purecrypter | 8650dcaece1489d98b7f6782ae638de33797f2a1018f949ec270054f0893aea0 | Triage

Analysis

max time kernel
28s
max time network
133s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 07:07

Sharing

Report Analysis Logs

General

Target

48a13c217c965ed66e5d6c018b89217b.exe
Size

6KB
MD5

48a13c217c965ed66e5d6c018b89217b
SHA1

2d8b62d02c73e7e2fc367fc64b51350564c7acb4
SHA256

8650dcaece1489d98b7f6782ae638de33797f2a1018f949ec270054f0893aea0
SHA512

b0e5556ad36a74ddfbbbfcd94f04635a614bc70d159aaab8fb540ecd0d823e14c2ed8687b95943cd992b434c37c9bfaa04db79c62f9d654b85616f45d275802a
SSDEEP

96:4rs7rOMGPGDupbGL7g8y23I6mUUWH78kVl6l2xzNt:oKrsPGDupKL7nNhVlk2T

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

C2

https://onedrive.live.com/download?cid=A113DD34A0D77810&resid=A113DD34A0D77810%21121&authkey=APUVM8ZXD6Jpjd0

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1356 2024 WerFault.exe 48a13c217c965ed66e5d6c018b89217b.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

48a13c217c965ed66e5d6c018b89217b.exe

description pid process

Token: SeDebugPrivilege 2024 48a13c217c965ed66e5d6c018b89217b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

48a13c217c965ed66e5d6c018b89217b.exe

description	pid	process	target process
PID 2024 wrote to memory of 1356	2024	48a13c217c965ed66e5d6c018b89217b.exe	WerFault.exe
PID 2024 wrote to memory of 1356	2024	48a13c217c965ed66e5d6c018b89217b.exe	WerFault.exe
PID 2024 wrote to memory of 1356	2024	48a13c217c965ed66e5d6c018b89217b.exe	WerFault.exe
PID 2024 wrote to memory of 1356	2024	48a13c217c965ed66e5d6c018b89217b.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\48a13c217c965ed66e5d6c018b89217b.exe
"C:\Users\Admin\AppData\Local\Temp\48a13c217c965ed66e5d6c018b89217b.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1736
2⤵
- Program crash
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-56-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x00000000011F0000-0x00000000011F8000-memory.dmp

Filesize
32KB

Download
memory/2024-55-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download