Malware Analysis Report

2024-11-15 08:52

Sample ID 230226-hcb6nafh41
Target 2d046356adc419adef4049f5ec0529fa.exe
SHA256 31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b
Tags
purecrypter downloader loader redline z2k infostealer
Score
10/10

Analysis Overview

Score
10/10

SHA256

31e477a3732cf4d377bbb89c5a5a3763dadd3581ce07534bb4fc54efb951823b

Threat Level: Known bad

The file 2d046356adc419adef4049f5ec0529fa.exe was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader redline z2k infostealer

RedLine

Detect PureCrypter injector

PureCrypter

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-02-26 06:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-26 06:35

Reported

2023-02-26 06:37

Platform

win7-20230220-en

Max time kernel

150s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe"

Signatures

Detect PureCrypter injector

loader

PureCrypter

loader downloader purecrypter

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe

"C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-26 06:35

Reported

2023-02-26 06:37

Platform

win10v2004-20230220-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe"

Signatures

Detect PureCrypter injector

loader

PureCrypter

loader downloader purecrypter

RedLine

infostealer redline

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4492 set thread context of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4492 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4492 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe

"C:\Users\Admin\AppData\Local\Temp\2d046356adc419adef4049f5ec0529fa.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 93.184.220.29:80 N/A tcp
US 93.184.220.29:80 N/A tcp
US 93.184.220.29:80 N/A tcp
US 209.197.3.8:80 N/A tcp
NL 173.223.113.164:443 N/A tcp
NL 173.223.113.131:80 N/A tcp
US 131.253.33.203:80 N/A tcp
US 8.8.8.8:53 amrican-sport-live-stream.cc udp
NL 193.142.146.212:4581 amrican-sport-live-stream.cc tcp
NL 193.142.146.212:4581 amrican-sport-live-stream.cc tcp

Files