Malware Analysis Report

2024-11-30 21:53

Sample ID 230207-k4lwaaaf97
Target c4869d1471e76a3efa87816ad5ebfec3.zip
SHA256 0492e86e9f32847a07e11519c5833035b85a85473777de0c1c558e53a019e3c0
Tags
purecrypter remcos mimiboy downloader loader persistence rat
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

0492e86e9f32847a07e11519c5833035b85a85473777de0c1c558e53a019e3c0

Threat Level: Known bad

The file c4869d1471e76a3efa87816ad5ebfec3.zip was found to be: Known bad.

Malicious Activity Summary

purecrypter remcos mimiboy downloader loader persistence rat

PureCrypter

Detect PureCrypter injector

Remcos

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-07 09:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-07 09:09

Reported

2023-02-07 09:15

Platform

win7-20220901-en

Max time kernel

297s

Max time network

302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Remcos

rat remcos

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cjkftmvp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Znpyrvobkvt\\Cjkftmvp.exe\"" C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1356 set thread context of 1176 N/A C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1356 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

"C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

Network

Country Destination Domain Proto
UA 91.231.84.41:52651 tcp
N/A 127.0.0.1:52651 tcp
N/A 10.5.175.21:52651 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-07 09:09

Reported

2023-02-07 09:15

Platform

win10-20220812-en

Max time kernel

299s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

PureCrypter

loader downloader purecrypter

Remcos

rat remcos

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cjkftmvp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Znpyrvobkvt\\Cjkftmvp.exe\"" C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2344 set thread context of 4900 N/A C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

"C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe

Network

Country Destination Domain Proto
UA 91.231.84.41:52651 tcp
US 104.208.16.90:443 tcp
N/A 127.0.0.1:52651 tcp
N/A 10.5.175.21:52651 tcp

Files