Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2023 14:31

General

  • Target

    Kzzexzgao.exe

  • Size

    6KB

  • MD5

    57fef8f1f5588749972ca86427a84ac2

  • SHA1

    f02eeb37ab23baef39a9c473c0d140778eb89cd5

  • SHA256

    940962a877f581558d30c735c4bc00fc43f46aea046ead732611a6647bcb19ae

  • SHA512

    930b61e0f825afc2e8f05ec2937759cbfbfbcc9fea95a3d3da8f0967072761e2d1f8e93b47e171524aa2282e32048bc8a85e3ac524bcac6e2a8e15c020e9e074

  • SSDEEP

    96:y84Z26fM8osEEa79lbJWFPATRyUoSRCQ1tAkA3wzNt:qbZo7+PgUDi/4S

Malware Config

Extracted

Family

purecrypter

C2

https://cdn.discordapp.com/attachments/1069503522103644191/1069548449265098822/Tnqrgaadbre.dat

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Kzzexzgao.exe
    "C:\Users\Admin\AppData\Local\Temp\Kzzexzgao.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1660
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 1972
      2⤵
      • Program crash
      PID:1052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1660 -ip 1660
    1⤵
      PID:1252

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1660-132-0x0000000000CB0000-0x0000000000CB8000-memory.dmp
      Filesize

      32KB