Analysis

max time kernel: 116s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-02-2023 07:31

Static task: static1

Behavioral task: behavioral1
  Sample: 29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe
  Resource: win10v2004-20230220-en
General

Target: 29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe
Size: 772KB
MD5: 66d87580c3b91f7d3e7220bc25d227d9
SHA1: 0f3363152110789a9808eefaeedb3f9ece505d14
SHA256: 29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff
SHA512: d34cadd2ebf2a78bd3fea3fd188f6b585cdbbba6eda79e089ff5ef12d1360bb71b87e93e031e317b962bd334e8ab76e117450d7425145467a200a350673b7483
SSDEEP: 3072:iahKyd2n31Kl58fVwCRt++Ny1Nat3xpGc8rApo04Ya9veML:iahOomVwSt++AatKL9x
Malware Config

Extracted: purecrypter
  Payload URL: http://comicmaster.org.uk/img/css/design/fabric/bo/Qzxoye.dll

Extracted: redline
  Botnet: @NekoChan815
  C2: 45.15.157.131:36457
  auth_value: 27e91af9bac7df060a7c43fed05eded6
Signatures

PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | ablenetwov.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4168 | ablenetwov.exe
  2156 | ablenetwov.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | 29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4168 set thread context of 2156 | 4168 | ablenetwov.exe | 89

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2224 | powershell.exe (2 entries)
  3984 | powershell.exe (2 entries)
  2156 | ablenetwov.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4168 | ablenetwov.exe
  Token: SeDebugPrivilege | 2224 | powershell.exe
  Token: SeDebugPrivilege | 3984 | powershell.exe
  Token: SeDebugPrivilege | 2156 | ablenetwov.exe

Suspicious use of WriteProcessMemory (20 IoCs; repeated entries collapsed with their counts)
  description | pid | Process | procid_target
  PID 1020 wrote to memory of 4168 | 1020 | 29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe | 83 (3 entries)
  PID 4168 wrote to memory of 2224 | 4168 | ablenetwov.exe | 85 (3 entries)
  PID 4168 wrote to memory of 4416 | 4168 | ablenetwov.exe | 87 (3 entries)
  PID 4168 wrote to memory of 2156 | 4168 | ablenetwov.exe | 89 (8 entries)
  PID 4416 wrote to memory of 3984 | 4416 | cmd.exe | 90 (3 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\29bf5e24622d2f6d36d6d08b10fe303dc483feb846a01717545f00fddd320bff.exe"
   PID: 1020
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ablenetwov.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ablenetwov.exe
      PID: 4168
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
         (the -ENC argument is UTF-16LE base64 and decodes to: start-sleep -seconds 35)
         PID: 2224
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
         (the -ENC argument is UTF-16LE base64 and decodes to: set-mppreference -exclusionpath C:\)
         PID: 4416
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
            PID: 3984
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      3. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ablenetwov.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ablenetwov.exe
         PID: 2156
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads