Analysis Overview
SHA256
6872346b1b51a9e0c9442fb7d4d03969af3ce7e60c1014fab0f35d8e5ca10417
Threat Level: Known bad
The file AtmosphereLauncher.mal was found to be: Known bad.
Malicious Activity Summary
PureCrypter
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-11 18:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-11 18:31
Reported
2023-02-11 18:42
Platform
win7-20220812-en
Max time kernel
86s
Max time network
203s
Command Line
Signatures
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AtmosphereLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 1188
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.franceconsobanque.fr | udp |
| FR | 109.234.165.34:443 | www.franceconsobanque.fr | tcp |
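The signatures, process tree and network rows above can be turned into host-side triage logic. The block below is an added example, not part of the sandbox report or of any tool it names: it scores Sysmon-style events (a constructed dict shape, with constructed sample events) against the indicators the report lists. The point it makes is the caveat a responder needs: the `IXP000.TMP` staging folder and the `wextract_cleanup0` RunOnce value calling `advpack.dll,DelNodeRunDLL32` are what every wextract/IExpress self-extracting package produces, so on their own they are installer noise; the report's hashes, the `www.franceconsobanque.fr` lookup, and a freshly dropped binary enabling `SeDebugPrivilege` are what separate this sample from a benign installer. Rule names, severities and the `verdict` labels are this example's own choices.

```python
import re
from dataclasses import dataclass

# SHA-256 values listed in the report above (AtmosphereLauncher.exe and the
# dropped travelpeov.exe as finally written to disk).
REPORT_SHA256 = {
    "6872346b1b51a9e0c9442fb7d4d03969af3ce7e60c1014fab0f35d8e5ca10417",
    "c486efdb22b932a3cd04fa60965ad053b824c241e676863c0d430f2b601443b9",
}
REPORT_DOMAINS = {"www.franceconsobanque.fr"}

# wextract.exe (IExpress packages) extracts to %TEMP%\IXP<nnn>.TMP and writes a
# RunOnce value "wextract_cleanup<n>" that runs advpack.dll,DelNodeRunDLL32 to
# delete that folder. Legitimate installers do exactly the same, so these two
# patterns are context, not a verdict.
IXP_DIR = re.compile(r"\\Temp\\IXP\d{3}\.TMP\\", re.IGNORECASE)
CLEANUP_VALUE = re.compile(r"\\RunOnce\\wextract_cleanup\d+$", re.IGNORECASE)
DELNODE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.IGNORECASE)

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def evaluate(events):
    """Map event dicts (constructed shape, see samples below) to findings."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        image = ev.get("image", "")
        if kind == "process_create":
            if IXP_DIR.search(image):
                findings.append(Finding("exec_from_ixp_tmp", "low", image))
            if ev.get("sha256", "").lower() in REPORT_SHA256:
                findings.append(Finding("known_bad_hash", "high", ev["sha256"]))
        elif kind == "registry_set":
            if CLEANUP_VALUE.search(ev.get("target", "")) and DELNODE.search(ev.get("data", "")):
                findings.append(Finding("wextract_cleanup_runonce", "low", ev["data"]))
        elif kind == "privilege_adjust":
            # A just-dropped binary enabling SeDebugPrivilege is what the
            # report's AdjustPrivilegeToken signature fired on.
            if ev.get("privilege") == "SeDebugPrivilege" and IXP_DIR.search(image):
                findings.append(Finding("dropped_exe_sedebug", "medium", image))
        elif kind == "dns_query":
            if ev.get("query", "").lower() in REPORT_DOMAINS:
                findings.append(Finding("known_bad_domain", "high", ev["query"]))
    return findings


def verdict(findings):
    """Collapse findings to one label; only the highest severity decides."""
    if not findings:
        return "clean"
    top = max(SEVERITY_RANK[f.severity] for f in findings)
    return {3: "known_bad", 2: "suspicious", 1: "installer_noise"}[top]


TMP = r"C:\Users\Admin\AppData\Local\Temp"
DELNODE_CMD = ('rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "'
               + TMP + '\\IXP000.TMP\\"')

# Constructed events mirroring the behavioral1 run above (not sandbox output).
DETONATION_EVENTS = [
    {"event": "process_create", "image": TMP + r"\AtmosphereLauncher.exe",
     "sha256": "6872346b1b51a9e0c9442fb7d4d03969af3ce7e60c1014fab0f35d8e5ca10417"},
    {"event": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "data": DELNODE_CMD},
    {"event": "process_create", "image": TMP + r"\IXP000.TMP\travelpeov.exe",
     "sha256": "c486efdb22b932a3cd04fa60965ad053b824c241e676863c0d430f2b601443b9"},
    {"event": "privilege_adjust", "image": TMP + r"\IXP000.TMP\travelpeov.exe",
     "privilege": "SeDebugPrivilege"},
    {"event": "dns_query", "image": TMP + r"\IXP000.TMP\travelpeov.exe",
     "query": "www.franceconsobanque.fr"},
]

# Constructed events for an ordinary IExpress installer: same staging folder
# and cleanup key, unknown hash, no privilege change, no C2 lookup.
INSTALLER_EVENTS = [
    {"event": "process_create", "image": TMP + r"\IXP001.TMP\setup.exe",
     "sha256": "00" * 32},
    {"event": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     "data": DELNODE_CMD.replace("IXP000", "IXP001")},
]

if __name__ == "__main__":
    for name, evs in (("detonation", DETONATION_EVENTS), ("installer", INSTALLER_EVENTS)):
        found = evaluate(evs)
        print(name, verdict(found), sorted({f.rule for f in found}))
```

Run stand-alone it prints `known_bad` for the constructed detonation and `installer_noise` for the plain installer. The hash and domain sets are the only sample-specific part; the folder and RunOnce patterns generalise to any wextract package and should stay low severity in a real rule set, or they will page on every legitimate IExpress install.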
Files
memory/1444-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
| MD5 | cfdca7d646a938c27e6dee83ac0c1278 |
| SHA1 | 51dc726080be9c64f29dc1360d30fbbd475e99c0 |
| SHA256 | c486efdb22b932a3cd04fa60965ad053b824c241e676863c0d430f2b601443b9 |
| SHA512 | 48c1ede8bfaf4c1c073a3720039db7671100578941ad7d71909887742d5f79badee7a82d4e29bb2d621f8446e92758cf1f03aa3d865f0e1207459d94e598d8e3 |
memory/1444-57-0x00000000010E0000-0x00000000010E8000-memory.dmp
memory/1444-58-0x0000000074AD1000-0x0000000074AD3000-memory.dmp
memory/1864-59-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
| MD5 | 2719e362a6ae6072fc69750f4448ffb7 |
| SHA1 | 13b2cb0230cbc82b20633bb97630c7fa1a849d8d |
| SHA256 | 9259f5bcc3206ae406993262f368898d5c6fc18aea4148bed9eceb0755cccfc8 |
| SHA512 | fdf4a47c14d9009a2ef51d125e99e3b2982cf44bfb44fa45b0ee39a661dc00e1e7b049a93c426dbd5e3b635b6e0fb4bb60670868ea07c2d695f96781d7b770f1 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
| MD5 | 0cdd6f30c6ee817e93df3007f10b7e6a |
| SHA1 | a1420de73a64ca8022442aed32ab552c50251e4e |
| SHA256 | 8f30fd8b082175f6fdd042cd403b39afc0cf68daddf9e1f431ee55d3d9e91f05 |
| SHA512 | 2dbc921674c95cba3ecba9797a08bae6db9d2acc47c99e7b0648a83da87808e4179444908a9c416c13fce7b761b9adcd989a700d6571de1b1260708b8771c915 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
| MD5 | 403c0272eba716f90109eb6b098d397c |
| SHA1 | 841c09e13477909302335a2af9087c2af301b4a5 |
| SHA256 | a522db582ec5b302b11e26e39dd56b9d397576c3f0948a73e10459d869604628 |
| SHA512 | 2fef9a92742f0d4a98a934b3078fac0c027f754e70b5833929f64744b0cd8324ac26027f4d4b8397bdd101ee490bbc7849cebbf1cf783b659fcfdded007de806 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
| MD5 | 13e6f41ab50cb51148fb16723bb679c5 |
| SHA1 | 345e922fa031acf47df7ce8697e6e7bcb62ccb32 |
| SHA256 | a825ecc0c97c41ae0d1e793b8b2a89c5f924f3c7442ff28a27d6daae89c9c3a7 |
| SHA512 | f6a18e09d83f08c3e68111a4a1f213db0a5f21f5a393803b7ab96a47d0ca836539062181f50619b722eae70f0e4f8ad01489c04b5227981615df9795c3d5818c |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\travelpeov.exe
| MD5 | 2928f4a10f1a824d26f56052accd9926 |
| SHA1 | 93af9c82a7dedef40f3ab1b1a6a414210d90c192 |
| SHA256 | 125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a |
| SHA512 | 4bd74f377bbd9ab41dd5fe0448a2d77e062a795b6e30a5961e2b62c70d5f1c35a470fe9a7cdbc313f40f8fbda086935e02677ba05213689bcec3b58eef5ea3e2 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-11 18:31
Reported
2023-02-11 18:46
Platform
win10v2004-20221111-en
Max time network
400s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| FR | 2.20.8.110:443 | | tcp |
| FR | 2.20.8.110:443 | | tcp |