Overview

overview

10

Static

static

1

Hogwarts L...ss.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-02-2023 21:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Hogwarts Legacy by Empress.zip

  • Size

    33.3MB

  • MD5

    e8ed4b7d48df78c2657c2b4414fe8a08

  • SHA1

    55c5ddce39454e1a9570564703b2aa36faec33a4

  • SHA256

    14bd04d358baa93e39f94953f4a5db0c9f3318081f75e1a8dfa287cb60774fa4

  • SHA512

    fc5c2e934d4ada3d8ba2d5176d6dcf317030fa5c61473dd6af55ec41ca2326ebdb58db4321c74ac3330d26dbc709047f6d87670f96b7d13db219a84978fb73fc

  • SSDEEP

    786432:KSlRNFY4cMHvAVS4idfTvNwkMb6y1m4fPLsX/LLWOv/:tKVS9dfTvikpy1m4foX/3

Score
10/10
purecrypterdownloaderloaderpersistence

Malware Config

Extracted

Family

purecrypter

C2

http://comicmaster.org.uk/img/css/design/fabric/bo/Kvxut.dat

Signatures

  • PureCrypter

    PureCrypter is a .NET malware loader first seen in early 2021.

    loaderdownloaderpurecrypter
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress.zip"
    1⤵
      PID:1336
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1892
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\" -spe -an -ai#7zMap4814:132:7zEvent29223
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:4760
      • C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
        "C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"
        1⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
          C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4852
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
            3⤵
              PID:4364
        • C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
          "C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"
          1⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3788
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setupov16.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setupov16.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1352
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
              3⤵
                PID:4488
          • C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
            "C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"
            1⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3024
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\setupov16.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\setupov16.exe
              2⤵
                PID:448
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
                  3⤵
                    PID:4532

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
                Filesize

                460.1MB

                MD5

                9e4eb385b2510f0c43882311ceb56693

                SHA1

                b00f9e192609d18ae34473d008c5f450054c56f5

                SHA256

                77287124aea8556664a5e360f0a616dd3ffdd30f062efe56522e0ae67bf1f768

                SHA512

                124bdf9ea65889b4323515b744e4700bf2059a33582e979807b8b92971bad8c7e113d4995134eba043f935c30bc38b5828db0eb6ad7e15715e48cbf175d11403

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
                Filesize

                443.3MB

                MD5

                3aded33036908a0d2a10a4499fba6030

                SHA1

                bb3c974326c658fdb1661be2f71e9c9c240a4dcb

                SHA256

                57187e11c78ff9e86cdd4e97c82bab6d3b4662cc0b7d6acc00aa42555a3f58b1

                SHA512

                ad6c3900d62645e40ef37315a44220a808bec28f9d9d2fa7e9514e1d8276f5b099218c44b0a01d9df39bb86b25dddb05bebc0be1c480e272549ac77da1e9e5ba

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
                Filesize

                276.1MB

                MD5

                2c501ee9b3ac046cb0e8fbed24275e13

                SHA1

                8aa1cddf5bf1de63d2c34d933bdcc4ffbc0d4461

                SHA256

                8a11062548c0839930405b193bc1f7ffc2ba8ea5cce6d84af4aab7705367a1ec

                SHA512

                cbfff0bd734f0b2615eacf822c46080598207fc32e5e47e23475a5d14b907412ed19fa35f3c861767e3205b79b72ba20e822d49cf6022749deb25b1459bf6471

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
                Filesize

                75.9MB

                MD5

                cc3b58d242b6b48bc7eb1a40252ab230

                SHA1

                e0e2c75f8a3f8571e6c3d7e8890ecd1fbe0d39e9

                SHA256

                d30c17c813a049fc6c97b32b3044e477122321e18e7059439579b9f28b2e0d50

                SHA512

                8ee462720db58d016d038df9efe72e40347d9a7de047a77c2332f0817b686875f0c571fb460fa1a89f5991f9e7814d26c8dec32f7e7b8c5c9ac7ff2594e02a7d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
                Filesize

