Malware Analysis Report

2024-11-13 16:42

Sample ID 230227-l39rdsda95
Target bypass_ps1_extracted_pe_file
SHA256 8bbf3420ad5b1e7283ecc131dd720728a0ebaba799d9084509c8a47b8efe1cb0
Tags
purecrypter downloader loader
score
10/10

Analysis Overview

score
10/10

SHA256

8bbf3420ad5b1e7283ecc131dd720728a0ebaba799d9084509c8a47b8efe1cb0

Threat Level: Known bad

The file bypass_ps1_extracted_pe_file was found to be: Known bad.

Malicious Activity Summary

purecrypter downloader loader

Detect PureCrypter injector

PureCrypter

Checks computer location settings

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-27 10:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-27 10:04

Reported

2023-02-27 10:07

Platform

win7-20230220-en

Max time kernel

113s

Max time network

111s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
(34 hits for this signature; Description, Indicator, Process and Target are N/A for every hit)

PureCrypter

loader downloader purecrypter

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe

"C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe"

Network

Country Destination Domain Proto
US 163.123.142.210:80 163.123.142.210 tcp

Files

memory/1048-54-0x0000000000A80000-0x0000000000AAE000-memory.dmp

memory/1048-55-0x000000001B070000-0x000000001B0F0000-memory.dmp

memory/1048-56-0x000000001C560000-0x000000001C842000-memory.dmp

memory/1048-57-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-58-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-60-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-62-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-64-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-66-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-68-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-70-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-72-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-74-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-76-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-78-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-80-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-82-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-84-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-86-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-88-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-90-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-92-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-94-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-96-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-98-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-100-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-102-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-104-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-106-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-108-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-110-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-112-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-114-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-116-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-118-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-120-0x000000001C560000-0x000000001C83C000-memory.dmp

memory/1048-300-0x000000001B070000-0x000000001B0F0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-27 10:04

Reported

2023-02-27 10:07

Platform

win10v2004-20230220-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe"

Signatures

Detect PureCrypter injector

loader
Description Indicator Process Target
(33 hits for this signature; Description, Indicator, Process and Target are N/A for every hit)

PureCrypter

loader downloader purecrypter

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe

"C:\Users\Admin\AppData\Local\Temp\bypass_ps1_extracted_pe_file.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

(The -ENC argument is base64 of a UTF-16LE string; it decodes to: start-sleep -seconds 20)

Network

Country Destination Domain Proto
US 163.123.142.210:80 163.123.142.210 tcp
US 8.8.8.8:53 210.142.123.163.in-addr.arpa udp
NL 8.238.178.254:80 N/A tcp
NL 8.238.178.254:80 N/A tcp
NL 8.238.178.254:80 N/A tcp
US 8.8.8.8:53 29.220.184.93.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
IE 13.69.239.73:443 N/A tcp
NL 173.223.113.164:443 N/A tcp
NL 173.223.113.131:80 N/A tcp
US 131.253.33.203:80 N/A tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 93.184.221.240:80 N/A tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp

Files

memory/1524-133-0x000001AB047A0000-0x000001AB047CE000-memory.dmp

memory/1524-134-0x000001AB1F740000-0x000001AB1F750000-memory.dmp

memory/1524-135-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-136-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-138-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-140-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-142-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-144-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-146-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-148-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-150-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-152-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-154-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-156-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-158-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-160-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-162-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-164-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-166-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-168-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-170-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-172-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-174-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-176-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-178-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-180-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-182-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-184-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-186-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-188-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-190-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-192-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-194-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-196-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-198-0x000001AB1F890000-0x000001AB1FB6C000-memory.dmp

memory/1524-396-0x000001AB1F740000-0x000001AB1F750000-memory.dmp

memory/1524-10300-0x000001AB1FB70000-0x000001AB1FB92000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sk0lg1xu.wxh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1524-10310-0x000001AB1F740000-0x000001AB1F750000-memory.dmp

memory/1524-10311-0x000001AB1F740000-0x000001AB1F750000-memory.dmp

memory/5000-10312-0x000001C2F3A00000-0x000001C2F3A10000-memory.dmp

memory/5000-10313-0x000001C2F3A00000-0x000001C2F3A10000-memory.dmp

memory/1524-10314-0x000001AB1F740000-0x000001AB1F750000-memory.dmp

memory/1524-10315-0x000001AB1F740000-0x000001AB1F750000-memory.dmp

memory/5000-10316-0x000001C2F3A00000-0x000001C2F3A10000-memory.dmp

memory/5000-10317-0x000001C2F3A00000-0x000001C2F3A10000-memory.dmp