Analysis
-
max time kernel
42s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
02-02-2023 10:50
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20221111-en
General
-
Target
tmp.exe
-
Size
6KB
-
MD5
48a13c217c965ed66e5d6c018b89217b
-
SHA1
2d8b62d02c73e7e2fc367fc64b51350564c7acb4
-
SHA256
8650dcaece1489d98b7f6782ae638de33797f2a1018f949ec270054f0893aea0
-
SHA512
b0e5556ad36a74ddfbbbfcd94f04635a614bc70d159aaab8fb540ecd0d823e14c2ed8687b95943cd992b434c37c9bfaa04db79c62f9d654b85616f45d275802a
-
SSDEEP
96:4rs7rOMGPGDupbGL7g8y23I6mUUWH78kVl6l2xzNt:oKrsPGDupKL7nNhVlk2T
Malware Config
Extracted
purecrypter
https://onedrive.live.com/download?cid=A113DD34A0D77810&resid=A113DD34A0D77810%21121&authkey=APUVM8ZXD6Jpjd0
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1720 1968 WerFault.exe tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmp.exedescription pid process Token: SeDebugPrivilege 1968 tmp.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
tmp.exedescription pid process target process PID 1968 wrote to memory of 1720 1968 tmp.exe WerFault.exe PID 1968 wrote to memory of 1720 1968 tmp.exe WerFault.exe PID 1968 wrote to memory of 1720 1968 tmp.exe WerFault.exe PID 1968 wrote to memory of 1720 1968 tmp.exe WerFault.exe