Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
20/01/2023, 14:11
Static task
static1
Behavioral task
behavioral1
Sample
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
Resource
win10v2004-20221111-en
General
-
Target
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe
-
Size
3.9MB
-
MD5
ecb41ffa4f12fbe99b2a53141ec9f240
-
SHA1
68c7c9a49c519319aba55bf686f2388ee782208d
-
SHA256
740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2
-
SHA512
1b4f1b2225663e986be31d3aabe1491d443eb192e9b34e0aec6c7146a01bd0d350b3f417fa68a41ee3645a367175de59ebf66165cd718e4f1529f7fa3c6b6e89
-
SSDEEP
98304:x8vnvI2bIjGMWwAQ1cdLr3AG3cLMgs7T9/7AwCYyLb+P:Ung2QGMIxLEGMLMlx/7Zcv+P
Malware Config
Extracted
purecrypter
https://atomm.com.br/.well-known/acme-challenge/bo/Xmwlki.dll
Extracted
vidar
1.9
811
https://t.me/travelticketshop
https://steamcommunity.com/profiles/76561199469016299
-
profile_id
811
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Executes dropped EXE 4 IoCs
pid Process 4240 bebra.exe 5088 sisterservice.exe 3152 aheaddecov.exe 4372 aheaddecov.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation aheaddecov.exe Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation aheaddecov.exe -
Loads dropped DLL 2 IoCs
pid Process 4372 aheaddecov.exe 4372 aheaddecov.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce sisterservice.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" sisterservice.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3152 set thread context of 4372 3152 aheaddecov.exe 99 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 aheaddecov.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString aheaddecov.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4952 timeout.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3208 powershell.exe 3208 powershell.exe 4372 aheaddecov.exe 4372 aheaddecov.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3152 aheaddecov.exe Token: SeDebugPrivilege 3208 powershell.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 5048 wrote to memory of 4240 5048 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe 81 PID 5048 wrote to memory of 4240 5048 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe 81 PID 4240 wrote to memory of 5004 4240 bebra.exe 83 PID 4240 wrote to memory of 5004 4240 bebra.exe 83 PID 5004 wrote to memory of 4968 5004 cmd.exe 85 PID 5004 wrote to memory of 4968 5004 cmd.exe 85 PID 5048 wrote to memory of 5088 5048 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe 86 PID 5048 wrote to memory of 5088 5048 740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe 86 PID 5088 wrote to memory of 3152 5088 sisterservice.exe 87 PID 5088 wrote to memory of 3152 5088 sisterservice.exe 87 PID 5088 wrote to memory of 3152 5088 sisterservice.exe 87 PID 3152 wrote to memory of 3208 3152 aheaddecov.exe 97 PID 3152 wrote to memory of 3208 3152 aheaddecov.exe 97 PID 3152 wrote to memory of 3208 3152 aheaddecov.exe 97 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 3152 wrote to memory of 4372 3152 aheaddecov.exe 99 PID 4372 wrote to memory of 3312 4372 aheaddecov.exe 100 PID 4372 wrote to memory of 3312 4372 aheaddecov.exe 100 PID 4372 wrote to memory of 3312 4372 aheaddecov.exe 100 PID 3312 wrote to memory of 4952 3312 cmd.exe 102 PID 3312 wrote to memory of 4952 3312 cmd.exe 102 PID 3312 wrote to memory of 4952 3312 cmd.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe"C:\Users\Admin\AppData\Local\Temp\740f7721beb9b54af9948a8b6876547e298891984275c68ad0d2ef421feb0ef2.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4240 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\RarSFX0\bebra.exe3⤵
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 04⤵PID:4968
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\sisterservice.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\aheaddecov.exe" & exit5⤵
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\timeout.exetimeout /t 66⤵
- Delays execution with timeout.exe
PID:4952
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
Filesize
429.2MB
MD5360cf1b802c90daa515330c1a9e89518
SHA1183a21881ce1618f77862dff05240d19d604bbdc
SHA2568db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5
SHA512bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c
-
Filesize
429.2MB
MD5360cf1b802c90daa515330c1a9e89518
SHA1183a21881ce1618f77862dff05240d19d604bbdc
SHA2568db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5
SHA512bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c
-
Filesize
429.2MB
MD5360cf1b802c90daa515330c1a9e89518
SHA1183a21881ce1618f77862dff05240d19d604bbdc
SHA2568db8e5c52bc6d502f1566f12525d3ec4d1f4ee60a52e8a9b6f4fdf35358d67e5
SHA512bcbcdd1d965d1dffc548c1c22011c154919b1fefd3d1a5b2379cd95807fa8de5c575b27512adc8fd97e8d8ce8587f3637eb3f4cd79a9063922c29de742c74d9c
-
Filesize
3.4MB
MD59db7f8ba57214489f97c8c785b4c727c
SHA1968df2ab397063fcf6eb7720fa5ca24744230bc7
SHA256c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149
SHA5120fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9
-
Filesize
3.4MB
MD59db7f8ba57214489f97c8c785b4c727c
SHA1968df2ab397063fcf6eb7720fa5ca24744230bc7
SHA256c9487cb734eaca9afb87d6f71614bdfca5f3f5e70568971391d53e369badf149
SHA5120fd530aeb633465bdffd134e4614ce9b3bbedd66537ce5edaeed93c2be00973029bd5f95c1a2733b192a2e9d18241af1cf9b5903a627af6012c8da22a40516c9
-
Filesize
695KB
MD53c2aa77bd20b3ffb687f11e7c5bbea79
SHA16a9570c0c4b5e0fd6c5dd851f65cebc703bc580d
SHA2567b477658201bcd770c3a07b1854c8d7fbb2c5535bb238954bda931f599455c31
SHA512afc5ed38a82fee7fc72d4b6c1b87fac348d9409b7ca94b9cc0ad197b7fd55ed491a912377352fd5e0416344116d316cc123f7a043c52c7d6d98bd3917c1b6422