purecrypter | f9cedf4358e6229bcc82dad28fd7fe3893f69ac237a30cc343d7aff182bfd025

Resubmissions

19-02-2023 00:09

230219-aftk4sdd4z 10

19-02-2023 00:00

230219-aacqeaea43 7

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2023 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[NEW] Hogwarts Legacy by Empress.rar
Size

29.7MB
MD5

cfd8232e140eab8777b8f991ae366340
SHA1

32d5220d626962ca2c9c7990ac0799307883e169
SHA256

f9cedf4358e6229bcc82dad28fd7fe3893f69ac237a30cc343d7aff182bfd025
SHA512

c5fe83ea69eed717dbeb7e234f39e42b18f5ce77e6725aee1740dcc92c1d6460f5209f2511c8ce9d9faff66dff25370427a73bb5e0c7624c45929dba1d3c3d63
SSDEEP

786432:wt2vfABLUXxAAP+wKYFAb314QQ4VUqTjCG0HaGkgOLBazdA:wGdxYJ32QQ4VleG3gOYz2

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Extracted

Family

purecrypter

http://comicmaster.org.uk/img/css/design/fabric/bo/Kvxut.dat

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	setupov16.exe

Executes dropped EXE 2 IoCs

pid	Process
4524	Hogwarts Legacy by Empress.exe
960	setupov16.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Hogwarts Legacy by Empress.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Hogwarts Legacy by Empress.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4412	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4924	7zG.exe
Token: 35	4924	7zG.exe
Token: SeSecurityPrivilege	4924	7zG.exe
Token: SeSecurityPrivilege	4924	7zG.exe
Token: SeDebugPrivilege	960	setupov16.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4924	7zG.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4412	OpenWith.exe
4524	Hogwarts Legacy by Empress.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 960	4524	Hogwarts Legacy by Empress.exe	97
PID 4524 wrote to memory of 960	4524	Hogwarts Legacy by Empress.exe	97
PID 4524 wrote to memory of 960	4524	Hogwarts Legacy by Empress.exe	97

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress.rar"
1⤵
- Modifies registry class
PID:4612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5044

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\" -spe -an -ai#7zMap20438:144:7zEvent26585
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4924

C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    3⤵
    PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
179.4MB

MD5
db0d4087ecfcafdd78c4ca0242bfe350

SHA1
714ad8a8770a9fdcfa84789d51951e3b5cdb61f8

SHA256
9f35af90ebf67c67750876b977e54717348e40e44219db47b3e15adefb10897a

SHA512
8ebdbaffb08ec77a8088f892e3d1c842086a6547c96c56235767cb3bde0d814cbdab712ff8b20a0126e251e9dca510abad421586bb587c1ae535d083251a1569

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
263.8MB

MD5
1728c54ac2628de0c864baad5a9be0e4

SHA1
445479a0abacec8991d55c7773b1dc0340faac49

SHA256
3cf32bb4b98866ba695d46dceddaf432f19b1d596637ad5785343a66f7da3b2b

SHA512
309105e88b3bb263ca829520d0726e3a7f920e462375891a226a6647e2da7e1040616235d17666af13b475393ad2bad47871e51521fa452889eef019250ea1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

Filesize
645.4MB

MD5
357c0d240e3d7275d92305b083221a69

SHA1
b1c58cec74e508e158d77144cda6a53a858fdbfd

SHA256
c9d05c1a046bd940cd7ec21f4ffdb866901b060f3628852db64997a698625976

SHA512
66a39d3004baf7c1dfa47ad800a4e0c1cb9c73979d0005337e575b664e765992deebf2b5c5b27a59755968ef62e40647712753c8403d10b8e32d82c1194c25dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

Filesize
654.0MB

MD5
88bcc9cce14b0f4a755c8c50cc2a7d57

SHA1
51ec02afa0d1b6dd76f358fb54b80cdb8f407153

SHA256
029cb11d87e8983574a838747292a48c19def4c8220ac926c79c777f9c65511a

SHA512
f84637e720c17c01712167d3330736fc360b238a4de09c3be136e88aa991c1e14f76c1e3ea6d5696f7b551864de70e1f5214a70a4ac6d8130d18543460dc291d

Download Submit
memory/960-137-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/960-138-0x0000000006000000-0x0000000006022000-memory.dmp

Filesize
136KB

Download