Malware Analysis Report

2024-11-30 21:48

Sample ID 230211-w55kkaeh72
Target AtmosphereLauncher.mal
SHA256 6872346b1b51a9e0c9442fb7d4d03969af3ce7e60c1014fab0f35d8e5ca10417
Tags purecrypter downloader loader persistence
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 6872346b1b51a9e0c9442fb7d4d03969af3ce7e60c1014fab0f35d8e5ca10417

Threat Level: Known bad

The file AtmosphereLauncher.mal was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader persistence

PureCrypter

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-11 18:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-11 18:31

Reported

2023-02-11 18:42

Platform

win7-20220812-en

Max time kernel

86s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe"

Signatures

PureCrypter

loader downloader purecrypter

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
Target: N/A

Adds Run key to start application

persistence
Description: Key created
Indicator: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Process: C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Process: C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe

"C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1188

Network

Country  Destination         Domain                    Proto
US       8.8.8.8:53          www.franceconsobanque.fr  udp
FR       109.234.165.34:443  www.franceconsobanque.fr  tcp

Files

memory/1444-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

MD5 cfdca7d646a938c27e6dee83ac0c1278
SHA1 51dc726080be9c64f29dc1360d30fbbd475e99c0
SHA256 c486efdb22b932a3cd04fa60965ad053b824c241e676863c0d430f2b601443b9
SHA512 48c1ede8bfaf4c1c073a3720039db7671100578941ad7d71909887742d5f79badee7a82d4e29bb2d621f8446e92758cf1f03aa3d865f0e1207459d94e598d8e3

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

MD5 cfdca7d646a938c27e6dee83ac0c1278
SHA1 51dc726080be9c64f29dc1360d30fbbd475e99c0
SHA256 c486efdb22b932a3cd04fa60965ad053b824c241e676863c0d430f2b601443b9
SHA512 48c1ede8bfaf4c1c073a3720039db7671100578941ad7d71909887742d5f79badee7a82d4e29bb2d621f8446e92758cf1f03aa3d865f0e1207459d94e598d8e3

memory/1444-57-0x00000000010E0000-0x00000000010E8000-memory.dmp

memory/1444-58-0x0000000074AD1000-0x0000000074AD3000-memory.dmp

memory/1864-59-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

MD5 2719e362a6ae6072fc69750f4448ffb7
SHA1 13b2cb0230cbc82b20633bb97630c7fa1a849d8d
SHA256 9259f5bcc3206ae406993262f368898d5c6fc18aea4148bed9eceb0755cccfc8
SHA512 fdf4a47c14d9009a2ef51d125e99e3b2982cf44bfb44fa45b0ee39a661dc00e1e7b049a93c426dbd5e3b635b6e0fb4bb60670868ea07c2d695f96781d7b770f1

\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

MD5 0cdd6f30c6ee817e93df3007f10b7e6a
SHA1 a1420de73a64ca8022442aed32ab552c50251e4e
SHA256 8f30fd8b082175f6fdd042cd403b39afc0cf68daddf9e1f431ee55d3d9e91f05
SHA512 2dbc921674c95cba3ecba9797a08bae6db9d2acc47c99e7b0648a83da87808e4179444908a9c416c13fce7b761b9adcd989a700d6571de1b1260708b8771c915

\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

MD5 403c0272eba716f90109eb6b098d397c
SHA1 841c09e13477909302335a2af9087c2af301b4a5
SHA256 a522db582ec5b302b11e26e39dd56b9d397576c3f0948a73e10459d869604628
SHA512 2fef9a92742f0d4a98a934b3078fac0c027f754e70b5833929f64744b0cd8324ac26027f4d4b8397bdd101ee490bbc7849cebbf1cf783b659fcfdded007de806

\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

MD5 13e6f41ab50cb51148fb16723bb679c5
SHA1 345e922fa031acf47df7ce8697e6e7bcb62ccb32
SHA256 a825ecc0c97c41ae0d1e793b8b2a89c5f924f3c7442ff28a27d6daae89c9c3a7
SHA512 f6a18e09d83f08c3e68111a4a1f213db0a5f21f5a393803b7ab96a47d0ca836539062181f50619b722eae70f0e4f8ad01489c04b5227981615df9795c3d5818c

\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe

MD5 2928f4a10f1a824d26f56052accd9926
SHA1 93af9c82a7dedef40f3ab1b1a6a414210d90c192
SHA256 125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a
SHA512 4bd74f377bbd9ab41dd5fe0448a2d77e062a795b6e30a5961e2b62c70d5f1c35a470fe9a7cdbc313f40f8fbda086935e02677ba05213689bcec3b58eef5ea3e2

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-11 18:31

Reported

2023-02-11 18:46

Platform

win10v2004-20221111-en

Max time network

400s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination         Domain  Proto
US       93.184.220.29:80    -       tcp
US       209.197.3.8:80      -       tcp
US       209.197.3.8:80      -       tcp
US       209.197.3.8:80      -       tcp
NL       104.80.225.205:443  -       tcp
FR       2.20.8.110:443      -       tcp
FR       2.20.8.110:443      -       tcp

Files

N/A