purecrypter | 125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a | Triage

Analysis

max time kernel
58s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-02-2023 21:02

Sharing

Report Analysis Logs

General

Target

travelpeov.exe
Size

193.2MB
MD5

2928f4a10f1a824d26f56052accd9926
SHA1

93af9c82a7dedef40f3ab1b1a6a414210d90c192
SHA256

125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a
SHA512

4bd74f377bbd9ab41dd5fe0448a2d77e062a795b6e30a5961e2b62c70d5f1c35a470fe9a7cdbc313f40f8fbda086935e02677ba05213689bcec3b58eef5ea3e2
SSDEEP

96:eSwqiJBpnpML3uibpR3KbofKkor74BzNt:eBpnsLRPwof3oXu

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

C2

https://www.franceconsobanque.fr/wp-admin/images/css/design/fabric/bo/Sjbgpxzi.bmp

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1104	548	WerFault.exe	26

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	548	travelpeov.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1104	548	travelpeov.exe	27
PID 548 wrote to memory of 1104	548	travelpeov.exe	27
PID 548 wrote to memory of 1104	548	travelpeov.exe	27
PID 548 wrote to memory of 1104	548	travelpeov.exe	27

C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
"C:\Users\Admin\AppData\Local\Temp\travelpeov.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1316
  2⤵
  - Program crash
  PID:1104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/548-54-0x0000000000920000-0x0000000000928000-memory.dmp

Filesize
32KB

Download
memory/548-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download