Malware Analysis Report

2024-11-30 21:48

Sample ID: 230211-lcgypadf63
Target: ID180717.exe
SHA256: 780b6ba7fa2126b7f172c23c31474b2eedbd2ac9cd0018c5763f77213995a56b
Tags: purecrypter downloader loader
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 780b6ba7fa2126b7f172c23c31474b2eedbd2ac9cd0018c5763f77213995a56b

Threat Level: Known bad

The file ID180717.exe was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader

Purecrypter family

PureCrypter

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-02-11 09:23

Signatures

Purecrypter family

purecrypter

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-11 09:23
Reported: 2023-02-11 09:26
Platform: win7-20220812-en
Max time kernel: 36s
Max time network: 42s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ID180717.exe"

Signatures

PureCrypter

loader downloader purecrypter

Program crash

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\SysWOW64\WerFault.exe   C:\Users\Admin\AppData\Local\Temp\ID180717.exe

Suspicious use of AdjustPrivilegeToken

Description             Indicator   Process                                          Target
Token: SeDebugPrivilege N/A         C:\Users\Admin\AppData\Local\Temp\ID180717.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ID180717.exe

"C:\Users\Admin\AppData\Local\Temp\ID180717.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1728

Network

Country   Destination          Domain             Proto
US        204.79.197.200:443   -                  tcp
US        8.8.8.8:53           carlcederlaw.com   udp
US        188.114.97.0:443     carlcederlaw.com   tcp

Files

memory/1260-54-0x00000000009C0000-0x00000000009C8000-memory.dmp

memory/1260-55-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

memory/1800-56-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-11 09:23
Reported: 2023-02-11 09:26
Platform: win10v2004-20220812-en
Max time kernel: 144s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ID180717.exe"

Signatures

PureCrypter

loader downloader purecrypter

Program crash

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\SysWOW64\WerFault.exe   C:\Users\Admin\AppData\Local\Temp\ID180717.exe

Suspicious use of AdjustPrivilegeToken

Description             Indicator   Process                                          Target
Token: SeDebugPrivilege N/A         C:\Users\Admin\AppData\Local\Temp\ID180717.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ID180717.exe

"C:\Users\Admin\AppData\Local\Temp\ID180717.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2608 -ip 2608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 1696

Network

Country   Destination          Domain             Proto
FR        2.20.8.110:443       -                  tcp
FR        2.20.8.110:443       -                  tcp
US        8.8.8.8:53           carlcederlaw.com   udp
US        188.114.97.0:443     carlcederlaw.com   tcp
US        8.8.8.8:53           carlcederlaw.com   udp
US        188.114.96.0:443     carlcederlaw.com   tcp
US        209.197.3.8:80       -                  tcp
US        209.197.3.8:80       -                  tcp
US        20.189.173.4:443     -                  tcp
NL        87.248.202.1:80      -                  tcp
NL        87.248.202.1:80      -                  tcp
NL        87.248.202.1:80      -                  tcp
NL        8.238.178.126:80     -                  tcp
US        8.247.211.254:80     -                  tcp

Files

memory/2608-132-0x00000000003D0000-0x00000000003D8000-memory.dmp

memory/2608-133-0x0000000005260000-0x0000000005804000-memory.dmp

memory/2608-134-0x0000000004D90000-0x0000000004E22000-memory.dmp