Malware Analysis Report

2024-11-30 21:52

Sample ID 230206-mr3dlsde55
Target d785e46b0d269b0578dcfd1b90375a6a.bin
SHA256 a07bd7f88c492c1b1ee72e6725bcd0223d3c322e1057ce38ae25561e0b5b9238
Tags purecrypter downloader loader
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 a07bd7f88c492c1b1ee72e6725bcd0223d3c322e1057ce38ae25561e0b5b9238

Threat Level: Known bad

The file d785e46b0d269b0578dcfd1b90375a6a.bin was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader

Purecrypter family

PureCrypter

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-02-06 10:42

Signatures

Purecrypter family

purecrypter

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-06 10:42

Reported

2023-02-06 10:45

Platform

win7-20220812-en

Max time kernel

38s

Max time network

41s

Command Line

"C:\Users\Admin\AppData\Local\Temp\164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2.exe

"C:\Users\Admin\AppData\Local\Temp\164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1228

Network

Country Destination Domain Proto
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp

Files

memory/1516-54-0x00000000009C0000-0x00000000009C8000-memory.dmp

memory/1516-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

memory/1656-56-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-06 10:42

Reported

2023-02-06 10:45

Platform

win10v2004-20221111-en

Max time kernel

91s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2.exe

"C:\Users\Admin\AppData\Local\Temp\164df1aecac769eb2d9485abcb776f9ee55fc1e297c5b8b2bc50009e786d41b2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 752 -ip 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1768

Network

Country Destination Domain Proto
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
NL 104.80.225.205:443 N/A tcp
NL 8.253.208.121:80 N/A tcp
NL 8.253.208.121:80 N/A tcp
US 8.8.8.8:53 justnormalsite.ddns.net udp
NL 185.238.3.212:80 justnormalsite.ddns.net tcp

Files

memory/752-132-0x0000000000FE0000-0x0000000000FE8000-memory.dmp