purecrypter | 6f18c519197668bbf6db0fe9bf290d3d38d656f0c197e3a02cd6018ef5477991 | Triage

Analysis

max time kernel
117s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2023 16:06

Sharing

Report Analysis Logs

General

Target

file.exe
Size

195KB
MD5

d749a68e8a626d1fa86c707999e19828
SHA1

5e1fdde69d8d018b712e2d86b1bc0b664477dfd9
SHA256

6f18c519197668bbf6db0fe9bf290d3d38d656f0c197e3a02cd6018ef5477991
SHA512

d28609a3aba8376c24c2dda9810d5ba01a7d1503f1aaa930ee127d700339c2bbb45d4f94e24ee4333ef5884489733f60df751ce4a8d446bcb5169cd1292a0f88
SSDEEP

1536:KMDOTOoIaNlrxCka5SjXKT/aoA2O6zaTlz5vF:KMaDzVKSbKT/aoA2naz

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

C2

http://rssh.li/panel/uploads/Jnjztslzr.png

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4380	4972	WerFault.exe	80

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1784
  2⤵
  - Program crash
  PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4972 -ip 4972
1⤵
PID:1912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4972-132-0x00000000001C0000-0x00000000001F2000-memory.dmp

Filesize
200KB

Download
memory/4972-133-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/4972-134-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download