Overview

overview

10

Static

static

10

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    194s
  • max time network
    205s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2023 18:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    6KB

  • MD5

    679104fb0479ff61c4b5e4b88f77d94b

  • SHA1

    bfbcb5d48fb4ab25d52e4e1bedf37a4e7a4a3cab

  • SHA256

    4134bd82bbea78103d0e32728df856870eaa2c0188b59423115c7d779b2bf83a

  • SHA512

    7cb36200865267885939956614a7b8603cd16575a3857e0ecc238ff22d296b29bfb208bb11f61f3856278f6b4585afdb2c8456d2f2630f0fbc33fa298df0253e

  • SSDEEP

    192:zU3efq7iEM9gdH98dfQbLE5lF22vjWwID:Q3efq7iEM9gdH98dfgLE5lI2vjlI

Score
10/10
purecrypterdownloaderloader

Malware Config

Extracted

Family

purecrypter

C2

https://onedrive.live.com/download?cid=A113DD34A0D77810&resid=A113DD34A0D77810%21125&authkey=AIgE8y9D-kUp_qA

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2640-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2640-135-0x00000000025D0000-0x0000000002606000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2640-136-0x0000000004EA0000-0x00000000054C8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2640-137-0x00000000054D0000-0x0000000005536000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2640-138-0x0000000005540000-0x00000000055A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2640-139-0x0000000005BB0000-0x0000000005BCE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2640-140-0x0000000007210000-0x000000000788A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2640-141-0x0000000006060000-0x000000000607A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/5068-132-0x0000000000810000-0x0000000000818000-memory.dmp
    Filesize

    32KB

    Download
  • memory/5068-133-0x0000000006240000-0x0000000006262000-memory.dmp
    Filesize

    136KB

    Download