purecrypter | 1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2023 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe
Size

8KB
MD5

39c5e1e87aa30c1628eec3e2ab9a6b07
SHA1

f2fd910454ba7aaf8d482ad1bfd9ace32e612e8c
SHA256

1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e
SHA512

414bd6bcfac34fb5980c43d0ccf731568d5c29deca1d63c77bc1641f954df54ef92fcf024813fb97589562b07c6081864ea6d7d0315b73f01bd67c93368c924a
SSDEEP

192:viovIB+jqlfX0lvb2cvqFH/dJLmbVVnrKqJWKgWXi:vi8+AqlfMvi4qp/dJLmbH7WKgWS

Score

10^/10

purecrypter collection downloader loader spyware stealer

Malware Config

Extracted

Family

purecrypter

http://cleaning.homesecuritypc.com/packages/Beqivfwbch.bmp

http://cleaning.homesecuritypc.com/packages/Lpfqwia.dat

http://cleaning.homesecuritypc.com/packages/Bdsgdwlbpu.dll

http://cleaning.homesecuritypc.com/packages/Emoqkhs.png

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Kjobttcgroejybjch.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Ecvveososclqexczmjqqwzssqhjo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	IterationCount
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Fmocnpecplpmgokmihrjohgewqz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe

Executes dropped EXE 5 IoCs

pid	Process
1144	Kjobttcgroejybjch.exe
4696	Ecvveososclqexczmjqqwzssqhjo.exe
1684	IterationCount
4284	Fmocnpecplpmgokmihrjohgewqz.exe
3760	Ecvveososclqexczmjqqwzssqhjo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4692 set thread context of 3152	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3540	powershell.exe
3540	powershell.exe
3400	powershell.exe
3400	powershell.exe
3152	RegAsm.exe
1832	powershell.exe
1832	powershell.exe
536	powershell.exe
536	powershell.exe
4896	powershell.exe
4896	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe
Token: SeDebugPrivilege	3540	powershell.exe
Token: SeDebugPrivilege	1144	Kjobttcgroejybjch.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	3152	RegAsm.exe
Token: SeDebugPrivilege	4696	Ecvveososclqexczmjqqwzssqhjo.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1144	Kjobttcgroejybjch.exe
Token: SeDebugPrivilege	1684	IterationCount
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	4284	Fmocnpecplpmgokmihrjohgewqz.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4696	Ecvveososclqexczmjqqwzssqhjo.exe
Token: SeDebugPrivilege	3760	Ecvveososclqexczmjqqwzssqhjo.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 3540	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	82
PID 4692 wrote to memory of 3540	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	82
PID 4692 wrote to memory of 1144	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	91
PID 4692 wrote to memory of 1144	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	91
PID 4692 wrote to memory of 3152	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	92
PID 4692 wrote to memory of 3152	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	92
PID 4692 wrote to memory of 3152	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	92
PID 4692 wrote to memory of 3152	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	92
PID 4692 wrote to memory of 3152	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	92
PID 4692 wrote to memory of 3152	4692	1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe	92
PID 1144 wrote to memory of 3400	1144	Kjobttcgroejybjch.exe	93
PID 1144 wrote to memory of 3400	1144	Kjobttcgroejybjch.exe	93
PID 1144 wrote to memory of 4696	1144	Kjobttcgroejybjch.exe	95
PID 1144 wrote to memory of 4696	1144	Kjobttcgroejybjch.exe	95
PID 4696 wrote to memory of 1832	4696	Ecvveososclqexczmjqqwzssqhjo.exe	96
PID 4696 wrote to memory of 1832	4696	Ecvveososclqexczmjqqwzssqhjo.exe	96
PID 1684 wrote to memory of 536	1684	IterationCount	99
PID 1684 wrote to memory of 536	1684	IterationCount	99
PID 4696 wrote to memory of 4284	4696	Ecvveososclqexczmjqqwzssqhjo.exe	101
PID 4696 wrote to memory of 4284	4696	Ecvveososclqexczmjqqwzssqhjo.exe	101
PID 4696 wrote to memory of 4284	4696	Ecvveososclqexczmjqqwzssqhjo.exe	101
PID 4284 wrote to memory of 4896	4284	Fmocnpecplpmgokmihrjohgewqz.exe	102
PID 4284 wrote to memory of 4896	4284	Fmocnpecplpmgokmihrjohgewqz.exe	102
PID 4284 wrote to memory of 4896	4284	Fmocnpecplpmgokmihrjohgewqz.exe	102
PID 1684 wrote to memory of 3760	1684	IterationCount	104
PID 1684 wrote to memory of 3760	1684	IterationCount	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe
"C:\Users\Admin\AppData\Local\Temp\1c6e612cecab7fdc8d3389c1e88f795d85ef1d08646ec0c3ded43fbb6577a34e.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA0AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Users\Admin\AppData\Local\Temp\Kjobttcgroejybjch.exe
  "C:\Users\Admin\AppData\Local\Temp\Kjobttcgroejybjch.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA0AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe
    "C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA0AA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\Fmocnpecplpmgokmihrjohgewqz.exe
      "C:\Users\Admin\AppData\Local\Temp\Fmocnpecplpmgokmihrjohgewqz.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA0AA==
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:3152

C:\Users\Admin\AppData\Roaming\DefinedTypes\IterationCount
C:\Users\Admin\AppData\Roaming\DefinedTypes\IterationCount
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA0AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe
  "C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ecvveososclqexczmjqqwzssqhjo.exe.log

