Analysis Overview
SHA256
0492e86e9f32847a07e11519c5833035b85a85473777de0c1c558e53a019e3c0
Threat Level: Known bad
The file c4869d1471e76a3efa87816ad5ebfec3.zip was found to be: Known bad.
Malicious Activity Summary
PureCrypter
Detect PureCrypter injector
Remcos
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-07 09:09
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-07 09:09
Reported
2023-02-07 09:15
Platform
win7-20220901-en
Max time kernel
297s
Max time network
302s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Remcos
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cjkftmvp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Znpyrvobkvt\\Cjkftmvp.exe\"" | C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1356 set thread context of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe | C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe
"C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe
C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe
Network
| Country | Destination | Domain | Proto |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
Files
memory/1356-54-0x0000000000D00000-0x0000000000D76000-memory.dmp
memory/1356-55-0x0000000000490000-0x0000000000500000-memory.dmp
memory/1356-56-0x0000000004970000-0x0000000004A02000-memory.dmp
memory/1356-57-0x0000000075091000-0x0000000075093000-memory.dmp
memory/1296-58-0x0000000000000000-mapping.dmp
memory/1296-60-0x000000006EB60000-0x000000006F10B000-memory.dmp
memory/1296-61-0x000000006EB60000-0x000000006F10B000-memory.dmp
memory/1296-62-0x000000006EB60000-0x000000006F10B000-memory.dmp
memory/1176-63-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1176-64-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1176-66-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1176-68-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1176-69-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1176-70-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1176-73-0x0000000000413FA4-mapping.dmp
memory/1176-72-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1176-76-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1176-77-0x0000000000400000-0x0000000000421000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-07 09:09
Reported
2023-02-07 09:15
Platform
win10-20220812-en
Max time kernel
299s
Max time network
301s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Remcos
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Cjkftmvp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Znpyrvobkvt\\Cjkftmvp.exe\"" | C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2344 set thread context of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe | C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe
"C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe
C:\Users\Admin\AppData\Local\Temp\Mhiwfmlub.exe
Network
| Country | Destination | Domain | Proto |
| UA | 91.231.84.41:52651 | | tcp |
| US | 104.208.16.90:443 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
| N/A | 127.0.0.1:52651 | | tcp |
| N/A | 10.5.175.21:52651 | | tcp |
| UA | 91.231.84.41:52651 | | tcp |
Files
memory/2344-118-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-119-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-120-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-121-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-122-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-123-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-124-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-125-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-126-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-127-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-128-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-129-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-130-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-131-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-132-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-133-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-134-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-135-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-136-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-137-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-138-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-139-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-140-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-141-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-142-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-143-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-144-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-145-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-146-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-147-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-148-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-149-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-150-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-151-0x00000000002A0000-0x0000000000316000-memory.dmp
memory/2344-152-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-153-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-154-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-155-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-156-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-157-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-158-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-159-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-160-0x0000000004AA0000-0x0000000004B10000-memory.dmp
memory/2344-161-0x00000000051A0000-0x000000000569E000-memory.dmp
memory/2344-162-0x0000000004BD0000-0x0000000004C62000-memory.dmp
memory/2344-163-0x0000000004CA0000-0x0000000004D32000-memory.dmp
memory/2344-164-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-165-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-166-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-167-0x0000000004D80000-0x0000000004DA2000-memory.dmp
memory/2344-168-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-169-0x0000000004DB0000-0x0000000005100000-memory.dmp
memory/2344-170-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-171-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-172-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-173-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-174-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-175-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-176-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-177-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-178-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-179-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-180-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-181-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-182-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-183-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-184-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-185-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-186-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2344-187-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2172-188-0x0000000000000000-mapping.dmp
memory/2172-189-0x00000000770E0000-0x000000007726E000-memory.dmp
memory/2172-224-0x0000000000F30000-0x0000000000F66000-memory.dmp
memory/2172-229-0x0000000006F80000-0x00000000075A8000-memory.dmp
memory/2172-248-0x0000000006E80000-0x0000000006EE6000-memory.dmp
memory/2172-249-0x0000000006F00000-0x0000000006F66000-memory.dmp
memory/2172-252-0x0000000007810000-0x000000000782C000-memory.dmp
memory/2172-253-0x00000000080C0000-0x000000000810B000-memory.dmp
memory/2172-257-0x0000000007E30000-0x0000000007EA6000-memory.dmp
memory/2172-268-0x0000000009580000-0x0000000009BF8000-memory.dmp
memory/2172-269-0x0000000008CB0000-0x0000000008CCA000-memory.dmp
memory/4900-277-0x0000000000413FA4-mapping.dmp
memory/4900-330-0x0000000000400000-0x0000000000421000-memory.dmp