Analysis Overview
SHA256
dd218eb78e26587e43df5f00ff3ad87e23154c672615309a193a657323b62e20
Threat Level: Known bad
The file tmp was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter injector
PureCrypter
Checks computer location settings
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-05 16:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-05 16:04
Reported
2023-02-05 16:06
Platform
win7-20221111-en
Max time kernel
83s
Max time network
33s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 940 wrote to memory of 580 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 940 wrote to memory of 580 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 940 wrote to memory of 580 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgA1AA==
Network
| Country | Destination | Domain | Proto |
| AT | 77.73.131.249:80 | 77.73.131.249 | tcp |
Files
memory/940-54-0x000000013FD50000-0x0000000140056000-memory.dmp
memory/940-55-0x00000000201B0000-0x0000000020496000-memory.dmp
memory/580-56-0x0000000000000000-mapping.dmp
memory/580-57-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
memory/940-58-0x0000000002547000-0x0000000002566000-memory.dmp
memory/580-59-0x000007FEED340000-0x000007FEEDD63000-memory.dmp
memory/580-60-0x000007FEEC7E0000-0x000007FEED33D000-memory.dmp
memory/580-61-0x0000000002824000-0x0000000002827000-memory.dmp
memory/580-62-0x000000000282B000-0x000000000284A000-memory.dmp
memory/580-63-0x0000000002824000-0x0000000002827000-memory.dmp
memory/580-64-0x000000000282B000-0x000000000284A000-memory.dmp
memory/940-65-0x000000001BF00000-0x000000001BFD6000-memory.dmp
memory/940-66-0x000000001C090000-0x000000001C12B000-memory.dmp
memory/940-67-0x000000001C6F0000-0x000000001C788000-memory.dmp
memory/940-68-0x000000001D900000-0x000000001D9B4000-memory.dmp
memory/940-69-0x000000001BDF0000-0x000000001BE46000-memory.dmp
memory/940-70-0x000000001C1D0000-0x000000001C224000-memory.dmp
memory/940-71-0x000000001C650000-0x000000001C69C000-memory.dmp
memory/940-72-0x000000001C840000-0x000000001C894000-memory.dmp
memory/940-73-0x0000000002547000-0x0000000002566000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-05 16:04
Reported
2023-02-05 16:06
Platform
win10v2004-20221111-en
Max time kernel
91s
Max time network
128s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1620 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1620 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgA1AA==
Network
| Country | Destination | Domain | Proto |
| AT | 77.73.131.249:80 | 77.73.131.249 | tcp |
| AU | 104.46.162.226:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
| NL | 104.80.225.205:443 | N/A | tcp |
| US | 93.184.221.240:80 | N/A | tcp |
Files
memory/1620-132-0x000001670E850000-0x000001670EB56000-memory.dmp
memory/1620-133-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp
memory/1620-134-0x0000016710840000-0x0000016710862000-memory.dmp
memory/1732-135-0x0000000000000000-mapping.dmp
memory/1732-136-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp
memory/1620-137-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp
memory/1732-138-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp
memory/1732-139-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp
memory/1620-140-0x000001672A690000-0x000001672A72B000-memory.dmp
memory/1620-141-0x0000016729BAA000-0x0000016729BAF000-memory.dmp
memory/1620-142-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp
memory/1620-143-0x0000016729BAA000-0x0000016729BAF000-memory.dmp