Overview

overview

10

Static

static

1

b67649a9a6...ec.exe

windows7-x64

10

b67649a9a6...ec.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    16-02-2023 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b67649a9a69b4891e75746f8ed5ffbec.exe

  • Size

    1.5MB

  • MD5

    b67649a9a69b4891e75746f8ed5ffbec

  • SHA1

    4d59dcf71f149fbd482e045bd58742d8589b7d4b

  • SHA256

    9fbd44c68c8181d842e2553efc72b2f56324d638f56e2581b2db2ce53421d70f

  • SHA512

    6edfb13376787e5a2f6fcfc5126421c60080c2504b48cad2b37cde73e441a66462220b6e2ca56e1223c864df0c2011c6244e5139b70744141fc6b59a60771e70

  • SSDEEP

    24576:DP/kDXWkQpq97UrOPdDOBeWICivr9kDXWkQpq97UrOPdDOBeWICivp:DUm5pYI6PdDAeTvr2m5pYI6PdDAeTvp

Score
10/10
purecrypterdownloaderloader

Malware Config

Extracted

Family

purecrypter

C2

http://rssh.li/panel/uploads/Vvfilmvppec.dat

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b67649a9a69b4891e75746f8ed5ffbec.exe
    "C:\Users\Admin\AppData\Local\Temp\b67649a9a69b4891e75746f8ed5ffbec.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ipconfig/release
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /release
        3⤵
        • Gathers network information
        PID:820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAyADAA
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1604-63-0x000000006F490000-0x000000006FA3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1604-64-0x000000006F490000-0x000000006FA3B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1708-54-0x0000000001320000-0x0000000001340000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1708-55-0x0000000075551000-0x0000000075553000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1708-56-0x0000000005B70000-0x0000000005C24000-memory.dmp

    Filesize

    720KB

    Download

  • memory/1708-57-0x0000000000570000-0x000000000058C000-memory.dmp

    Filesize

    112KB

    Download