5088 wrote to memory of 3152 5088 sisterservice.exe aheaddecov.exe PID 5088 wrote to memory of 3152 5088 sisterservice.exe aheaddecov.exe PID 3152 wrote to memory of 3208 3152 aheaddecov.exe powershell.exe PID 3152 wrote to memory of 3208 3152 aheaddecov.exe powershell.exe PID 3152 wrote to memory of 3208 3152 aheaddecov.exe powershell.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 3152 wrote to memory of 4372 3152 aheaddecov.exe aheaddecov.exe PID 4372 wrote to memory of 3312 4372 aheaddecov.exe cmd.exe PID 4372 wrote to memory of 3312 4372 aheaddecov.exe cmd.exe PID 4372 wrote to memory of 3312 4372 aheaddecov.exe cmd.exe PID 3312 wrote to memory of 4952 3312 cmd.exe timeout.exe PID 3312 wrote to memory of 4952 3312 cmd.exe timeout.exe PID 3312 wrote to memory of 4952 3312 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe"C:\Users\Admin\AppData\Local\Temp\740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe3⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 04⤵PID:4968
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe" & exit5⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\timeout.exetimeout /t 66⤵
- Delays execution with timeout.exe
PID:4952
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exeFilesize
429.2MB
MD5360cf1b802c90daa515330c1a9e89518
SHA1183a21881ce1618f77862dff05240d19d604bbdc
SHA2568db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5
SHA512bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exeFilesize
429.2MB
MD5360cf1b802c90daa515330c1a9e89518
SHA1183a21881ce1618f77862dff05240d19d604bbdc
SHA2568db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5
SHA512bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exeFilesize
429.2MB
MD5360cf1b802c90daa515330c1a9e89518
SHA1183a21881ce1618f77862dff05240d19d604bbdc
SHA2568db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5
SHA512bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exeFilesize
3.4MB
MD59db7f8ba57214489f97c8c785b4c727c
SHA1968df2ab397063fcf6eb7720fa5ca24744230bc7
SHA256c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149
SHA5120fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exeFilesize
3.4MB
MD59db7f8ba57214489f97c8c785b4c727c
SHA1968df2ab397063fcf6eb7720fa5ca24744230bc7
SHA256c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149
SHA5120fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exeFilesize
695KB
MD53c2aa77bd20b3ffb687f11e7c5bbea79
SHA16a9570c0c4b5e0fd6c5dd851f65cebc703bc580d
SHA2567b477658201bcd770c3a07b1854c8d7fbb2c5535bb238954bda931f599455c31
SHA512afc5ed38a82fee7fc72d4b6c1b87fac348d9409b7ca94b9cc0ad197b7fd55ed491a912377352fd5e0416344116d316cc123f7a043c52c7d6d98bd3917c1b6422
-
memory/3152-153-0x0000000004D00000-0x0000000004D92000-memory.dmpFilesize
584KB
-
memory/3152-152-0x00000000053E0000-0x0000000005984000-memory.dmpFilesize
5.6MB
-
memory/3152-156-0x0000000008040000-0x0000000008062000-memory.dmpFilesize
136KB
-
memory/3152-148-0x0000000000000000-mapping.dmp
-
memory/3152-154-0x0000000004CE0000-0x0000000004CEA000-memory.dmpFilesize
40KB
-
memory/3152-151-0x0000000000330000-0x0000000000338000-memory.dmpFilesize
32KB
-
memory/3208-158-0x0000000002F70000-0x0000000002FA6000-memory.dmpFilesize
216KB
-
memory/3208-162-0x0000000006770000-0x000000000678E000-memory.dmpFilesize
120KB
-
memory/3208-164-0x0000000006D80000-0x0000000006D9A000-memory.dmpFilesize
104KB
-
memory/3208-163-0x00000000080E0000-0x000000000875A000-memory.dmpFilesize
6.5MB
-
memory/3208-159-0x0000000005BB0000-0x00000000061D8000-memory.dmpFilesize
6.2MB
-
memory/3208-157-0x0000000000000000-mapping.dmp
-
memory/3208-160-0x0000000005A50000-0x0000000005AB6000-memory.dmpFilesize
408KB
-
memory/3208-161-0x00000000061E0000-0x0000000006246000-memory.dmpFilesize
408KB
-
memory/3312-193-0x0000000000000000-mapping.dmp
-
memory/4240-143-0x0000027EC3110000-0x0000027EC316C000-memory.dmpFilesize
368KB
-
memory/4240-144-0x00000000003A0000-0x0000000000BA3000-memory.dmpFilesize
8.0MB
-
memory/4240-155-0x00000000003A0000-0x0000000000BA3000-memory.dmpFilesize
8.0MB
-
memory/4240-141-0x00007FF9EB090000-0x00007FF9EB12E000-memory.dmpFilesize
632KB
-
memory/4240-132-0x0000000000000000-mapping.dmp
-
memory/4372-168-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/4372-166-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/4372-165-0x0000000000000000-mapping.dmp
-
memory/4372-169-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/4372-170-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/4372-171-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/4372-172-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/4372-194-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/4952-195-0x0000000000000000-mapping.dmp
-
memory/4968-145-0x0000000000000000-mapping.dmp
-
memory/5004-142-0x0000000000000000-mapping.dmp
-
memory/5088-146-0x0000000000000000-mapping.dmp