purecrypter | 78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-02-2023 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1.exe
Size

110KB
MD5

0ede257a56a6b1fbd2b1405568b44015
SHA1

bffba8a4cc2ba225b51d1650c3db80198175f842
SHA256

78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1
SHA512

ca727b6d5ce27efd72193c82b58f8fcae03463a5bcd71c94d02375a5127b69db904b83de8a6c5322ddbf8a40a2ad0719cd053152bff82ede9e4167f3b9285c7c
SSDEEP

384:49OYSG2piL6CM9QXr5bCbFxlYh6GmTx3qpWV4U6DPl3YlTloNlvcloNlvAlfYlNP:49OPe29QXr5qFx2YnJqy6CV

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://cents-ability.org/loader/uploads/withoutstartup_Wacutryp.jpg

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
628	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1408	78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1548	1408	78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1.exe	28
PID 1408 wrote to memory of 1548	1408	78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1.exe	28
PID 1408 wrote to memory of 1548	1408	78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1.exe	28
PID 1408 wrote to memory of 1548	1408	78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1.exe	28
PID 1548 wrote to memory of 628	1548	cmd.exe	30
PID 1548 wrote to memory of 628	1548	cmd.exe	30
PID 1548 wrote to memory of 628	1548	cmd.exe	30
PID 1548 wrote to memory of 628	1548	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1.exe
"C:\Users\Admin\AppData\Local\Temp\78ee0644bbe5776bbf4474fa112e69da56a250d40357f7b09ddf09e0de117ea1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c ping google.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\PING.EXE
    ping google.com
    3⤵
    - Runs ping.exe
    PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-54-0x0000000000BA0000-0x0000000000BC2000-memory.dmp

Filesize
136KB

Download
memory/1408-55-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download
memory/1408-56-0x0000000004B00000-0x0000000004B40000-memory.dmp

Filesize
256KB

Download