Analysis
-
max time kernel
27s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system -
submitted
06-02-2023 07:25
Behavioral task
behavioral1
Sample
0x000400000001e68a-147.exe
Resource
win7-20221111-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
0x000400000001e68a-147.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
3 signatures
150 seconds
General
-
Target
0x000400000001e68a-147.exe
-
Size
24KB
-
MD5
7d046ce10b24412f4506c433cfe0747d
-
SHA1
5a96afd11e493c5eddd1f335e7228868d666c787
-
SHA256
abccee4556d532981bd1a3a36b92e9563c880eb93517ba677417741dbafe302a
-
SHA512
03e78a3113526b6fd29e8379390c01b0fd6407aa55b96ffce331b2da780305bc43710a92649b3db617d2a26186db663f2816f8e47bb3955257625971d751d4f9
-
SSDEEP
96:Mmc26NAcJs979+IlucMLG0eRJNlCWonD8JNQmkTKNiRB4e3T3eNo005brzNt:MfJ3IkIQLGLXaWtYTKrj+J
Score
10/10
Malware Config
Extracted
Family
purecrypter
C2
http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Program crash 1 IoCs
pid    pid_target    Process         procid_target
1044   2020          WerFault.exe    26
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description                 pid    Process
Token: SeDebugPrivilege     2020   0x000400000001e68a-147.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                          pid    Process                       procid_target
PID 2020 wrote to memory of 1044     2020   0x000400000001e68a-147.exe    27
PID 2020 wrote to memory of 1044     2020   0x000400000001e68a-147.exe    27
PID 2020 wrote to memory of 1044     2020   0x000400000001e68a-147.exe    27
PID 2020 wrote to memory of 1044     2020   0x000400000001e68a-147.exe    27
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000400000001e68a-147.exe
  "C:\Users\Admin\AppData\Local\Temp\0x000400000001e68a-147.exe"
  PID: 2020
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1196
    PID: 1044
    - Program crash
-
Network
-
Remote address: 8.8.8.8:53
Request
modeloartesanatos.com.br IN A
Response
modeloartesanatos.com.br IN A 186.202.153.7
-
Remote address: 186.202.153.7:80
Request
GET /wp-admin/images/Zqchb.bmp HTTP/1.1
Host: modeloartesanatos.com.br
Connection: Keep-Alive
Response
HTTP/1.1 404 Not Found
Server: Apache
Vary: accept-language,accept-charset
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Cache-Control: No-Cache
Pragma: no-cache
X-Varnish: 38814181 36202847
Age: 4
Via: 1.1 varnish-v4
Content-Length: 1013
Connection: keep-alive
-
Remote address: 186.202.153.7:80
Request
GET /wp-admin/images/Zqchb.bmp HTTP/1.1
Host: modeloartesanatos.com.br
Response
HTTP/1.1 404 Not Found
Server: Apache
Vary: accept-language,accept-charset
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Cache-Control: No-Cache
Pragma: no-cache
X-Varnish: 39977546 36202847
Age: 5
Via: 1.1 varnish-v4
Content-Length: 1013
Connection: keep-alive
-
Remote address: 186.202.153.7:80
Request
GET /wp-admin/images/Zqchb.bmp HTTP/1.1
Host: modeloartesanatos.com.br
Response
HTTP/1.1 404 Not Found
Server: Apache
Vary: accept-language,accept-charset
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Cache-Control: No-Cache
Pragma: no-cache
X-Varnish: 39621034 36202847
Age: 5
Via: 1.1 varnish-v4
Content-Length: 1013
Connection: keep-alive
-
Remote address: 186.202.153.7:80
Request
GET /wp-admin/images/Zqchb.bmp HTTP/1.1
Host: modeloartesanatos.com.br
Response
HTTP/1.1 404 Not Found
Server: Apache
Vary: accept-language,accept-charset
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Cache-Control: No-Cache
Pragma: no-cache
X-Varnish: 38814183 36202847
Age: 6
Via: 1.1 varnish-v4
Content-Length: 1013
Connection: keep-alive
-
Remote address: 186.202.153.7:80
Request
GET /wp-admin/images/Zqchb.bmp HTTP/1.1
Host: modeloartesanatos.com.br
Response
HTTP/1.1 404 Not Found
Server: Apache
Vary: accept-language,accept-charset
Content-Type: text/html; charset=iso-8859-1
Content-Language: en
Cache-Control: No-Cache
Pragma: no-cache
X-Varnish: 39977548 36202847
Age: 6
Via: 1.1 varnish-v4
Content-Length: 1013
Connection: keep-alive
-
186.202.153.7:80  http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp  http  0x000400000001e68a-147.exe  335 B  2.9kB  5  5
HTTP Request
GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
HTTP Response
404
-
186.202.153.7:80  http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp  http  0x000400000001e68a-147.exe  311 B  2.9kB  5  5
HTTP Request
GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
HTTP Response
404
-
186.202.153.7:80  http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp  http  0x000400000001e68a-147.exe  357 B  2.9kB  6  5
HTTP Request
GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
HTTP Response
404
-
186.202.153.7:80  http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp  http  0x000400000001e68a-147.exe  311 B  2.9kB  5  5
HTTP Request
GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
HTTP Response
404
-
186.202.153.7:80  http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp  http  0x000400000001e68a-147.exe  357 B  2.9kB  6  5
HTTP Request
GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
HTTP Response
404