purecrypter | 92c2987eb7f67ab9085cd3675d5e7324d2e51d3d6a4f69d6c1cf9d6fe9c6f669

Resubmissions

19-02-2023 00:19

230219-al7d6aea56 10

19-02-2023 00:13

230219-ah77aadd5x 7

Analysis

max time kernel
63s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2023 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[NEW] Hogwarts Legacy by Empress.zip
Size

33.3MB
MD5

97063fcaee93d46a4d0feb60483fbc38
SHA1

e12275f8f8f8050b22724c651e6ca9d1f7fc411c
SHA256

92c2987eb7f67ab9085cd3675d5e7324d2e51d3d6a4f69d6c1cf9d6fe9c6f669
SHA512

6ff3d4ff6ab3f2213ba6f962dbc1916bc100a9000336e24602026989fda96c7c472b2af8c33100f6c63b2433789d6b105e47595ce868f0a49ce8dc16006e1ca0
SSDEEP

786432:JE8Cti21i5bvj510RE5Fu4syo3TF7dnNZ/0sjJMuMwa4liCbuXzhVgrD:JE8CtioovV10RErtPq7qs9DMX4l9buj0

Score

10^/10

purecrypter downloader loader persistence

Malware Config

Extracted

Family

purecrypter

http://comicmaster.org.uk/img/css/design/fabric/bo/Kvxut.dat

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	setupov16.exe

Executes dropped EXE 4 IoCs

pid	Process
2028	Hogwarts Legacy by Empress.exe
3668	Hogwarts Legacy by Empress.exe
3364	setupov16.exe
4336	setupov16.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Hogwarts Legacy by Empress.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Hogwarts Legacy by Empress.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	Hogwarts Legacy by Empress.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Hogwarts Legacy by Empress.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3972	powershell.exe
3972	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4436	7zG.exe
Token: 35	4436	7zG.exe
Token: SeSecurityPrivilege	4436	7zG.exe
Token: SeSecurityPrivilege	4436	7zG.exe
Token: SeDebugPrivilege	3364	setupov16.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	4336	setupov16.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4436	7zG.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2028	Hogwarts Legacy by Empress.exe
3668	Hogwarts Legacy by Empress.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3364	2028	Hogwarts Legacy by Empress.exe	98
PID 2028 wrote to memory of 3364	2028	Hogwarts Legacy by Empress.exe	98
PID 2028 wrote to memory of 3364	2028	Hogwarts Legacy by Empress.exe	98
PID 3364 wrote to memory of 3972	3364	setupov16.exe	99
PID 3364 wrote to memory of 3972	3364	setupov16.exe	99
PID 3364 wrote to memory of 3972	3364	setupov16.exe	99
PID 3668 wrote to memory of 4336	3668	Hogwarts Legacy by Empress.exe	101
PID 3668 wrote to memory of 4336	3668	Hogwarts Legacy by Empress.exe	101
PID 3668 wrote to memory of 4336	3668	Hogwarts Legacy by Empress.exe	101

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress.zip"
1⤵
PID:1268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3352

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\" -spe -an -ai#7zMap26991:144:7zEvent6501
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4436

C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3364
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    PID:2032
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      PID:3672
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    3⤵
    PID:4372
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    3⤵
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    3⤵
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe
    3⤵
    PID:4492

C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe
"C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setupov16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setupov16.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    3⤵
    PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
82a5236e11da5e819192550f23a93d1b

SHA1
b6a0f16db16c1a94f1003d1161db124cf90d0188

SHA256
ab84be03013c158d759eec516e43c2e25184f4c184f64e0dfd27051d61a239f3

SHA512
0fab68a18845c92952db65c7a60633811e8fae7ba9a0a2988287888cb329f693052fef13c98d2cf2c4ffaa9cd161404ee3b0b269a1c68e164046f9394bd5d217

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
211.9MB

MD5
8813293fb677e1db183a410a63e4e440

SHA1
7169f6c08202a9089fd35d15f7751f7712e33c9a

SHA256
b602f82f6f9c0f0a6a103f7b98712c69b4078699f7009a80888e1ff47ccf2e7b

SHA512
1028a041794800ab189a19ec29c5050f28176a37fff744ccff87d07c0af3ea64ebcd8c8e8446940b66327b819a8b133fa047a5558e3101abb631f3f8fe60b1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
219.6MB

MD5
10fcf4d3abb492ddd0e54cb6ff612b60

SHA1
1624da1328787f96116c1386fd81d8ba20b24ae1

SHA256
8cd647c7cf70827a6067692c3197fc9c3f7dd727184501c122f7eb8a698b6bfe

SHA512
3108d846ada9e1a461cbedc39145e171b54880bc7f53e0e14cf188c04980aaf2257f09cc22094c89e5a98a6926fe7264c27fa2fb53e535b87af0304a013424ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
52.2MB

MD5
b99a83777865cf7f9d4c437f4a9f58d4

SHA1
6a713a5e0a3eeb7b848386109350be18e42d2917

SHA256
720a9d6e2dd8b5172eae0e4a01e0f3f19c88345d03174f4023c2f7055b477cbe

SHA512
371e15c2472a483913fda7bc48168cf01934cb86819862756cf8c1d311ce75a08a7b278541348e1bc718cee7f8232128097fff44e8bf456f97dc16f3f9365f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
51.7MB

