Analysis
- max time kernel: 43s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 01-02-2023 13:13

Static task: static1
Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220812-en (windows7-x64)
- 6 signatures
- 150 seconds
General
- Target: file.exe
- Size: 2.7MB
- MD5: 79f47ea1ffef2cbc356aaa87610d9168
- SHA1: 3dfa9f0128fbcb080f2dd22ccd5917d2d57d06be
- SHA256: 3d9599c4660790e2a9ec335ff9384efb10443eae67d22925697fd30d48f87414
- SHA512: 4330bc516693b647da60de7e109d811321e98164362ca495bd0f4402c3f42f7eb1fb265cdae685655b51ef837909c895281587ab4f9af987e9550ab495433cb6
- SSDEEP: 49152:X3VxHbk7Rv6msAP/RpWY23Y7MrKSmSejpe:Hbr/O/BO+SV
- Score: 10/10
Malware Config
Signatures

- Detect PureCrypter injector (1 IoC)
  Processes:
    resource                                                                    yara_rule
    behavioral1/memory/752-55-0x0000000004A00000-0x0000000004CA6000-memory.dmp  family_purecrypter

  PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes:
    pid   process          occurrences
    940   powershell.exe   1
    752   file.exe         10

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   752   file.exe
    Token: SeDebugPrivilege   940   powershell.exe

- Suspicious use of WriteProcessMemory (44 IoCs)
  Processes (each row was recorded 4 times; source is always PID 752 file.exe):
    description                  pid   process    target pid   target process   occurrences
    PID 752 wrote to memory of   752   file.exe   940          powershell.exe   4
    PID 752 wrote to memory of   752   file.exe   1020         file.exe         4
    PID 752 wrote to memory of   752   file.exe   1892         file.exe         4
    PID 752 wrote to memory of   752   file.exe   972          file.exe         4
    PID 752 wrote to memory of   752   file.exe   320          file.exe         4
    PID 752 wrote to memory of   752   file.exe   656          file.exe         4
    PID 752 wrote to memory of   752   file.exe   1872         file.exe         4
    PID 752 wrote to memory of   752   file.exe   1120         file.exe         4
    PID 752 wrote to memory of   752   file.exe   1496         file.exe         4
    PID 752 wrote to memory of   752   file.exe   1712         file.exe         4
    PID 752 wrote to memory of   752   file.exe   632          file.exe         4
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (PID 752, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 940, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    (the -ENC argument is base64 of the UTF-16LE string "start-sleep -seconds 35", i.e. a 35-second delay; the System32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to file system redirection)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\file.exe (depth 2), 10 instances with identical entries (target PIDs 1020, 1892, 972, 320, 656, 1872, 1120, 1496, 1712, 632 per the WriteProcessMemory signature)
    Command line: C:\Users\Admin\AppData\Local\Temp\file.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory dump                                                      filesize
  memory/752-54-0x0000000000340000-0x00000000005F8000-memory.dmp   2.7MB
  memory/752-55-0x0000000004A00000-0x0000000004CA6000-memory.dmp   2.6MB
  memory/752-56-0x0000000075D01000-0x0000000075D03000-memory.dmp   8KB
  memory/752-62-0x00000000050E0000-0x0000000005160000-memory.dmp   512KB
  memory/940-57-0x0000000000000000-mapping.dmp                     (mapping; no size listed)
  memory/940-59-0x000000006FD20000-0x00000000702CB000-memory.dmp   5.7MB
  memory/940-60-0x000000006FD20000-0x00000000702CB000-memory.dmp   5.7MB
  memory/940-61-0x000000006FD20000-0x00000000702CB000-memory.dmp   5.7MB