purecrypter | d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc | Triage

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-02-2023 13:23

Sharing

Report Analysis Logs

General

Target

rR40P23D.exe
Size

92KB
MD5

d40448b5ac56cf8f2a4bbea8d22982c2
SHA1

ad405a4f3ea892a80b696f7460de70bbb6b082f8
SHA256

d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc
SHA512

be9b6ffda6ebee70baa79bab24129150895bf5d06f0d634a1099e129bd63396c2f73e1c82115b6ca37df5aa5c406e3d1df2932e9a8dbeb927aacda727675082d
SSDEEP

384:IiZHmh0O/Lrw+Ke8QEoDeJisnDPnFw5sglcMhQM0u+GrCPHFYgMSXA:IgGhHzr8e8B1PnFusmcDCXrCPqEXA

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

C2

https://ashaambulanceservice.com/Vuzbri.bmp

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Program crash 1 IoCs

pid	pid_target	Process	procid_target
432	1212	WerFault.exe	27

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	rR40P23D.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 432	1212	rR40P23D.exe	28
PID 1212 wrote to memory of 432	1212	rR40P23D.exe	28
PID 1212 wrote to memory of 432	1212	rR40P23D.exe	28
PID 1212 wrote to memory of 432	1212	rR40P23D.exe	28

C:\Users\Admin\AppData\Local\Temp\rR40P23D.exe
"C:\Users\Admin\AppData\Local\Temp\rR40P23D.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1304
  2⤵
  - Program crash
  PID:432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-54-0x0000000000D70000-0x0000000000D8E000-memory.dmp

Filesize
120KB

Download
memory/1212-55-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/1212-56-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download