Analysis Overview
SHA256
e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90
Threat Level: Known bad
The file e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90 was found to be: Known bad.
Malicious Activity Summary
Purecrypter family
PureCrypter
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-13 07:21
Signatures
Purecrypter family
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-13 07:21
Reported
2023-02-13 07:22
Platform
win7-20221111-en
Max time kernel
31s
Max time network
10s
Command Line
Signatures
PureCrypter
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1540 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1540 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1540 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
"C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 163.123.142.210:80 | 163.123.142.210 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-13 07:21
Reported
2023-02-13 07:24
Platform
win10v2004-20221111-en
Max time kernel
112s
Max time network
116s
Command Line
Signatures
PureCrypter
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vokaupcde = "\"C:\\Users\\Admin\\AppData\\Roaming\\Rrlirudzf\\Vokaupcde.exe\"" | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2728 set thread context of 5040 | N/A | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
"C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
C:\Users\Admin\AppData\Local\Temp\e1614217a227ee00d452c21059af1d4572420cd6079d384ec265e2b1a5192f90.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 163.123.142.210:80 | 163.123.142.210 | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| IT | 179.43.155.202:9090 | | tcp |
| NL | 8.253.208.121:80 | | tcp |
| NL | 8.253.208.121:80 | | tcp |
| IT | 179.43.155.202:9091 | | tcp |
| IT | 179.43.155.202:9092 | | tcp |
| IT | 179.43.155.202:8444 | | tcp |
Files