purecrypter | c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97

Analysis

max time kernel
550s
max time network
553s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-02-2023 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation 202311025_PDF.scr
Size

24KB
MD5

f1ed9f09ea489162b2a5ef0c4d285503
SHA1

5e1b5599aef58f90e4ad3efa43661a1d7cc4ed6c
SHA256

c8007f5d3d8770320aa06642b4363f60d8caa0056507a6e1bf94dfb38b786f97
SHA512

4dfa6ad16b68bcc15362a93ef970bde290a654f67df507d8a3e8976ae45d38a4603184ad79fb7099de5fdaed637b8291022c3af3a374435428cc99512403252a
SSDEEP

384:iJg3aSz4PT02opvtOvt6Y4BwEapWNJR+:iW3Dl2oZU1ZdWNJR

Score

10^/10

purecrypter warzonerat downloader infostealer loader persistence rat

Malware Config

Extracted

Family

warzonerat

37.120.155.179:52920

Signatures

Detect PureCrypter injector 1 IoCs

loader

resource	yara_rule
behavioral1/memory/1504-56-0x0000000006130000-0x00000000063B0000-memory.dmp	family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qreoiutud = "\"C:\\Users\\Admin\\AppData\\Roaming\\Nqzrmbza\\Qreoiutud.exe\""	Quotation 202311025_PDF.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 1184	1504	Quotation 202311025_PDF.scr	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1288	ipconfig.exe
1072	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1764	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	Quotation 202311025_PDF.scr
Token: SeDebugPrivilege	1764	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1100	1504	Quotation 202311025_PDF.scr	28
PID 1504 wrote to memory of 1100	1504	Quotation 202311025_PDF.scr	28
PID 1504 wrote to memory of 1100	1504	Quotation 202311025_PDF.scr	28
PID 1504 wrote to memory of 1100	1504	Quotation 202311025_PDF.scr	28
PID 1100 wrote to memory of 1072	1100	cmd.exe	30
PID 1100 wrote to memory of 1072	1100	cmd.exe	30
PID 1100 wrote to memory of 1072	1100	cmd.exe	30
PID 1100 wrote to memory of 1072	1100	cmd.exe	30
PID 1504 wrote to memory of 1764	1504	Quotation 202311025_PDF.scr	31
PID 1504 wrote to memory of 1764	1504	Quotation 202311025_PDF.scr	31
PID 1504 wrote to memory of 1764	1504	Quotation 202311025_PDF.scr	31
PID 1504 wrote to memory of 1764	1504	Quotation 202311025_PDF.scr	31
PID 1504 wrote to memory of 1744	1504	Quotation 202311025_PDF.scr	33
PID 1504 wrote to memory of 1744	1504	Quotation 202311025_PDF.scr	33
PID 1504 wrote to memory of 1744	1504	Quotation 202311025_PDF.scr	33
PID 1504 wrote to memory of 1744	1504	Quotation 202311025_PDF.scr	33
PID 1744 wrote to memory of 1288	1744	cmd.exe	35
PID 1744 wrote to memory of 1288	1744	cmd.exe	35
PID 1744 wrote to memory of 1288	1744	cmd.exe	35
PID 1744 wrote to memory of 1288	1744	cmd.exe	35
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36
PID 1504 wrote to memory of 1184	1504	Quotation 202311025_PDF.scr	36

C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr
"C:\Users\Admin\AppData\Local\Temp\Quotation 202311025_PDF.scr" /S
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/release
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ipconfig/renew
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /renew
    3⤵
    - Gathers network information
    PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  2⤵
  PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-69-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1184-85-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1184-83-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1184-79-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1184-78-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1184-76-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1184-74-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1184-72-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1184-70-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/1504-68-0x0000000004EC0000-0x0000000004F12000-memory.dmp

Filesize
328KB

Download
memory/1504-54-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/1504-56-0x0000000006130000-0x00000000063B0000-memory.dmp

Filesize
2.5MB

Download
memory/1504-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1764-64-0x000000006EFB0000-0x000000006F55B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-63-0x000000006EFB0000-0x000000006F55B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-62-0x000000006EFB0000-0x000000006F55B000-memory.dmp

Filesize
5.7MB

Download