Analysis Overview
SHA256
be09924a971a4de61cb2e9f031829d8ceb9822e5c54357b3fdb09fee72b781b2
Threat Level: Known bad
The file 8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.zip was found to be: Known bad.
Malicious Activity Summary
PureCrypter
RedLine
Detect PureCrypter injector
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-08 09:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-08 09:53
Reported
2023-02-08 09:55
Platform
win7-20221111-en
Max time kernel
27s
Max time network
30s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
RedLine
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1148 set thread context of 580 | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe
"C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| NL | 193.142.146.212:4581 | amrican-sport-live-stream.cc | tcp |
Files
memory/1148-54-0x00000000013C0000-0x000000000150C000-memory.dmp
memory/1148-55-0x0000000004FC0000-0x0000000005246000-memory.dmp
memory/1148-56-0x0000000001320000-0x0000000001380000-memory.dmp
memory/580-57-0x0000000000400000-0x000000000045A000-memory.dmp
memory/580-58-0x0000000000400000-0x000000000045A000-memory.dmp
memory/580-60-0x0000000000400000-0x000000000045A000-memory.dmp
memory/580-62-0x0000000000400000-0x000000000045A000-memory.dmp
memory/580-63-0x0000000000400000-0x000000000045A000-memory.dmp
memory/580-64-0x00000000004449EE-mapping.dmp
memory/580-66-0x0000000000400000-0x000000000045A000-memory.dmp
memory/580-68-0x0000000000400000-0x000000000045A000-memory.dmp
memory/580-69-0x0000000000240000-0x0000000000246000-memory.dmp
memory/580-70-0x0000000075A91000-0x0000000075A93000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-08 09:53
Reported
2023-02-08 09:55
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
151s
Command Line
Signatures
RedLine
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4064 set thread context of 3644 | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe
"C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
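In both detonations the loader in AppData\Local\Temp starts InstallUtil.exe from the .NET Framework directory with nothing on the command line but the image path, then sets the child's thread context and writes its memory (the Signatures above). A legitimate InstallUtil.exe run names an assembly to install or uninstall; a bare invocation that stays alive and talks to the network is the hollowed host. The Python below is an added example of a process-creation rule for that pattern; it is not part of the sandbox report. The event shape is a simplified Sysmon Event ID 1 record, event 1 reproduces the parent/child pair from this report, and the other events, the severity labels and the user-writable directory list are constructed assumptions.

```python
import re

# Constructed Sysmon-style ProcessCreate events. The first reproduces the
# parent/child pair in this report; the rest are invented controls so the
# rule's behaviour on legitimate and ambiguous cases can be seen.
EVENTS = [
    {"pid": 580,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\8601b9efdac4733e888cc949f337cfbba4140a6a441aaefe2ab391b4d637dfbc.exe"},
    {"pid": 2210,  # hypothetical legitimate uninstall driven by an installer
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /u "C:\Program Files\Vendor\Service.exe"',
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 3300,  # unrelated process, must be ignored
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 4100,  # bare InstallUtil.exe from an interactive shell: anomalous but weaker
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

# InstallUtil.exe lives under a versioned Framework or Framework64 directory.
INSTALLUTIL_RE = re.compile(
    r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\InstallUtil\.exe$", re.IGNORECASE
)
# Assumed list of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def image_and_args(cmdline):
    """Split a Windows command line into (image, remaining arguments).

    Handles a double-quoted image path; everything after it is the argument
    string, which is empty for the bare invocations seen in this report.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def assess(event):
    """Return a finding for an InstallUtil.exe launch, or None if it looks normal."""
    if not INSTALLUTIL_RE.search(event["image"]):
        return None
    reasons = []
    _, args = image_and_args(event["cmdline"])
    if not args:
        reasons.append("InstallUtil.exe launched without an assembly argument")
    parent = event["parent_image"].lower()
    if any(marker in parent for marker in USER_WRITABLE):
        reasons.append("parent image runs from a user-writable directory")
    if not reasons:
        return None
    # Both indicators together is the loader-plus-hollowed-host shape from the report.
    severity = "high" if len(reasons) == 2 else "medium"
    return {"pid": event["pid"], "severity": severity, "reasons": reasons}


def scan(events):
    """Apply the rule to a list of ProcessCreate events, keeping only findings."""
    return [finding for finding in (assess(e) for e in events) if finding]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Process-creation telemetry cannot see SetThreadContext or WriteProcessMemory themselves; the corroborating source in a Sysmon deployment is Event ID 10 (ProcessAccess) from the Temp-resident parent against the freshly created InstallUtil.exe child, followed by the child, not the parent, making the outbound connection listed under Network. Tuning the medium-severity case (bare InstallUtil.exe from a shell) against the environment's software-deployment tooling is left to the reader.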
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| NL | 193.142.146.212:4581 | amrican-sport-live-stream.cc | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
memory/4064-132-0x0000000000420000-0x000000000056C000-memory.dmp
memory/4064-133-0x0000000005320000-0x0000000005342000-memory.dmp
memory/4064-134-0x00000000055D0000-0x0000000005636000-memory.dmp
memory/4064-135-0x00000000337D0000-0x0000000033862000-memory.dmp
memory/4064-136-0x0000000033E20000-0x00000000343C4000-memory.dmp
memory/3644-137-0x0000000000000000-mapping.dmp
memory/3644-138-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3644-139-0x000000000B1B0000-0x000000000B7C8000-memory.dmp
memory/3644-140-0x000000000ACF0000-0x000000000ADFA000-memory.dmp
memory/3644-141-0x000000000AC20000-0x000000000AC32000-memory.dmp
memory/3644-142-0x000000000AC80000-0x000000000ACBC000-memory.dmp
memory/3644-143-0x000000000C0B0000-0x000000000C126000-memory.dmp
memory/3644-144-0x000000000BC50000-0x000000000BCA0000-memory.dmp
memory/3644-145-0x000000000C940000-0x000000000CB02000-memory.dmp
memory/3644-146-0x000000000D750000-0x000000000DC7C000-memory.dmp
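The two SetThreadContext rows (PID 1148 into 580, PID 4064 into 3644) and the dump listings from both detonations are enough to locate the injected code without opening a dump. The Python below is an added triage helper, not output of the sandbox or part of this report. It assumes the dump names encode `memory/<pid>-<sequence>-0x<start>[-0x<end>]-<memory|mapping>.dmp`, as the listings suggest, and that the single-address `mapping.dmp` is the address the sandbox associated with the injected image. The dump names are copied from the behavioral1 and behavioral2 sections above, with the repeated 0x400000-0x45A000 snapshots of PID 580 collapsed to one entry.

```python
import re
from collections import defaultdict

# Evidence lines and dump names taken from the report above (subset).
EVIDENCE = [
    "PID 1148 set thread context of 580",
    "PID 4064 set thread context of 3644",
]
DUMPS = [
    "memory/1148-54-0x00000000013C0000-0x000000000150C000-memory.dmp",
    "memory/580-57-0x0000000000400000-0x000000000045A000-memory.dmp",
    "memory/580-64-0x00000000004449EE-mapping.dmp",
    "memory/580-69-0x0000000000240000-0x0000000000246000-memory.dmp",
    "memory/580-70-0x0000000075A91000-0x0000000075A93000-memory.dmp",
    "memory/4064-132-0x0000000000420000-0x000000000056C000-memory.dmp",
    "memory/3644-137-0x0000000000000000-mapping.dmp",
    "memory/3644-138-0x0000000000400000-0x000000000045A000-memory.dmp",
    "memory/3644-139-0x000000000B1B0000-0x000000000B7C8000-memory.dmp",
]

# Assumed naming scheme: pid-seq-start[-end]-kind. A mapping dump has one address.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)
CTX_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+)$")


def parse_dump(name):
    """Decode one dump file name into its pid, sequence, address range and kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16) if m["end"] else None,
        "kind": m["kind"],
    }


def injection_pairs(evidence):
    """Extract (injector pid, target pid) from SetThreadContext evidence lines."""
    pairs = []
    for line in evidence:
        m = CTX_RE.match(line)
        if m:
            pairs.append((int(m["src"]), int(m["dst"])))
    return pairs


def triage(evidence, dump_names):
    """For each injection target, list its dumped regions and which ones contain the mapping address."""
    by_pid = defaultdict(list)
    for d in (parse_dump(n) for n in dump_names):
        by_pid[d["pid"]].append(d)
    report = {}
    for src, dst in injection_pairs(evidence):
        regions = sorted({(d["start"], d["end"]) for d in by_pid[dst] if d["kind"] == "memory"})
        mappings = [d["start"] for d in by_pid[dst] if d["kind"] == "mapping"]
        containing = sorted({(s, e) for addr in mappings for (s, e) in regions if s <= addr < e})
        report[dst] = {
            "injector": src,
            "mapping_addresses": mappings,
            "regions": regions,
            "regions_containing_mapping": containing,
            "sizes": {(s, e): e - s for (s, e) in regions},
        }
    return report


def shared_regions(report):
    """Regions dumped from every injected process: the same payload image across runs."""
    sets = [set(entry["regions"]) for entry in report.values()]
    return sorted(set.intersection(*sets)) if sets else []


if __name__ == "__main__":
    result = triage(EVIDENCE, DUMPS)
    for pid, entry in result.items():
        print(pid, entry["injector"], [hex(a) for a in entry["mapping_addresses"]],
              [(hex(s), hex(e)) for s, e in entry["regions_containing_mapping"]])
    print("shared:", [(hex(s), hex(e)) for s, e in shared_regions(result)])
```

For PID 580 the mapping address 0x4449EE falls inside the 0x400000-0x45A000 region, which is therefore the injected image and the range to carve for the RedLine payload. For PID 3644 the sandbox recorded the mapping address as 0x0, so the containment check returns nothing and the 0x400000-0x45A000 dump of that process should be examined directly; both runs dumped that same 0x5A000-byte range from the hollowed InstallUtil.exe, which makes it the best pivot between the Windows 7 and Windows 10 detonations.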