Malware Analysis Report

2024-11-30 21:51

Sample ID: 230205-th1a8aaa77
Target: tmp
SHA256: dd218eb78e26587e43df5f00ff3ad87e23154c672615309a193a657323b62e20
Tags: purecrypter downloader loader
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: dd218eb78e26587e43df5f00ff3ad87e23154c672615309a193a657323b62e20

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader

Detect PureCrypter injector

PureCrypter

Checks computer location settings

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-02-05 16:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-05 16:04
Reported: 2023-02-05 16:06
Platform: win7-20221111-en
Max time kernel: 83s
Max time network: 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Detect PureCrypter injector

Tags: loader
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

PureCrypter

Tags: loader downloader purecrypter

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgA1AA==

(The -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 65, i.e. a 65-second delay before further activity.)

Network

Country | Destination | Domain | Proto
AT | 77.73.131.249:80 | 77.73.131.249 | tcp

Files

memory/940-54-0x000000013FD50000-0x0000000140056000-memory.dmp

memory/940-55-0x00000000201B0000-0x0000000020496000-memory.dmp

memory/580-56-0x0000000000000000-mapping.dmp

memory/580-57-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

memory/940-58-0x0000000002547000-0x0000000002566000-memory.dmp

memory/580-59-0x000007FEED340000-0x000007FEEDD63000-memory.dmp

memory/580-60-0x000007FEEC7E0000-0x000007FEED33D000-memory.dmp

memory/580-61-0x0000000002824000-0x0000000002827000-memory.dmp

memory/580-62-0x000000000282B000-0x000000000284A000-memory.dmp

memory/580-63-0x0000000002824000-0x0000000002827000-memory.dmp

memory/580-64-0x000000000282B000-0x000000000284A000-memory.dmp

memory/940-65-0x000000001BF00000-0x000000001BFD6000-memory.dmp

memory/940-66-0x000000001C090000-0x000000001C12B000-memory.dmp

memory/940-67-0x000000001C6F0000-0x000000001C788000-memory.dmp

memory/940-68-0x000000001D900000-0x000000001D9B4000-memory.dmp

memory/940-69-0x000000001BDF0000-0x000000001BE46000-memory.dmp

memory/940-70-0x000000001C1D0000-0x000000001C224000-memory.dmp

memory/940-71-0x000000001C650000-0x000000001C69C000-memory.dmp

memory/940-72-0x000000001C840000-0x000000001C894000-memory.dmp

memory/940-73-0x0000000002547000-0x0000000002566000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-05 16:04
Reported: 2023-02-05 16:06
Platform: win10v2004-20221111-en
Max time kernel: 91s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1620 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgA1AA==

(The -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 65, i.e. a 65-second delay before further activity.)

Network

Country | Destination | Domain | Proto
AT | 77.73.131.249:80 | 77.73.131.249 | tcp
AU | 104.46.162.226:443 | N/A | tcp
US | 93.184.221.240:80 | N/A | tcp
NL | 104.80.225.205:443 | N/A | tcp
US | 93.184.221.240:80 | N/A | tcp

Files

memory/1620-132-0x000001670E850000-0x000001670EB56000-memory.dmp

memory/1620-133-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

memory/1620-134-0x0000016710840000-0x0000016710862000-memory.dmp

memory/1732-135-0x0000000000000000-mapping.dmp

memory/1732-136-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

memory/1620-137-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

memory/1732-138-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

memory/1732-139-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

memory/1620-140-0x000001672A690000-0x000001672A72B000-memory.dmp

memory/1620-141-0x0000016729BAA000-0x0000016729BAF000-memory.dmp

memory/1620-142-0x00007FFBADDB0000-0x00007FFBAE871000-memory.dmp

memory/1620-143-0x0000016729BAA000-0x0000016729BAF000-memory.dmp