                97.8MB

                MD5

                e3a90836b1457ae52afda05536234dcd

                SHA1

                8dc0857f2f50836a302a08dfc83394ab9cb67827

                SHA256

                9b881e5b8ec566c06d9011996999f08ddda4b2c4865a73d04efdc156a99ad16f

                SHA512

                acefad18365c8ec999bfb1d065a47999c31e96e2775ace7736eed5c809f28c9cd1fbcfec807780383932fb895e91504e2abd1363c1685e846b4a48493c37de75

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
                Filesize

                95.9MB

                MD5

                f546c1998343ffdbd93330efb55ad687

                SHA1

                afe495bf406e042876cc5d43a9ea12062a61af8c

                SHA256

                6fa39fd3a5ba5d867016a1aa9b00122fc293e9a3a2f638f18b8029dba5382b68

                SHA512

                cdb1e54b63cbcd25bbf6289ec647b08c69036e98bcb9e190f08ad255efdd96ccb8b0990ae28cc17907e6c4c5ae4e806210565fee4bb2fb2e0e6da942a02ff18e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setupov16.exe
                Filesize

                69.8MB

                MD5

                299aee11554a8bcf80877d4a1a3afc56

                SHA1

                d588279256af71479077ccf3fe1ecebeb767f132

                SHA256

                5fc9ef0f27d7762372730796df4457b20ad5b618c86a87931aced401d9a6f81d

                SHA512

                c29de7bd37510eefc9f307553b03a63f4459f6bd14dd3b39a5751f873b7cfad485f336188da6b1edcf74fe347eeb27728bfee9984478f47256978348b6387004

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setupov16.exe
                Filesize

                68.2MB

                MD5

                b25433dd3871d6c64fb22470645584b5

                SHA1

                a5f16f57595fd66ae0bc005803a2c0a6b35f4d6b

                SHA256

                5c194c25ff85a7408b71957ab0f38665370e067b0cd4eb32043e6c603d446615

                SHA512

                bdd6c56238419f58963b4d19a699877fd86010bfd163a20f910ad20a2663a087dee83458badd1ec66f5da651153745985858ff31be428c1d481be1c1c5f4a551

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\setupov16.exe
                Filesize

                62.1MB

                MD5

                1a2e401b63bca318d584131ff3b60b18

                SHA1

                26671184c795b5a6753d075658c547d069cef43c

                SHA256

                a79cb5ff4a4503a95aff32a0c49070589eaafdeb4d7cffd2ee2a0e115ab2a095

                SHA512

                062cbfb36fda6c37733ad8ba1957c3303512c62b2526a8f4390a030cd728ba4e75ec127e77bf7c028a465e495032b5aa574bb3e87a1eac5d073406e0fcdc228b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\setupov16.exe
                Filesize

                61.5MB

                MD5

                f91fe54dfb68175318aa09c12db7e7ad

                SHA1

                112da13de1249a3354bf3b06dd93969c0e14c936

                SHA256

                979a1fed7aca7a1f34f7ff09068bda5d89c2449d188782d38e91aa8eca4918c2

                SHA512

                f313276ff418ef39148ef5bfe6aacc532d6e5c42f7430501db1e79a56659a9d0285bbe64c780c7484a9a2f7d6979af84d1a492623e80b5f4258b2f4b263201de

                Download Submit

              • memory/4364-148-0x0000000005FE0000-0x0000000006046000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4364-149-0x00000000060C0000-0x0000000006126000-memory.dmp

                Filesize

                408KB

                Download

              • memory/4364-153-0x00000000066E0000-0x00000000066FE000-memory.dmp

                Filesize

                120KB

                Download

              • memory/4364-155-0x0000000007D40000-0x00000000083BA000-memory.dmp

                Filesize

                6.5MB

                Download

              • memory/4364-156-0x0000000006BE0000-0x0000000006BFA000-memory.dmp

                Filesize

                104KB

                Download

              • memory/4488-146-0x00000000028F0000-0x0000000002926000-memory.dmp

                Filesize

                216KB

                Download

              • memory/4488-147-0x0000000004FF0000-0x0000000005618000-memory.dmp

                Filesize

                6.2MB

                Download

              • memory/4852-143-0x0000000006340000-0x0000000006362000-memory.dmp

                Filesize

                136KB

                Download

              • memory/4852-139-0x00000000006C0000-0x00000000006C8000-memory.dmp

                Filesize

                32KB

                Download