Malware Analysis Report

2024-11-30 21:48

Sample ID 230211-zvs1kahf3s
Target travelpeov.mal
SHA256 125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a
Tags
purecrypter redline @gestaslinoff discovery downloader infostealer loader spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

125df6f2b9f5445123c888a654df37e3bc185adb45e94e79b1e44627b1cbf65a

Threat Level: Known bad

The file travelpeov.mal was found to be: Known bad.

Malicious Activity Summary

PureCrypter

RedLine

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-11 21:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-11 21:02

Reported

2023-02-11 21:08

Platform

win10v2004-20220812-en

Max time kernel

170s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\travelpeov.exe"

Signatures

PureCrypter

loader downloader purecrypter

RedLine

infostealer redline

Checks computer location settings

Description       | Indicator                                                                                               | Process                                          | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in System32 directory

Description  | Indicator                                                                                                                                   | Process                      | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{605DB2CF-6953-4F9B-B22C-706C1575E847}.catalogItem | C:\Windows\System32\svchost.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{99898C9E-8264-4A1E-BD0D-D2D599310FA4}.catalogItem | C:\Windows\System32\svchost.exe | N/A

Suspicious use of SetThreadContext

Description                         | Indicator | Process                                          | Target
PID 2304 set thread context of 2424 | N/A       | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe

Enumerates physical storage devices

Checks processor information in registry

Description       | Indicator                                                                           | Process                         | Target
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                | C:\Windows\System32\svchost.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\svchost.exe | N/A

Enumerates system info in registry

Description       | Indicator                                                | Process                         | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\svchost.exe | N/A
Key opened        | \REGISTRY\MACHINE\Hardware\Description\System\BIOS           | C:\Windows\System32\svchost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description              | Indicator | Process                                                    | Target
Token: SeDebugPrivilege  | N/A       | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe           | N/A
Token: SeDebugPrivilege  | N/A       | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege  | N/A       | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege  | N/A       | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe           | N/A

Suspicious use of WriteProcessMemory

Description                    | Indicator | Process                                          | Target
PID 2304 wrote to memory of 4916 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 4916 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 4916 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2304 wrote to memory of 3176 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 3176 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 3176 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2424 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
PID 2304 wrote to memory of 2424 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
PID 2304 wrote to memory of 2424 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
PID 2304 wrote to memory of 2424 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
PID 2304 wrote to memory of 2424 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
PID 2304 wrote to memory of 2424 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
PID 2304 wrote to memory of 2424 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
PID 2304 wrote to memory of 2424 | N/A     | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe
PID 3176 wrote to memory of 2392 | N/A     | C:\Windows\SysWOW64\cmd.exe                      | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2392 | N/A     | C:\Windows\SysWOW64\cmd.exe                      | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2392 | N/A     | C:\Windows\SysWOW64\cmd.exe                      | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\travelpeov.exe

"C:\Users\Admin\AppData\Local\Temp\travelpeov.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(the -ENC argument is base64 of UTF-16LE text; it decodes to: start-sleep -seconds 35)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(the -ENC argument is base64 of UTF-16LE text; it decodes to: set-mppreference -exclusionpath C:\ , i.e. a Windows Defender exclusion for the whole C: drive)

C:\Users\Admin\AppData\Local\Temp\travelpeov.exe

C:\Users\Admin\AppData\Local\Temp\travelpeov.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(same encoded command as above; decodes to: set-mppreference -exclusionpath C:\)

Network

Country | Destination          | Domain                   | Proto
US      | 8.8.8.8:53           | www.franceconsobanque.fr | udp
FR      | 109.234.165.34:443   | www.franceconsobanque.fr | tcp
DE      | 45.15.157.131:36457  |                          | tcp

