Analysis
-
max time kernel
224s -
max time network
295s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
10-02-2023 21:34
Behavioral task
behavioral1
Sample
swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe
Resource
win10v2004-20221111-en
General
-
Target
swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe
-
Size
11KB
-
MD5
14fec5297bef8c5fa6d3f0f5934dea32
-
SHA1
5549beb12b3635e878b174ae93d47a147e2f6d98
-
SHA256
bc080be46ac6e8aaff225091e2afdb6074fed20e30d30e1ad018f58a1e1901b7
-
SHA512
a7889770f7bed2ed2aff36c67cda577cd0ebc064c93532d425d0207bb60f55ee474d6e433402b86704d3f80e442209df53f0bd885d5fcd72b5b229ff5697fda6
-
SSDEEP
192:cliHh1RDurJEC+88OSM4+pmqQcNM2YDM:cG1d2JEC+lKFI
Malware Config
Extracted
purecrypter
https://vinosbiodinamicos.com/Wnsixjk.bmp
Signatures
-
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 5084 powershell.exe 5084 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2292 swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe Token: SeDebugPrivilege 5084 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2292 wrote to memory of 5084 2292 swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe 80 PID 2292 wrote to memory of 5084 2292 swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe 80 PID 2292 wrote to memory of 5084 2292 swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe 80
Processes
-
C:\Users\Admin\AppData\Local\Temp\swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe"C:\Users\Admin\AppData\Local\Temp\swift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA3AA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
Network
-
Remote address:8.8.8.8:53Request96.108.152.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request226.101.242.52.in-addr.arpaIN PTRResponse
-
DNSvinosbiodinamicos.comswift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exeRemote address:8.8.8.8:53Requestvinosbiodinamicos.comIN AResponsevinosbiodinamicos.comIN A92.52.217.24
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
92.52.217.24:443vinosbiodinamicos.comtlsswift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe17.7kB 1.0MB 374 727
-
72 B 146 B 1 1
DNS Request
96.108.152.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
226.101.242.52.in-addr.arpa
-
8.8.8.8:53vinosbiodinamicos.comdnsswift_09_feb_2023_usd_42019347593691658483-37497169570422045546309802-2379924.exe67 B 83 B 1 1
DNS Request
vinosbiodinamicos.com
DNS Response
92.52.217.24