Analysis Overview
SHA256
8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc
Threat Level: Known bad
The file b4138222931b8458a109d11cd2194ce8.exe was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter injector
PureCrypter
RedLine
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-08 01:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-08 01:33
Reported
2023-02-08 01:35
Platform
win7-20220901-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
PureCrypter
RedLine
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1304 set thread context of 524 | N/A | C:\Users\Admin\AppData\Local\Temp\b4138222931b8458a109d11cd2194ce8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4138222931b8458a109d11cd2194ce8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4138222931b8458a109d11cd2194ce8.exe
"C:\Users\Admin\AppData\Local\Temp\b4138222931b8458a109d11cd2194ce8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| NL | 193.142.146.212:4581 | amrican-sport-live-stream.cc | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-08 01:33
Reported
2023-02-08 01:35
Platform
win10v2004-20221111-en
Max time kernel
126s
Max time network
148s
Command Line
Signatures
RedLine
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4600 set thread context of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\b4138222931b8458a109d11cd2194ce8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4138222931b8458a109d11cd2194ce8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4138222931b8458a109d11cd2194ce8.exe
"C:\Users\Admin\AppData\Local\Temp\b4138222931b8458a109d11cd2194ce8.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| NL | 193.142.146.212:4581 | amrican-sport-live-stream.cc | tcp |
| US | 204.79.197.200:443 | N/A | tcp |
Files