Analysis
max time kernel: 76s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/03/2023, 16:36
Behavioral task: behavioral1
Sample: c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
Resource: win10v2004-20230220-en
General
Target: c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
Size: 6KB
MD5: 4fc2df99dcdbf2886d139b0f4dfad85c
SHA1: 5c02c737e12540a6b5c56615b9b972ee171d2aa1
SHA256: c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685
SHA512: ae83119c6d47b6f6f06ab372cb584d88f01560c9847451faf00b61aa93373f492613b36dee83ae51ed2268ac9b553f70ec46522583d9636a91114f760abe14e5
SSDEEP: 96:DgdesBVLuiDTgIlNtuL/A3/I63yPRZjXMRWV6xjtLEk9sl8jzNt:EYsd/jtuLIg6YT4Rd5t9y8l
Malware Config
Extracted
Family: purecrypter
URL: https://wemodd.co/Anrwqjqr.dll (next-stage download URL carried in the loader's configuration)
Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check. The path below is HKCU\Control Panel\International\Geo\Nation, addressed through the sandbox user's SID.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe

Executes dropped EXE (1 IoC)
pid | Process
3368 | Jbdjkkwmltuvghizyaiqunhjpihsm.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; nothing else in this report supports that reading for this sample, so treat it as a generic signature hit rather than evidence of encryption activity.

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4872 | 3368 | WerFault.exe | 93
The crashing process is the dropped executable Jbdjkkwmltuvghizyaiqunhjpihsm.exe (PID 3368), so whatever it would have done after launch was not observed in this run.
Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process | hits
4328 | powershell.exe | 2
2612 | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe | 3
3940 | powershell.exe | 4

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2612 | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
Token: SeDebugPrivilege | 4328 | powershell.exe
Token: SeDebugPrivilege | 2612 | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe
Token: SeDebugPrivilege | 3940 | powershell.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target | hits
PID 2612 wrote to memory of 4328 | 2612 | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe | 85 | 2
PID 2612 wrote to memory of 3368 | 2612 | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe | 93 | 3
PID 2612 wrote to memory of 3940 | 2612 | c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe | 104 | 2

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the parent/child relationship; the original report marked depth with 1⤵, 2⤵, 3⤵)

"C:\Users\Admin\AppData\Local\Temp\c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe"
PID: 2612
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
    PID: 4328
    The -ENC argument is Base64 over UTF-16LE and decodes to: start-sleep -seconds 20
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    "C:\Users\Admin\AppData\Local\Temp\Jbdjkkwmltuvghizyaiqunhjpihsm.exe"
    PID: 3368
    - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 1048
        PID: 4872
        - Program crash

    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 5; Stop-Process 2612 -Force; Start-Sleep -Seconds 2; Remove-Item "C:\Users\Admin\AppData\Local\Temp\c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe" -Force
    PID: 3940
    This child terminates its own parent (the loader, PID 2612) and then deletes the original sample from disk: self-deletion after the dropped executable has been started.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3368 -ip 3368
PID: 4812
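The two PowerShell children in the tree above show the loader's evasion pattern: a Base64/UTF-16LE -ENC argument that hides a 20-second sleep, and a plain script that kills the parent and removes the original sample. The following Python is an added example, not code from the sandbox or from PureCrypter. It decodes any spelling of -EncodedCommand (powershell.exe resolves unambiguous switch prefixes such as -e, -ec and -enc), then flags sleep, parent-kill and self-delete behaviour over the two command lines copied from the tree. The record layout, function names and regular expressions are this example's own assumptions, and the sample records are constructed from the report rather than read from a sandbox export.

```python
import base64
import binascii
import re

# Constructed sample input: the two PowerShell command lines and their (pid, ppid)
# copied from the process tree above. This is not a sandbox export format.
SAMPLE_PROCESSES = [
    {"pid": 4328, "ppid": 2612,
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ENC '
                'cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA=='},
    {"pid": 3940, "ppid": 2612,
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
                'Start-Sleep -Seconds 5; Stop-Process 2612 -Force; Start-Sleep -Seconds 2; '
                'Remove-Item "C:\\Users\\Admin\\AppData\\Local\\Temp\\'
                'c7cbb1b4915f9cbce71dbe9df6027e73166fef1fce95976685640845e5f79685.exe" -Force'},
]

# powershell.exe resolves any unambiguous prefix of a switch name, so -e, -ec, -en,
# -enc ... all mean -EncodedCommand. Match the whole family, case-insensitively.
_ENC_SWITCHES = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
_ENC_RE = re.compile(
    r"(?:^|\s)-(?:%s)\s+['\"]?([A-Za-z0-9+/]+={0,2})"
    % "|".join(sorted(_ENC_SWITCHES, key=len, reverse=True)),
    re.IGNORECASE,
)
_SLEEP_RE = re.compile(r"start-sleep\s+(?:-s\w*\s+)?(\d+)", re.IGNORECASE)
_KILL_RE = re.compile(r"stop-process\s+(?:-id\s+)?(\d+)", re.IGNORECASE)
_DELETE_RE = re.compile(r"remove-item\s+(?:\"([^\"]+)\"|'([^']+)'|(\S+))", re.IGNORECASE)
_EXE_PREFIX_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*')


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if there is none.

    The argument is Base64 over UTF-16LE: decoding it as ASCII would show a NUL
    after every character, which is why the .decode("utf-16-le") step matters.
    """
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def effective_script(cmdline):
    """The PowerShell that actually runs: the decoded payload, else the text after the exe path."""
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        return decoded
    return _EXE_PREFIX_RE.sub("", cmdline, count=1)


def analyze_process(proc):
    """Flag loader-style PowerShell behaviour in one {pid, ppid, cmdline} record."""
    script = effective_script(proc["cmdline"])
    sleeps = [int(s) for s in _SLEEP_RE.findall(script)]
    killed = [int(p) for p in _KILL_RE.findall(script)]
    deleted = [next(g for g in groups if g) for groups in _DELETE_RE.findall(script)]
    kills_parent = proc["ppid"] in killed
    return {
        "pid": proc["pid"],
        "encoded_command": decode_encoded_command(proc["cmdline"]) is not None,
        "script": script,
        "sleep_seconds": sleeps,       # delays that push activity past a sandbox's timer
        "kills_parent": kills_parent,  # Stop-Process aimed at the process that spawned us
        "deleted_paths": deleted,
        # Kill the parent and then delete a file: the loader erasing its own dropper.
        "self_delete": kills_parent and bool(deleted),
    }


def analyze_all(procs=SAMPLE_PROCESSES):
    return [analyze_process(p) for p in procs]


if __name__ == "__main__":
    for r in analyze_all():
        print(f'PID {r["pid"]} ({"encoded" if r["encoded_command"] else "plain"}): {r["script"]}')
        print(f'  sleeps={r["sleep_seconds"]} kills_parent={r["kills_parent"]} self_delete={r["self_delete"]}')
```

Run stand-alone it prints the decoded 20-second sleep for PID 4328 and the parent-kill plus self-delete verdict for PID 3940. The sleep totals are worth comparing against the sandbox's own budget (76s kernel time here): a loader that sleeps before unpacking is betting that the monitor gives up first, so a detection that only looks at the first few seconds of a PowerShell child will miss the payload stage.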
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 2KB
MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Filesize: 1KB
MD5: e936ffde1732f536cc835ed3e6c83842
SHA1: 05a7c09e599c32003ea21329932a032ace4f592c
SHA256: da9997a3db22d4c3b7900392af3d4a88d09de0df6c4a75d89ea1b271edbb2552
SHA512: 35d49450a82c671843080c2ff2ff0d33aa5640234958b7e417a9c2f9e20e24b752a4793a99662253e7ad892dcd70904f6524d5e71c0d80333d7d01741c115870

Filesize: 292KB (three identical entries in the report)
MD5: 65727c071543cc129d7476b1c4b15b6f
SHA1: d8aba3f3ccb07ff5712bcac50df2bf7a9b2e6bf5
SHA256: 737db69684061395728f0145604c7110297605bc143c68dc599a2e96e264553c
SHA512: 0eba2062df4b6f25a41ca14e4e2360ec5319c639620a08943263ebd2c707fd2fb6c6b64674b897e6ba4bfa439773ca4d6a25d20d27cc0d9abd086f5704bdb5ca

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82