MD5
4035ca97546fbc4f50e47aaf85beba4a

SHA1
18902bdc2ee3666b4af11f0a25790410d9d741f7

SHA256
6829eed0ee78d3828ac6526a22c0a50072cca5a4c4d445a3d643358536558a8e

SHA512
9476d1bf586e96928ff3228bffc7aa08d305e2eda5e279253caf800132336cff8ac5428b103239bf2e64fb7ebb2de8027de7983fd93eff7aeedaedd0efcdec4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
51.6MB

MD5
3cdf0d3b7e973e0e517eb3df1872ef2b

SHA1
a41f9451475c0478865d54178c10ac6830085b32

SHA256
7ed3ab2d874da9fca0242bfcab315d001ee29885baaecb6f9ff11c8f788a3bfa

SHA512
2b487afd12f378bfbbdcca90c877280a5236a43c89f532d6eac44851e2ca0892c4026af56b56f3938d14931c3d4e7fb14c7a5bd51ddd10ef3ec0a6e8bcd9ae64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setupov16.exe

Filesize
51.4MB

MD5
7eb215d1e31ddc224c351dc8fef95381

SHA1
906e6800507fd2aa95ab076cdfb630a1e66b9d91

SHA256
9cabffe3243b6107ba61ac87559280d43824960df2f14bab2fda0fde6603fff1

SHA512
45ae61194cce9b5f968198e3a0dffabb0283ad7f41a5b2af4b149d2c574f267238dc081594db0e213372869bdbb4dd606af851510aa8a1ad7e619b8110c8859a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setupov16.exe

Filesize
186.6MB

MD5
69396b14e131003c27b3eaa82521e095

SHA1
fb65b220bc7a52a4518a4661f29877ba9046fb1a

SHA256
3f907792bf782ff1d8f9498e6a4e30a1d85b14eb91e1337460cc5704a123fcb6

SHA512
9f60060fed48e3f91ccbedd1ab347785f732592a574298e42311fe362a6ed7accde5d31833c02988d8d85d967de8b3d575bafe58c1a52922da723041a5144224

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setupov16.exe

Filesize
186.8MB

MD5
c362f714c517f9c9d867b1f160f29a8a

SHA1
b6b2cc44a87958e0007ff1bff6fb3aee5678be74

SHA256
4858bbc10c6adcc0b8755fcfac9ec972bb38875d6d913e62f4c1d538ad0e8988

SHA512
fa81c67ccc4ef4075b0c901e556f76b4401e083193ea1f4c9dc19405465a11aae79417d745c8c857c868aa0922b2958de7af100abd40fbe553a81b4d7fbc6bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

Filesize
364.5MB

MD5
89960d686de53c8065d0d846cd8cee84

SHA1
a57909ccecc705350579896be4de376d941e1f11

SHA256
6c5b213951a3d1a029a32dbb580ae2ea54f6aa1d135afe01750945ca2acbb1d6

SHA512
0b7b1be52531780d4e43ae107e04c5843e8dffc2e09c18cbf74dfe8e1712e4ba278526cc356b2cd6deee939a295d2346b00da0a9f662c6c7c2f48fb6e167d8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

Filesize
361.1MB

MD5
b26fb548624967cc74b746896347d728

SHA1
119e32cdd273dfd19cfed14d9a73fa377e84bbda

SHA256
72cec91c63c3134c995bd4c89e57dde50ea7add1f1323ff152713968d6544071

SHA512
8cb4dc9f1a3b637352edfda1b16bf3d100c75e844b300d625d94f5538dcf65cc8726aece7bdea9b637ef277f8ce1ea0755c40db64edeaa9f043194271816852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\[NEW] Hogwarts Legacy by Empress\Hogwarts Legacy by Empress.exe

Filesize
252.6MB

MD5
50311d5c72860e53ed048ae9b777ac49

SHA1
7762499610dfdb13fdd433955690ab2678f89047

SHA256
98e59c0ad6274bcbd08b0387c7487991376306330e53b91a02db08f516269235

SHA512
9017aa0c32d91da277125f81dd50f7d66ca554c36dd2ea23a38edcea5911280d4a18008e07dda78202be9d2da9315a90922e1a5fbf32243d6d5e791abe1b0280

Download Submit
memory/3364-139-0x0000000005F50000-0x0000000005F72000-memory.dmp

Filesize
136KB

Download
memory/3364-138-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/3972-150-0x0000000007120000-0x000000000779A000-memory.dmp

Filesize
6.5MB

Download
memory/3972-145-0x0000000005A30000-0x0000000005A4E000-memory.dmp

Filesize
120KB

Download
memory/3972-141-0x0000000000D00000-0x0000000000D36000-memory.dmp

Filesize
216KB

Download
memory/3972-142-0x0000000004BD0000-0x00000000051F8000-memory.dmp

Filesize
6.2MB

Download
memory/3972-151-0x0000000005F30000-0x0000000005F4A000-memory.dmp

Filesize
104KB

Download
memory/3972-143-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/3972-144-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/4492-164-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4492-160-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download