Analysis Overview
SHA256
31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b
Threat Level: Known bad
The file 2d046356adc419adef4049f5ec0529fa.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Detect PureCrypter injector
PureCrypter
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-02-26 06:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-26 06:35
Reported
2023-02-26 06:37
Platform
win7-20230220-en
Max time kernel
150s
Max time network
33s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe
"C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe"
Network
Files
memory/1268-54-0x0000000000350000-0x000000000049C000-memory.dmp
memory/1268-55-0x0000000004C70000-0x0000000004EF4000-memory.dmp
memory/1268-56-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-57-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-59-0x00000000047A0000-0x00000000047E0000-memory.dmp
memory/1268-62-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-60-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-64-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-68-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-66-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-70-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-72-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-74-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-76-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-80-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-78-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-84-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-82-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-86-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-88-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-94-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-92-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-90-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-96-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-98-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-100-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-104-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-102-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-106-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-108-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-110-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-114-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-112-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-120-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-118-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-116-0x0000000004C70000-0x0000000004EEF000-memory.dmp
memory/1268-747-0x00000000047A0000-0x00000000047E0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-26 06:35
Reported
2023-02-26 06:37
Platform
win10v2004-20230220-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
RedLine
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4492 set thread context of 3152 | N/A | C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe
"C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 8.8.8.8:53 | amrican-sport-live-stream.cc | udp |
| NL | 193.142.146.212:4581 | amrican-sport-live-stream.cc | tcp |
| NL | 193.142.146.212:4581 | amrican-sport-live-stream.cc | tcp |
Files
memory/4492-133-0x0000000000190000-0x00000000002DC000-memory.dmp
memory/4492-134-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-135-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-137-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-138-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/4492-140-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-142-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-144-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-146-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-148-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-150-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-152-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-154-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-156-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-158-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-160-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-162-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-164-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-166-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-168-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-170-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-172-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-174-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-176-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-178-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-180-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-182-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-184-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-186-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-188-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-190-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-192-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-194-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-196-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-198-0x0000000004C40000-0x0000000004EBF000-memory.dmp
memory/4492-782-0x0000000004C30000-0x0000000004C40000-memory.dmp
memory/4492-10324-0x0000000000850000-0x0000000000872000-memory.dmp
memory/4492-10325-0x0000000005110000-0x0000000005176000-memory.dmp
memory/4492-10326-0x0000000036710000-0x00000000367A2000-memory.dmp
memory/4492-10327-0x0000000036D60000-0x0000000037304000-memory.dmp
memory/3152-10330-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3152-10331-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/3152-10332-0x000000000AA60000-0x000000000B078000-memory.dmp
memory/3152-10333-0x000000000A5A0000-0x000000000A6AA000-memory.dmp
memory/3152-10334-0x000000000A4D0000-0x000000000A4E2000-memory.dmp
memory/3152-10335-0x000000000A530000-0x000000000A56C000-memory.dmp
memory/3152-10336-0x0000000004DB0000-0x0000000004DC0000-memory.dmp