purecrypter | 9778c6d49c3ab49c7fd8c4bbbffd5e16aeca9ee0074a9c0854a55adde768e03e | Triage

Analysis

max time kernel
119s
max time network
109s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-02-2023 16:06

Sharing

Report Analysis Logs

General

Target

file.exe
Size

195KB
MD5

b9242c8c1b0d0beb00c9d67a20e85c73
SHA1

43592d357c784c64b4182f7d04f293738ea8e848
SHA256

9778c6d49c3ab49c7fd8c4bbbffd5e16aeca9ee0074a9c0854a55adde768e03e
SHA512

e627268ac515cfeadcb44d6bd39c636855d94d523e31362be414b0245cb45cf2def518cadb656db894d54af50d95bd5e73b68f87c34fcbf9dd2c9b033a8d9693
SSDEEP

1536:fLMoVToraIlrxCka52oXKsuWoZxX6zaTlz5vF:fLMoFsVK2OKsuWoZxqaz

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

C2

http://rssh.li/panel/uploads/Sutpvfujdol.bmp

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Program crash 1 IoCs

pid	pid_target	Process	procid_target
748	1820	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	file.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 748	1820	file.exe	28
PID 1820 wrote to memory of 748	1820	file.exe	28
PID 1820 wrote to memory of 748	1820	file.exe	28
PID 1820 wrote to memory of 748	1820	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1256
  2⤵
  - Program crash
  PID:748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-54-0x00000000009A0000-0x00000000009D2000-memory.dmp

Filesize
200KB

Download
memory/1820-55-0x00000000757B1000-0x00000000757B3000-memory.dmp

Filesize
8KB

Download