Files

memory/2304-132-0x0000000000DD0000-0x0000000000DD8000-memory.dmp
memory/2304-133-0x0000000005DC0000-0x0000000006364000-memory.dmp
memory/2304-134-0x0000000005810000-0x00000000058A2000-memory.dmp
memory/2304-135-0x0000000007420000-0x0000000007442000-memory.dmp
memory/4916-136-0x0000000000000000-mapping.dmp
memory/4916-137-0x0000000002F00000-0x0000000002F36000-memory.dmp
memory/4916-138-0x00000000055F0000-0x0000000005C18000-memory.dmp
memory/4916-139-0x0000000005C20000-0x0000000005C86000-memory.dmp
memory/4916-140-0x0000000005E80000-0x0000000005EE6000-memory.dmp
memory/4916-141-0x0000000006550000-0x000000000656E000-memory.dmp
memory/4916-142-0x0000000007BC0000-0x000000000823A000-memory.dmp
memory/4916-143-0x0000000006960000-0x000000000697A000-memory.dmp
memory/3176-144-0x0000000000000000-mapping.dmp
memory/2424-145-0x0000000000000000-mapping.dmp
memory/2424-146-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2392-147-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5    4280e36a29fa31c01e4d8b2ba726a0d8
  SHA1   c485c2c9ce0a99747b18d899b71dfa9a64dabe32
  SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
  SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5    39812f7d90b8e4b5d8fa283b41fa1c89
  SHA1   aa98334485aa60383d4b2c5ffc855c9c2f278c72
  SHA256 40a50ef41177e3d0f9c111dbf01a410813f08315865f786200e6665b3668a2cc
  SHA512 ad6843582af654eda5ea3b6f58d2b7b6a9dd545b4037eeebebd846cbf3ffef2d289094f55ce9094b16561927c0ab19eaf4dd6d0ddfcc8215091145321f8dd4ed

memory/2424-150-0x0000000005400000-0x0000000005A18000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  MD5    06ad34f9739c5159b4d92d702545bd49
  SHA1   9152a0d4f153f3f40f7e606be75f81b582ee0c17
  SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
  SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/2424-152-0x0000000004F80000-0x000000000508A000-memory.dmp
memory/2424-153-0x0000000004EB0000-0x0000000004EC2000-memory.dmp
memory/2424-154-0x0000000004F10000-0x0000000004F4C000-memory.dmp
memory/2392-155-0x00000000071B0000-0x00000000071E2000-memory.dmp
memory/2392-156-0x000000006E160000-0x000000006E1AC000-memory.dmp
memory/2392-157-0x0000000006790000-0x00000000067AE000-memory.dmp
memory/2392-158-0x00000000075A0000-0x00000000075AA000-memory.dmp
memory/2392-159-0x00000000077E0000-0x0000000007876000-memory.dmp
memory/2392-160-0x0000000006080000-0x000000000608E000-memory.dmp
memory/2392-161-0x0000000007740000-0x000000000775A000-memory.dmp
memory/2392-162-0x0000000007720000-0x0000000007728000-memory.dmp
memory/2424-163-0x0000000006890000-0x0000000006A52000-memory.dmp
memory/2424-164-0x0000000006F90000-0x00000000074BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\travelpeov.exe.log
  MD5    fa566c9cc0cdfc2479d186ed2a7d2078
  SHA1   a4f5bc2d5d055a766b19f095f0a670eeda57c24b
  SHA256 bccaf63847951e065e8af3714593cdd2f8ecb76b384c1f7c71e3cd89df314960
  SHA512 ab3efa28f6f90dddde1472a474e26874e21248cc26603acb582ceb419e81165f4dc1044551755635dc6fd89600cbe0f1daec2ccb185fe77c68df16622e53396f

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-11 21:02

Reported

2023-02-11 21:05

Platform

win7-20220812-en

Max time kernel

58s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\travelpeov.exe"

Signatures

PureCrypter

loader downloader purecrypter

Program crash

Description | Indicator | Process                       | Target
N/A         | N/A       | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe

Suspicious use of AdjustPrivilegeToken

Description             | Indicator | Process                                          | Target
Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\travelpeov.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\travelpeov.exe

"C:\Users\Admin\AppData\Local\Temp\travelpeov.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1316

Network

Country | Destination          | Domain                   | Proto
US      | 8.8.8.8:53           | www.franceconsobanque.fr | udp
FR      | 109.234.165.34:443   | www.franceconsobanque.fr | tcp
US      | 204.79.197.200:443   |                          | tcp

Files

memory/548-54-0x0000000000920000-0x0000000000928000-memory.dmp
memory/548-55-0x0000000076831000-0x0000000076833000-memory.dmp
memory/1104-56-0x0000000000000000-mapping.dmp