Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    31-01-2023 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    2.7MB

  • MD5

    79f47ea1ffef2cbc356aaa87610d9168

  • SHA1

    3dfa9f0128fbcb080f2dd22ccd5917d2d57d06be

  • SHA256

    3d9599c4660790e2a9ec335ff9384efb10443eae67d22925697fd30d48f87414

  • SHA512

    4330bc516693b647da60de7e109d811321e98164362ca495bd0f4402c3f42f7eb1fb265cdae685655b51ef837909c895281587ab4f9af987e9550ab495433cb6

  • SSDEEP

    49152:X3VxHbk7Rv6msAP/RpWY23Y7MrKSmSejpe:Hbr/O/BO+SV

Score
10/10
purecrypterdownloaderloader

Malware Config

Signatures

  • Detect PureCrypter injector 1 IoCs
    loader
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:888
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      C:\Users\Admin\AppData\Local\Temp\tmp.exe
      2⤵
        PID:1580
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        C:\Users\Admin\AppData\Local\Temp\tmp.exe
        2⤵
          PID:336
        • C:\Users\Admin\AppData\Local\Temp\tmp.exe
          C:\Users\Admin\AppData\Local\Temp\tmp.exe
          2⤵
            PID:360
          • C:\Users\Admin\AppData\Local\Temp\tmp.exe
            C:\Users\Admin\AppData\Local\Temp\tmp.exe
            2⤵
              PID:1816
            • C:\Users\Admin\AppData\Local\Temp\tmp.exe
              C:\Users\Admin\AppData\Local\Temp\tmp.exe
              2⤵
                PID:884
              • C:\Users\Admin\AppData\Local\Temp\tmp.exe
                C:\Users\Admin\AppData\Local\Temp\tmp.exe
                2⤵
                  PID:1368
                • C:\Users\Admin\AppData\Local\Temp\tmp.exe
                  C:\Users\Admin\AppData\Local\Temp\tmp.exe
                  2⤵
                    PID:2040
                  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
                    C:\Users\Admin\AppData\Local\Temp\tmp.exe
                    2⤵
                      PID:1060
                    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
                      C:\Users\Admin\AppData\Local\Temp\tmp.exe
                      2⤵
                        PID:1812
                      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
                        C:\Users\Admin\AppData\Local\Temp\tmp.exe
                        2⤵
                          PID:1544

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Privilege Escalation

                      Defense Evasion

                      Credential Access

                      Discovery

                      System Information Discovery

                      1
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/888-57-0x0000000000000000-mapping.dmp
                        Download
                      • memory/888-59-0x000000006FAA0000-0x000000007004B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/888-60-0x000000006FAA0000-0x000000007004B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/888-61-0x000000006FAA0000-0x000000007004B000-memory.dmp
                        Filesize

                        5.7MB

                        Download
                      • memory/2024-54-0x0000000000190000-0x0000000000448000-memory.dmp
                        Filesize

                        2.7MB

                        Download
                      • memory/2024-55-0x0000000004B00000-0x0000000004DA6000-memory.dmp
                        Filesize

                        2.6MB

                        Download
                      • memory/2024-56-0x00000000759F1000-0x00000000759F3000-memory.dmp
                        Filesize

                        8KB

                        Download
                      • memory/2024-62-0x00000000045D0000-0x0000000004650000-memory.dmp
                        Filesize

                        512KB

                        Download