purecrypter | e535bc5f201f84ccd46ecc2374ae4213b46456d8c027d44f58700579018c5264

Analysis

max time kernel
131s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
19-02-2023 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Hogwarts Legacy by Empress.exe
Size

326.4MB
MD5

7a1c6ba99ba81106917acf37c8711bac
SHA1

4b08c2a3d26242d209d45f086f001f4b66a6c31a
SHA256

e535bc5f201f84ccd46ecc2374ae4213b46456d8c027d44f58700579018c5264
SHA512

b9a234411630edc3029d62954a874714d911704d92db94a27323dec77c4334187ab1608ebf527b90a8d461254364d82c616dfdd31cf0739ff6f026e04def8686
SSDEEP

1536:3rae78zjORCDGwfdCSog013131Zs5gW0MuiNcL3IIG4BLpr:dahKyd2n31F253ObL3IIG4xl

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Extracted

Family

purecrypter

http://comicmaster.org.uk/img/css/design/fabric/bo/Kvxut.dat

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Executes dropped EXE 2 IoCs

pid	Process
820	setupov16.exe
1964	setupov16.exe

Loads dropped DLL 1 IoCs

pid	Process
820	setupov16.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Hogwarts Legacy by Empress.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Hogwarts Legacy by Empress.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 820 set thread context of 1964	820	setupov16.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1788	powershell.exe
1644	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	setupov16.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 820	1728	Hogwarts Legacy by Empress.exe	28
PID 1728 wrote to memory of 820	1728	Hogwarts Legacy by Empress.exe	28
PID 1728 wrote to memory of 820	1728	Hogwarts Legacy by Empress.exe	28
PID 1728 wrote to memory of 820	1728	Hogwarts Legacy by Empress.exe	28
PID 1728 wrote to memory of 820	1728	Hogwarts Legacy by Empress.exe	28
PID 1728 wrote to memory of 820	1728	Hogwarts Legacy by Empress.exe	28
PID 1728 wrote to memory of 820	1728	Hogwarts Legacy by Empress.exe	28
PID 820 wrote to memory of 1788	820	setupov16.exe	29
PID 820 wrote to memory of 1788	820	setupov16.exe	29
PID 820 wrote to memory of 1788	820	setupov16.exe	29
PID 820 wrote to memory of 1788	820	setupov16.exe	29
PID 820 wrote to memory of 760	820	setupov16.exe	31
PID 820 wrote to memory of 760	820	setupov16.exe	31
PID 820 wrote to memory of 760	820	setupov16.exe	31
PID 820 wrote to memory of 760	820	setupov16.exe	31
PID 760 wrote to memory of 1644	760	cmd.exe	33
PID 760 wrote to memory of 1644	760	cmd.exe	33
PID 760 wrote to memory of 1644	760	cmd.exe	33
PID 760 wrote to memory of 1644	760	cmd.exe	33
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34
PID 820 wrote to memory of 1964	820	setupov16.exe	34

C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress.exe
"C:\Users\Admin\AppData\Local\Temp\Hogwarts Legacy by Empress.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    3⤵
    - Executes dropped EXE
    PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
362.4MB

MD5
bdefa58976786e95522af2cac8268e4a

SHA1
00073f4702ccbc7cb9de4e6ff6bfa028e9169137

SHA256
881f8a9d8b2c2650c9dc66076983941baeeb81ea9bf19d9a1e8904fed70ace12

SHA512
5cf26b14502e1bfe6504fe7be0e8b60afbae7cac788f755f76b49800e783260029210579d9ff57bd99e5559731a06593c373df616c09365e9e42456168f7bfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
362.4MB

MD5
bdefa58976786e95522af2cac8268e4a

SHA1
00073f4702ccbc7cb9de4e6ff6bfa028e9169137

SHA256
881f8a9d8b2c2650c9dc66076983941baeeb81ea9bf19d9a1e8904fed70ace12

SHA512
5cf26b14502e1bfe6504fe7be0e8b60afbae7cac788f755f76b49800e783260029210579d9ff57bd99e5559731a06593c373df616c09365e9e42456168f7bfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
362.4MB

MD5
bdefa58976786e95522af2cac8268e4a

SHA1
00073f4702ccbc7cb9de4e6ff6bfa028e9169137

SHA256
881f8a9d8b2c2650c9dc66076983941baeeb81ea9bf19d9a1e8904fed70ace12

SHA512
5cf26b14502e1bfe6504fe7be0e8b60afbae7cac788f755f76b49800e783260029210579d9ff57bd99e5559731a06593c373df616c09365e9e42456168f7bfb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
37ff67f6f65ad2d6356ca8dd546e761d

SHA1
2fff55d1c0ef5942ac82de05306da4ddb4239a78

SHA256
f28286fa593f5d68ac39b949e4adafafc5fdfc23b54686b4cf54a711d25c8706

SHA512
37f5da67aca20402d6509375930049a4a91374b0596209833ab517bd1286cf3dabc45f7de291dcc035d94d1b984f3b0832173c27d41f5f4f0ecbff219afc5788

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
362.4MB

MD5
bdefa58976786e95522af2cac8268e4a

SHA1
00073f4702ccbc7cb9de4e6ff6bfa028e9169137

SHA256
881f8a9d8b2c2650c9dc66076983941baeeb81ea9bf19d9a1e8904fed70ace12

SHA512
5cf26b14502e1bfe6504fe7be0e8b60afbae7cac788f755f76b49800e783260029210579d9ff57bd99e5559731a06593c373df616c09365e9e42456168f7bfb0

Download Submit
memory/820-57-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/820-58-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/820-59-0x0000000005B50000-0x0000000005BFA000-memory.dmp

Filesize
680KB

Download
memory/820-60-0x00000000004E0000-0x00000000004F4000-memory.dmp

Filesize
80KB

Download
memory/1644-81-0x000000006F1B0000-0x000000006F75B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-83-0x000000006F1B0000-0x000000006F75B000-memory.dmp

Filesize
5.7MB

Download
memory/1644-82-0x000000006F1B0000-0x000000006F75B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-65-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-63-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-64-0x000000006F1E0000-0x000000006F78B000-memory.dmp

Filesize
5.7MB

Download
memory/1964-71-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1964-74-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1964-76-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1964-77-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1964-70-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download