Analysis

  • max time kernel
    224s
  • max time network
    295s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-02-2023 21:34

General

  • Target

    swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe

  • Size

    11KB

  • MD5

    14fec5297bef8c5fa6d3f0f5934dea32

  • SHA1

    5549beb12b3635e878b174ae93d47a147e2f6d98

  • SHA256

    bc080be46ac6e8aaff225091e2afdb6074fed20e30d30e1ad018f58a1e1901b7

  • SHA512

    a7889770f7bed2ed2aff36c67cda577cd0ebc064c93532d425d0207bb60f55ee474d6e433402b86704d3f80e442209df53f0bd885d5fcd72b5b229ff5697fda6

  • SSDEEP

    192:cliHh1RDurJEC+88OSM4+pmqQcNM2YDM:cG1d2JEC+lKFI

Malware Config

Extracted

Family

purecrypter

C2

https://vinosbiodinamicos.com/Wnsixjk.bmp

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe
    "C:\Users\Admin\AppData\Local\Temp\swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA3AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5084

Network

  • flag-us
    DNS
    96.108.152.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    96.108.152.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    226.101.242.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.101.242.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    vinosbiodinamicos.com
    swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe
    Remote address:
    8.8.8.8:53
    Request
    vinosbiodinamicos.com
    IN A
    Response
    vinosbiodinamicos.com
    IN A
    92.52.217.24
  • 93.184.220.29:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 20.189.173.10:443
    322 B
    7
  • 88.221.25.154:80
    322 B
    7
  • 88.221.25.154:80
    322 B
    7
  • 87.248.202.1:80
    322 B
    7
  • 92.52.217.24:443
    vinosbiodinamicos.com
    tls
    swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe
    17.7kB
    1.0MB
    374
    727
  • 8.8.8.8:53
    96.108.152.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    96.108.152.52.in-addr.arpa

  • 8.8.8.8:53
    226.101.242.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    226.101.242.52.in-addr.arpa

  • 8.8.8.8:53
    vinosbiodinamicos.com
    dns
    swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe
    67 B
    83 B
    1
    1

    DNS Request

    vinosbiodinamicos.com

    DNS Response

    92.52.217.24

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2292-132-0x0000000000730000-0x0000000000738000-memory.dmp

    Filesize

    32KB

  • memory/2292-133-0x00000000054C0000-0x0000000005A64000-memory.dmp

    Filesize

    5.6MB

  • memory/2292-134-0x0000000005230000-0x00000000052C2000-memory.dmp

    Filesize

    584KB

  • memory/2292-135-0x0000000000F10000-0x0000000000F32000-memory.dmp

    Filesize

    136KB

  • memory/5084-137-0x0000000003080000-0x00000000030B6000-memory.dmp

    Filesize

    216KB

  • memory/5084-138-0x0000000005850000-0x0000000005E78000-memory.dmp

    Filesize

    6.2MB

  • memory/5084-139-0x0000000005EF0000-0x0000000005F56000-memory.dmp

    Filesize

    408KB

  • memory/5084-140-0x0000000006050000-0x00000000060B6000-memory.dmp

    Filesize

    408KB

  • memory/5084-141-0x0000000006660000-0x000000000667E000-memory.dmp

    Filesize

    120KB
