Malware Analysis Report

2024-11-15 08:52

Sample ID 230225-b5tg3sbf98
Target d40448b5ac56cf8f2a4bbea8d22982c2.bin
SHA256 79d65e58254d7e5903ab9fb1e522099d67e3069054e3d61e67ce615d68b8ec7a
Tags
purecrypter downloader loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

79d65e58254d7e5903ab9fb1e522099d67e3069054e3d61e67ce615d68b8ec7a

Threat Level: Known bad

The file d40448b5ac56cf8f2a4bbea8d22982c2.bin was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader

PureCrypter

Purecrypter family

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-02-25 01:44

Signatures

Purecrypter family

purecrypter

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-25 01:44

Reported

2023-02-25 01:46

Platform

win10v2004-20230220-en

Max time kernel

96s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious use of AdjustPrivilegeToken

Description        | Indicator | Process                                                                                                              | Target
Token: SeDebugPrivilege | N/A  | C:\Users\Admin\AppData\Local\Temp\d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc.exe

"C:\Users\Admin\AppData\Local\Temp\d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 2000

Network

Country | Destination        | Domain                        | Proto
US      | 8.8.8.8:53         | 210.81.184.52.in-addr.arpa    | udp
US      | 8.8.8.8:53         | ashaambulanceservice.com      | udp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
US      | 8.8.8.8:53         | 24.53.225.43.in-addr.arpa     | udp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
US      | 8.8.8.8:53         | 96.108.152.52.in-addr.arpa    | udp
US      | 13.89.178.26:443   |                               | tcp
US      | 8.8.8.8:53         | 203.151.224.20.in-addr.arpa   | udp
US      | 209.197.3.8:80     |                               | tcp
US      | 93.184.220.29:80   |                               | tcp
US      | 209.197.3.8:80     |                               | tcp
NL      | 173.223.113.164:443 |                              | tcp

Files

memory/3820-133-0x0000000000030000-0x000000000004E000-memory.dmp

memory/3820-134-0x0000000005030000-0x00000000055D4000-memory.dmp

memory/3820-135-0x0000000004A80000-0x0000000004B12000-memory.dmp

memory/3820-136-0x00000000049F0000-0x0000000004A00000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-25 01:44

Reported

2023-02-25 01:46

Platform

win7-20230220-en

Max time kernel

29s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc.exe

"C:\Users\Admin\AppData\Local\Temp\d97bdbb4ad01f8873a141e7544160d070469b0c6865b823fec42184315b923cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1344

Network

Country | Destination        | Domain                        | Proto
US      | 8.8.8.8:53         | ashaambulanceservice.com      | udp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp
IN      | 43.225.53.24:443   | ashaambulanceservice.com      | tcp

Files

memory/1064-54-0x0000000000040000-0x000000000005E000-memory.dmp

memory/1064-55-0x00000000048A0000-0x00000000048E0000-memory.dmp

memory/1064-56-0x00000000048A0000-0x00000000048E0000-memory.dmp