Analysis Overview
SHA256
8bbf3420ad5b1e7283ecc131dd720728a0ebaba799d9084509c8a47b8efe1cb0
Threat Level: Known bad
The file bypass_ps1_extracted_pe_file was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter injector
PureCrypter
Checks computer location settings
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-27 10:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-27 10:04
Reported
2023-02-27 10:07
Platform
win7-20230220-en
Max time kernel
113s
Max time network
111s
Command Line
Signatures
Detect PureCrypter injector
PureCrypter
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe
"C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe"
Network
| Country | Destination | Domain | Proto |
| US | 163.123.142.210:80 | 163.123.142.210 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-27 10:04
Reported
2023-02-27 10:07
Platform
win10v2004-20230220-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Detect PureCrypter injector
PureCrypter
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1524 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1524 wrote to memory of 5000 | N/A | C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe
"C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sk0lg1xu.wxh.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |