Analysis Overview
SHA256
d6edf57c2ec790e7a97ddffc9243ebf29960c497822385bca0420fa940581e07
Threat Level: Known bad
The file 27099b00b5e7e72839edba8e085931e2.exe was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter injector
RedLine
PureCrypter
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-09 10:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-09 10:36
Reported
2023-02-09 10:38
Platform
win7-20220812-en
Max time kernel
151s
Max time network
158s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
RedLine
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQ安全防护盾(Q盾) = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\QQ安全防护盾(Q盾).exe\"" | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1752 set thread context of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe
"C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe
C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe
Network
| Country | Destination | Domain | Proto |
| RU | 195.2.79.233:80 | 195.2.79.233 | tcp |
| RU | 178.20.45.6:19170 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-09 10:36
Reported
2023-02-09 10:40
Platform
win10v2004-20221111-en
Max time kernel
168s
Max time network
182s
Command Line
Signatures
RedLine
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQ安全防护盾(Q盾) = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tencent\\QQ安全防护盾(Q盾).exe\"" | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4892 set thread context of 1968 | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe
"C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe
C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe
C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe
C:\Users\Admin\AppData\Local\Temp\27099b00b5e7e72839edba8e085931e2.exe
Network
| Country | Destination | Domain | Proto |
| US | 20.42.65.84:443 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| NL | 8.253.208.113:80 | N/A | tcp |
| NL | 8.253.208.113:80 | N/A | tcp |
| NL | 104.80.225.205:443 | N/A | tcp |
| RU | 195.2.79.233:80 | 195.2.79.233 | tcp |
| IE | 52.109.77.1:443 | N/A | tcp |
| RU | 178.20.45.6:19170 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\27099b00b5e7e72839edba8e085931e2.exe.log
| Hash | Value |
| MD5 | 3a9188331a78f1dbce606db64b841fcb |
| SHA1 | 8e2c99b7c477d06591a856a4ea3e1e214719eee8 |
| SHA256 | db4137e258a0f6159fda559a5f6dd2704be0582c3f0586f65040c7ad1eb68451 |
| SHA512 | d1a994610a045d89d5d306866c24ae56bf16555414b8f63f632552568e67b5586f26d5a17a1f0a55ada376730298e6d856e9161828d4eae9decfa4e015e0e90a |