purecrypter | hxxps://drive[.]google[.]com/uc?export=download&confirm=no_antivirus&id=1-ET3snlA2cVkSmeBv30QBVPVX_3XeYYu

Analysis

max time kernel
296s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1-ET3snlA2cVkSmeBv30QBVPVX_3XeYYu

Score

10^/10

purecrypter discovery downloader loader persistence

Malware Config

Extracted

Family

purecrypter

https://knickglobal.com/wp-admin/images/css/design/fabric/bo/Odcny.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

171 1556 rundll32.exe
184 3620 rundll32.exe

flow	pid	process
171	1556	rundll32.exe
184	3620	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\setup_ov2\ImagePath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\setup_ov2.exe"	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup_ov2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	setup_ov2.exe

Executes dropped EXE 5 IoCs

Processes:

setup_ov2.exesetup_ov2.exesetup_ov2.exesetup_ov2.exesetup_ov2.exe

pid process

1872 setup_ov2.exe
2916 setup_ov2.exe
5040 setup_ov2.exe
4880 setup_ov2.exe
3112 setup_ov2.exe

pid	process
1872	setup_ov2.exe
2916	setup_ov2.exe
5040	setup_ov2.exe
4880	setup_ov2.exe
3112	setup_ov2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CRM_chat_laucnher.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	CRM_chat_laucnher.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	CRM_chat_laucnher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

setup_ov2.exesetup_ov2.exe

description	pid	process	target process
PID 1872 set thread context of 3112	1872	setup_ov2.exe	setup_ov2.exe
PID 3112 set thread context of 3620	3112	setup_ov2.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 51 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup_ov2.exerundll32.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	setup_ov2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup_ov2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup_ov2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	setup_ov2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	setup_ov2.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	setup_ov2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup_ov2.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\CRM_chat.zip:Zone.Identifier firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\CRM_chat.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exesetup_ov2.exepowershell.exerundll32.exe

pid	process
2832	powershell.exe
2832	powershell.exe
1872	setup_ov2.exe
1872	setup_ov2.exe
1872	setup_ov2.exe
1872	setup_ov2.exe
4068	powershell.exe
1872	setup_ov2.exe
1872	setup_ov2.exe
4068	powershell.exe
3620	rundll32.exe
3620	rundll32.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

firefox.exesetup_ov2.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	1872	setup_ov2.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	4360	firefox.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	4360	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exerundll32.exe

pid process

4360 firefox.exe
4360 firefox.exe
4360 firefox.exe
4360 firefox.exe
3620 rundll32.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4360 firefox.exe
4360 firefox.exe
4360 firefox.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

firefox.exeCRM_chat_laucnher.exesetup_ov2.exe

pid process

4360 firefox.exe
4360 firefox.exe
4360 firefox.exe
4360 firefox.exe
1456 CRM_chat_laucnher.exe
3112 setup_ov2.exe

pid	process
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
3620	rundll32.exe

pid	process
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe

pid	process
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
4360	firefox.exe
1456	CRM_chat_laucnher.exe
3112	setup_ov2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 1364 wrote to memory of 4360	1364	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2404	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2404	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 3900	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe
PID 4360 wrote to memory of 2852	4360	firefox.exe	firefox.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1-ET3snlA2cVkSmeBv30QBVPVX_3XeYYu
1⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://drive.google.com/uc?export=download&confirm=no_antivirus&id=1-ET3snlA2cVkSmeBv30QBVPVX_3XeYYu
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4360.0.1409802371\238195903" -parentBuildID 20200403170909 -prefsHandle 1692 -prefMapHandle 1684 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4360 "\\.\pipe\gecko-crash-server-pipe.4360" 1772 gpu
3⤵
PID:2404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4360.3.513534717\113125107" -childID 1 -isForBrowser -prefsHandle 2236 -prefMapHandle 2324 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4360 "\\.\pipe\gecko-crash-server-pipe.4360" 2484 tab
3⤵
PID:3900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4360.13.1613376710\1421321451" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3500 -prefsLen 6894 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4360 "\\.\pipe\gecko-crash-server-pipe.4360" 3492 tab
3⤵
PID:2852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Users\Admin\Desktop\New folder\CRM_chat\CRM_chat\CRM_chat_laucnher.exe
"C:\Users\Admin\Desktop\New folder\CRM_chat\CRM_chat\CRM_chat_laucnher.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
3⤵
PID:3736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
3⤵
- Executes dropped EXE
PID:2916

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
3⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
3⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3112

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Blocklisted process makes network request
PID:1556

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
- Blocklisted process makes network request
- Sets service image path in registry
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3620

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
1⤵
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
2⤵
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
1a4f76fd79ce646da703bfc945acbbc2

SHA1
35562f6514c74ff66e463866d88a1bc542ed6f43

SHA256
1b78283ed34e4e839861b3fde9d8c1da930ea17490a62d96d83dcad44af9a878

SHA512
1c00933245414702ea9299ca489fabc6bd5ce6fea6e195adac0f289b96c27caea29a7bcdaf8c4de1493662a9a182c24d837d47e470dae70ee88ae928ff0edcad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
362.4MB

MD5
6c14c4def456320e26c2ea5f2886e3a4

SHA1
530f9425a6b3d8e78a035e11efb4be27d2bcacf4

SHA256
8ff1b246e839bb692cb41ae3c09b7048a361eef6ebd6b2316b4d3ea8e3b78afa

SHA512
63ef77b2f31e596916e574ae0c77a0dcc62f09753753e7299f4abc070dc32f7be07115c8da11868f165cb181e8681351524875e049ba5be2a1ab2c68e83ac5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup_ov2.exe
Filesize
30.2MB

