Analysis
- max time kernel: 149s
- max time network: 140s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 27-01-2023 11:31
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe
  Resource: win10-20220812-en
General
- Target: 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe
- Size: 4.1MB
- MD5: e1668320cc4cade25d81b798190725c1
- SHA1: 2e260a1b3f1bcd26f00d8d6e850812c740b11d3b
- SHA256: 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c
- SHA512: 18060d1e3be8b139863e46b3e77dc5d7e8b7629f0768fbaa1e4090acef065d04f6108036369b7c4b8fff7d1fcd7b74093f787c5d05f15bab38e5a1c4ea7f2242
- SSDEEP: 98304:yAgqXSO7ZI0UxEcxtGya6JfjUV+2E3Szfj4bCBj4:yVqXTWxV7Jf6DbzrpB
Malware Config
Signatures
- Detect PureCrypter injector (1 IoC)
  PureCrypter is a .NET malware loader first seen in early 2021.
  resource: behavioral1/memory/2752-121-0x000000001CEF0000-0x000000001D30A000-memory.dmp
  yara_rule: family_purecrypter
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: icanhazip.com
  flow 12: ip-api.com
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process: 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 3784 powershell.exe (3 entries)
  pid 2752 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe (61 entries)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  pid 3784 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 2752 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe: SeDebugPrivilege
  pid 4548 msiexec.exe: SeSecurityPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2752 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each write is reported twice)
  PID 2752 (0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe) wrote to memory of 1952 (cmd.exe)
  PID 1952 (cmd.exe) wrote to memory of 3784 (powershell.exe)
  PID 2752 (0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe) wrote to memory of 4608 (cmd.exe)
  PID 4608 (cmd.exe) wrote to memory of 4848 (chcp.com)
  PID 4608 (cmd.exe) wrote to memory of 4252 (netsh.exe)
  PID 4608 (cmd.exe) wrote to memory of 3884 (findstr.exe)
  PID 2752 (0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe) wrote to memory of 5116 (cmd.exe)
  PID 5116 (cmd.exe) wrote to memory of 4532 (chcp.com)
  PID 5116 (cmd.exe) wrote to memory of 3548 (netsh.exe)
- outlook_office_path (1 IoC)
  Process: 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: 0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe
  Key opened: \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ef43bfbcf7566727359acd6ab88590c1cbcdd25c913e2ea8c111118493f8e7c.exe"
  signatures:
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
  children:
    - C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      (the -ENC argument is base64-encoded UTF-16LE and decodes to: set-mppreference -exclusionpath C:\ , i.e. a Defender exclusion for the entire C: drive)
      signatures:
        - Suspicious use of WriteProcessMemory
      children:
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          signatures:
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      signatures:
        - Suspicious use of WriteProcessMemory
      children:
        - C:\Windows\system32\chcp.com
          command line: chcp 65001
        - C:\Windows\system32\netsh.exe
          command line: netsh wlan show profile
        - C:\Windows\system32\findstr.exe
          command line: findstr All
    - C:\Windows\SYSTEM32\cmd.exe
      command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      signatures:
        - Suspicious use of WriteProcessMemory
      children:
        - C:\Windows\system32\chcp.com
          command line: chcp 65001
        - C:\Windows\system32\netsh.exe
          command line: netsh wlan show networks mode=bssid
- C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  signatures:
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
file                                                                 size
memory/1952-123-0x0000000000000000-mapping.dmp                       -
memory/2752-153-0x000000001D710000-0x000000001D8D0000-memory.dmp     1.8MB
memory/2752-171-0x000000001FEE0000-0x000000001FF90000-memory.dmp     704KB
memory/2752-121-0x000000001CEF0000-0x000000001D30A000-memory.dmp     4.1MB
memory/2752-124-0x000000001D510000-0x000000001D70C000-memory.dmp     2.0MB
memory/2752-120-0x0000000000C90000-0x00000000010A8000-memory.dmp     4.1MB
memory/2752-170-0x000000001FDA0000-0x000000001FE1A000-memory.dmp     488KB
memory/2752-122-0x0000000001A10000-0x0000000001A32000-memory.dmp     136KB
memory/2752-155-0x000000001D50A000-0x000000001D50F000-memory.dmp     20KB
memory/2752-137-0x000000001FA60000-0x000000001FC1C000-memory.dmp     1.7MB
memory/2752-172-0x0000000020A00000-0x0000000020A82000-memory.dmp     520KB
memory/3548-169-0x0000000000000000-mapping.dmp                       -
memory/3784-132-0x0000017DB2680000-0x0000017DB26F6000-memory.dmp     472KB
memory/3784-125-0x0000000000000000-mapping.dmp                       -
memory/3884-164-0x0000000000000000-mapping.dmp                       -
memory/4252-163-0x0000000000000000-mapping.dmp                       -
memory/4532-168-0x0000000000000000-mapping.dmp                       -
memory/4608-161-0x0000000000000000-mapping.dmp                       -
memory/4848-162-0x0000000000000000-mapping.dmp                       -
memory/5116-167-0x0000000000000000-mapping.dmp                       -