Analysis

  • max time kernel
    27s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    06-02-2023 07:25

General

  • Target

    0x000400000001e68a-147.exe

  • Size

    24KB

  • MD5

    7d046ce10b24412f4506c433cfe0747d

  • SHA1

    5a96afd11e493c5eddd1f335e7228868d666c787

  • SHA256

    abccee4556d532981bd1a3a36b92e9563c880eb93517ba677417741dbafe302a

  • SHA512

    03e78a3113526b6fd29e8379390c01b0fd6407aa55b96ffce331b2da780305bc43710a92649b3db617d2a26186db663f2816f8e47bb3955257625971d751d4f9

  • SSDEEP

    96:Mmc26NAcJs979+IlucMLG0eRJNlCWonD8JNQmkTKNiRB4e3T3eNo005brzNt:MfJ3IkIQLGLXaWtYTKrj+J

Malware Config

Extracted

Family

purecrypter

C2

http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000400000001e68a-147.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000400000001e68a-147.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2020
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1196
      2⤵
      • Program crash
      PID:1044

Network

  • flag-us
    DNS
    modeloartesanatos.com.br
    0x000400000001e68a-147.exe
    Remote address:
    8.8.8.8:53
    Request
    modeloartesanatos.com.br
    IN A
    Response
    modeloartesanatos.com.br
    IN A
    186.202.153.7
  • flag-br
    GET
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    0x000400000001e68a-147.exe
    Remote address:
    186.202.153.7:80
    Request
    GET /wp-admin/images/Zqchb.bmp HTTP/1.1
    Host: modeloartesanatos.com.br
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 06 Feb 2023 07:22:31 GMT
    Server: Apache
    Vary: accept-language,accept-charset
    Content-Type: text/html; charset=iso-8859-1
    Content-Language: en
    Cache-Control: No-Cache
    Pragma: no-cache
    X-Varnish: 38814181 36202847
    Age: 4
    Via: 1.1 varnish-v4
    Content-Length: 1013
    Connection: keep-alive
  • flag-br
    GET
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    0x000400000001e68a-147.exe
    Remote address:
    186.202.153.7:80
    Request
    GET /wp-admin/images/Zqchb.bmp HTTP/1.1
    Host: modeloartesanatos.com.br
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 06 Feb 2023 07:22:31 GMT
    Server: Apache
    Vary: accept-language,accept-charset
    Content-Type: text/html; charset=iso-8859-1
    Content-Language: en
    Cache-Control: No-Cache
    Pragma: no-cache
    X-Varnish: 39977546 36202847
    Age: 5
    Via: 1.1 varnish-v4
    Content-Length: 1013
    Connection: keep-alive
  • flag-br
    GET
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    0x000400000001e68a-147.exe
    Remote address:
    186.202.153.7:80
    Request
    GET /wp-admin/images/Zqchb.bmp HTTP/1.1
    Host: modeloartesanatos.com.br
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 06 Feb 2023 07:22:31 GMT
    Server: Apache
    Vary: accept-language,accept-charset
    Content-Type: text/html; charset=iso-8859-1
    Content-Language: en
    Cache-Control: No-Cache
    Pragma: no-cache
    X-Varnish: 39621034 36202847
    Age: 5
    Via: 1.1 varnish-v4
    Content-Length: 1013
    Connection: keep-alive
  • flag-br
    GET
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    0x000400000001e68a-147.exe
    Remote address:
    186.202.153.7:80
    Request
    GET /wp-admin/images/Zqchb.bmp HTTP/1.1
    Host: modeloartesanatos.com.br
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 06 Feb 2023 07:22:31 GMT
    Server: Apache
    Vary: accept-language,accept-charset
    Content-Type: text/html; charset=iso-8859-1
    Content-Language: en
    Cache-Control: No-Cache
    Pragma: no-cache
    X-Varnish: 38814183 36202847
    Age: 6
    Via: 1.1 varnish-v4
    Content-Length: 1013
    Connection: keep-alive
  • flag-br
    GET
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    0x000400000001e68a-147.exe
    Remote address:
    186.202.153.7:80
    Request
    GET /wp-admin/images/Zqchb.bmp HTTP/1.1
    Host: modeloartesanatos.com.br
    Response
    HTTP/1.1 404 Not Found
    Date: Mon, 06 Feb 2023 07:22:31 GMT
    Server: Apache
    Vary: accept-language,accept-charset
    Content-Type: text/html; charset=iso-8859-1
    Content-Language: en
    Cache-Control: No-Cache
    Pragma: no-cache
    X-Varnish: 39977548 36202847
    Age: 6
    Via: 1.1 varnish-v4
    Content-Length: 1013
    Connection: keep-alive
  • 186.202.153.7:80
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    http
    0x000400000001e68a-147.exe
    335 B
    2.9kB
    5
    5

    HTTP Request

    GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp

    HTTP Response

    404
  • 186.202.153.7:80
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    http
    0x000400000001e68a-147.exe
    311 B
    2.9kB
    5
    5

    HTTP Request

    GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp

    HTTP Response

    404
  • 186.202.153.7:80
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    http
    0x000400000001e68a-147.exe
    357 B
    2.9kB
    6
    5

    HTTP Request

    GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp

    HTTP Response

    404
  • 186.202.153.7:80
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    http
    0x000400000001e68a-147.exe
    311 B
    2.9kB
    5
    5

    HTTP Request

    GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp

    HTTP Response

    404
  • 186.202.153.7:80
    http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp
    http
    0x000400000001e68a-147.exe
    357 B
    2.9kB
    6
    5

    HTTP Request

    GET http://modeloartesanatos.com.br/wp-admin/images/Zqchb.bmp

    HTTP Response

    404
  • 8.8.8.8:53
    modeloartesanatos.com.br
    dns
    0x000400000001e68a-147.exe
    70 B
    86 B
    1
    1

    DNS Request

    modeloartesanatos.com.br

    DNS Response

    186.202.153.7

MITRE ATT&CK Matrix

Downloads

  • memory/2020-54-0x0000000000230000-0x000000000023C000-memory.dmp

    Filesize

    48KB

  • memory/2020-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

    Filesize

    8KB