MD5
72b9b08c9c4f6b8e97556eedbc8e2c88

SHA1
d95c0411b6e6740b00f8f4e6745f8bce40c8796e

SHA256
cc59aa5658f275ed0886605c0cafc3ed48ce36d8d6d6acbb981cde1e9a1b4544

SHA512
a7cbcabb6339026560ed809ccba9d8a4e70b80a1ac14546f9f99f719a19b2294828af0dea6cb9a2b8a07d34393035cb89c9eba35b8e1daefe3ff42c44eeef5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tperiuiu.tmp
Filesize
3.5MB

MD5
552c24c5983c8624f49cedd2695b43d7

SHA1
f86503b92829adf9c262172690000f06171ee253

SHA256
30d0e2421c18b22ff2d9128f0607043650a33f3ad7ac8d9a52578b914d4ad1f3

SHA512
986528217392730a66440fbef5a90dad4f2982445b7a2a8f15a8d73cc607633af0ec1b665101d2eddb3764fc9e53e625008d6bf1ec89d7bf54b9aa9de583ec62

Download Submit
memory/1556-168-0x0000000000000000-mapping.dmp

Download
memory/1872-136-0x0000000008290000-0x00000000082B2000-memory.dmp

Filesize
136KB

Download
memory/1872-135-0x0000000000F30000-0x0000000000F3C000-memory.dmp

Filesize
48KB

Download
memory/1872-132-0x0000000000000000-mapping.dmp

Download
memory/2832-138-0x0000000002540000-0x0000000002576000-memory.dmp

Filesize
216KB

Download
memory/2832-144-0x0000000006390000-0x00000000063AA000-memory.dmp

Filesize
104KB

Download
memory/2832-143-0x0000000007560000-0x0000000007BDA000-memory.dmp

Filesize
6.5MB

Download
memory/2832-142-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/2832-141-0x0000000005860000-0x00000000058C6000-memory.dmp

Filesize
408KB

Download
memory/2832-140-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/2832-139-0x0000000005150000-0x0000000005778000-memory.dmp

Filesize
6.2MB

Download
memory/2832-137-0x0000000000000000-mapping.dmp

Download
memory/2916-148-0x0000000000000000-mapping.dmp

Download
memory/3112-181-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/3112-188-0x000000000068B000-0x0000000000691000-memory.dmp

Filesize
24KB

Download
memory/3112-158-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3112-159-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3112-161-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3112-154-0x0000000000000000-mapping.dmp

Download
memory/3112-164-0x000000000068B000-0x0000000000691000-memory.dmp

Filesize
24KB

Download
memory/3112-163-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3112-197-0x00000000038A0000-0x00000000043F9000-memory.dmp

Filesize
11.3MB

Download
memory/3112-156-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3112-187-0x0000000000400000-0x00000000006DB000-memory.dmp

Filesize
2.9MB

Download
memory/3112-184-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/3112-185-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/3112-183-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/3112-182-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/3112-180-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/3112-179-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/3112-178-0x0000000004600000-0x0000000004740000-memory.dmp

Filesize
1.2MB

Download
memory/3112-175-0x00000000038A0000-0x00000000043F9000-memory.dmp

Filesize
11.3MB

Download
memory/3112-176-0x00000000038A0000-0x00000000043F9000-memory.dmp

Filesize
11.3MB

Download
memory/3112-177-0x00000000038A0000-0x00000000043F9000-memory.dmp

Filesize
11.3MB

Download
memory/3620-189-0x0000000003270000-0x0000000003DC9000-memory.dmp

Filesize
11.3MB

Download
memory/3620-195-0x0000000003F10000-0x0000000004050000-memory.dmp

Filesize
1.2MB

Download
memory/3620-194-0x0000000003F10000-0x0000000004050000-memory.dmp

Filesize
1.2MB

Download
memory/3620-193-0x0000000003270000-0x0000000003DC9000-memory.dmp

Filesize
11.3MB

Download
memory/3620-192-0x0000000000E00000-0x0000000001839000-memory.dmp

Filesize
10.2MB

Download
memory/3620-191-0x0000000003F10000-0x0000000004050000-memory.dmp

Filesize
1.2MB

Download
memory/3620-186-0x0000000000000000-mapping.dmp

Download
memory/3620-190-0x0000000003F10000-0x0000000004050000-memory.dmp

Filesize
1.2MB

Download
memory/3736-145-0x0000000000000000-mapping.dmp

Download
memory/3912-198-0x0000000000000000-mapping.dmp

Download
memory/4068-170-0x00000000078C0000-0x0000000007956000-memory.dmp

Filesize
600KB

Download
memory/4068-166-0x0000000071E30000-0x0000000071E7C000-memory.dmp

Filesize
304KB

Download
memory/4068-167-0x00000000071B0000-0x00000000071CE000-memory.dmp

Filesize
120KB

Download
memory/4068-169-0x0000000007670000-0x000000000767A000-memory.dmp

Filesize
40KB

Download
memory/4068-174-0x00000000078A0000-0x00000000078A8000-memory.dmp

Filesize
32KB

Download
memory/4068-171-0x0000000007800000-0x000000000780E000-memory.dmp

Filesize
56KB

Download
memory/4068-146-0x0000000000000000-mapping.dmp

Download
memory/4068-172-0x0000000007960000-0x000000000797A000-memory.dmp

Filesize
104KB

Download
memory/4068-165-0x00000000071F0000-0x0000000007222000-memory.dmp

Filesize
200KB

Download
memory/4880-152-0x0000000000000000-mapping.dmp

Download
memory/5040-150-0x0000000000000000-mapping.dmp

Download