Malware Analysis Report

2025-05-05 23:32

Sample ID 230127-pz1absaf22
Target 7034c12131cc2e28fcf9235850a36b08e9983dce
SHA256 f00982603a693995cf32649df28ac390ce839638751f04d11517454466061785
Tags
purecrypter remcos 28282 downloader loader persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f00982603a693995cf32649df28ac390ce839638751f04d11517454466061785

Threat Level: Known bad

The file 7034c12131cc2e28fcf9235850a36b08e9983dce was found to be: Known bad.

Malicious Activity Summary

purecrypter remcos 28282 downloader loader persistence rat

Detect PureCrypter injector

PureCrypter

Remcos

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-27 12:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-27 12:46

Reported

2023-01-27 12:49

Platform

win7-20220812-en

Max time kernel

149s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"

Signatures

Detect PureCrypter injector

loader
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

PureCrypter

loader downloader purecrypter

Remcos

rat remcos

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Eesibjdz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gngrey\\Eesibjdz.exe\"" | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1284 set thread context of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1284 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 1284 wrote to memory of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

"C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Network

Country | Destination | Domain | Proto
N/A | 194.180.49.17:80 | 194.180.49.17 | tcp
N/A | 194.180.49.17:28282 | | tcp
N/A | 8.8.8.8:53 | geoplugin.net | udp
N/A | 178.237.33.50:80 | geoplugin.net | tcp

Files

memory/1284-54-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/1284-55-0x0000000075661000-0x0000000075663000-memory.dmp

memory/1284-56-0x0000000006410000-0x00000000066AC000-memory.dmp

memory/2020-57-0x0000000000000000-mapping.dmp

memory/2020-59-0x000000006F240000-0x000000006F7EB000-memory.dmp

memory/2020-60-0x000000006F240000-0x000000006F7EB000-memory.dmp

memory/2020-61-0x000000006F240000-0x000000006F7EB000-memory.dmp

memory/1284-62-0x00000000053C0000-0x0000000005440000-memory.dmp

memory/964-63-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-64-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-66-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-68-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-70-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-69-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-71-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-73-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-75-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-76-0x0000000000432C26-mapping.dmp

memory/964-79-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-80-0x0000000000400000-0x000000000047F000-memory.dmp

memory/964-81-0x0000000000400000-0x000000000047F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-27 12:46

Reported

2023-01-27 12:49

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eesibjdz = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gngrey\\Eesibjdz.exe\"" | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 976 set thread context of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 976 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe
PID 976 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe | C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

"C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

C:\Users\Admin\AppData\Local\Temp\7034c12131cc2e28fcf9235850a36b08e9983dce.exe

Network

Country | Destination | Domain | Proto
N/A | 209.197.3.8:80 | | tcp
N/A | 194.180.49.17:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 194.180.49.17:80 | | tcp
N/A | 104.46.162.224:443 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 104.80.225.205:443 | | tcp
N/A | 194.180.49.17:80 | 194.180.49.17 | tcp
N/A | 209.197.3.8:80 | | tcp
N/A | 194.180.49.17:28282 | | tcp
N/A | 8.8.8.8:53 | geoplugin.net | udp
N/A | 178.237.33.50:80 | geoplugin.net | tcp

Files

memory/976-132-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

memory/976-133-0x0000000006DC0000-0x0000000006DE2000-memory.dmp

memory/4232-134-0x0000000000000000-mapping.dmp

memory/4232-135-0x00000000028F0000-0x0000000002926000-memory.dmp

memory/4232-136-0x0000000005490000-0x0000000005AB8000-memory.dmp

memory/4232-137-0x0000000005400000-0x0000000005466000-memory.dmp

memory/4232-138-0x0000000005BF0000-0x0000000005C56000-memory.dmp

memory/4232-139-0x0000000006220000-0x000000000623E000-memory.dmp

memory/4232-140-0x0000000007A90000-0x000000000810A000-memory.dmp

memory/4232-141-0x0000000006700000-0x000000000671A000-memory.dmp

memory/976-142-0x0000000005FE0000-0x0000000006072000-memory.dmp

memory/976-143-0x0000000007CF0000-0x0000000008294000-memory.dmp

memory/4660-144-0x0000000000000000-mapping.dmp

memory/4660-145-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4660-146-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4660-147-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4660-148-0x0000000000400000-0x000000000047F000-memory.dmp

memory/4660-149-0x0000000000400000-0x000000000047F000-memory.dmp