Filesize
2KB

MD5
810138bfaaf89179d51dc2046bcba294

SHA1
df32a43869d31efc9c333134665a40a93cc78d76

SHA256
983c7966fa757e8082c7676bf04bd0a015eeaecb8162d23d1a4e2656a699ed11

SHA512
127b82139f05917dcd305f191817f5289eca1006cb8fe308fa641928fd985c0f9405d8b2c125476d0ed2c5f70ba54f82da7b8dc26e0395eb09d95262d9a370ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bad2704664b4c1a190586ec492be65f

SHA1
1c98e6645c66774152c184d23f7a3178ce522e7b

SHA256
5950586396814b38bfdbb86757839fc8c7ce3eb73577775473c29ce6be81fe3e

SHA512
668553c12f1e5560baba826d5c8b139d7c7e323b6aa4e3723aaca479850f898c147d63cb77d305d715044db1e75cf501d6502ca214c7ed05ded424b230893bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fb3fe07c6be34af2e548ca59453de06

SHA1
d305b0c2d0de07c390ebca3d4317d1756f993294

SHA256
7ba55bf1b49649378d9363346e07034c6efea9a7fd5f011762e9dbe4ada0c0de

SHA512
b309dc88ccbc5000e77ab27054069f9ba0760750b7585efb9074a65801f424792000e8497fa51f09b95d40793feefc5a56fe843dc2892df366d9c300987c3d32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3db5a3b556b01c59c5812cb86abb674e

SHA1
3848e5419d5c47879f159247e4f1b08005674cf0

SHA256
218d487f881ce9640acd16f7476b445471b83671569e99973f77d0bbf6c42ffa

SHA512
3eb6575d3e476053a65b2631b0cd0d584056ca476058ee2706c69fe10b0502460c40f8985f1f4666e42fba2809924f6dc34ba2e9b2629217542e45cb3640adcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe

Filesize
7KB

MD5
36d66a7d0cf7821e584ff866c673776a

SHA1
42d3bf45ae3d2a3e4687d77a910a9fd7a08df72c

SHA256
686c3626e48fc962ded1b56bc1f64b283eeba71510f182f590503e0ae0399792

SHA512
285bd67868219c7b42bfb920100e3f95cf61014273550f14becffd52738e968cdd46da76bfe07b0c57261e956481181785d7f6231e95537d97c12c65ca703ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe

Filesize
7KB

MD5
36d66a7d0cf7821e584ff866c673776a

SHA1
42d3bf45ae3d2a3e4687d77a910a9fd7a08df72c

SHA256
686c3626e48fc962ded1b56bc1f64b283eeba71510f182f590503e0ae0399792

SHA512
285bd67868219c7b42bfb920100e3f95cf61014273550f14becffd52738e968cdd46da76bfe07b0c57261e956481181785d7f6231e95537d97c12c65ca703ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe

Filesize
7KB

MD5
36d66a7d0cf7821e584ff866c673776a

SHA1
42d3bf45ae3d2a3e4687d77a910a9fd7a08df72c

SHA256
686c3626e48fc962ded1b56bc1f64b283eeba71510f182f590503e0ae0399792

SHA512
285bd67868219c7b42bfb920100e3f95cf61014273550f14becffd52738e968cdd46da76bfe07b0c57261e956481181785d7f6231e95537d97c12c65ca703ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe

Filesize
7KB

MD5
36d66a7d0cf7821e584ff866c673776a

SHA1
42d3bf45ae3d2a3e4687d77a910a9fd7a08df72c

SHA256
686c3626e48fc962ded1b56bc1f64b283eeba71510f182f590503e0ae0399792

SHA512
285bd67868219c7b42bfb920100e3f95cf61014273550f14becffd52738e968cdd46da76bfe07b0c57261e956481181785d7f6231e95537d97c12c65ca703ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecvveososclqexczmjqqwzssqhjo.exe

Filesize
7KB

MD5
36d66a7d0cf7821e584ff866c673776a

SHA1
42d3bf45ae3d2a3e4687d77a910a9fd7a08df72c

SHA256
686c3626e48fc962ded1b56bc1f64b283eeba71510f182f590503e0ae0399792

SHA512
285bd67868219c7b42bfb920100e3f95cf61014273550f14becffd52738e968cdd46da76bfe07b0c57261e956481181785d7f6231e95537d97c12c65ca703ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fmocnpecplpmgokmihrjohgewqz.exe

Filesize
8KB

MD5
de32b4576be12fd7a9796150066b1539

SHA1
ad153c57f414306583e44dbbd3ad643a0a5b0cb9

SHA256
5546e525c1aa4e3a3df4ee2ec8fbd04c1c593229d68f99c9de099ef9d7f30d60

SHA512
3cafe90a25334ddd627ef3ed37a299dd8520eafeedee71b0d8d86f2352158c51bf1b600940d2ba42cdbeba705493974a776d1a7c606872179e3a39bdcc3862af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fmocnpecplpmgokmihrjohgewqz.exe

Filesize
8KB

MD5
de32b4576be12fd7a9796150066b1539

SHA1
ad153c57f414306583e44dbbd3ad643a0a5b0cb9

SHA256
5546e525c1aa4e3a3df4ee2ec8fbd04c1c593229d68f99c9de099ef9d7f30d60

SHA512
3cafe90a25334ddd627ef3ed37a299dd8520eafeedee71b0d8d86f2352158c51bf1b600940d2ba42cdbeba705493974a776d1a7c606872179e3a39bdcc3862af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fmocnpecplpmgokmihrjohgewqz.exe

Filesize
8KB

MD5
de32b4576be12fd7a9796150066b1539

SHA1
ad153c57f414306583e44dbbd3ad643a0a5b0cb9

SHA256
5546e525c1aa4e3a3df4ee2ec8fbd04c1c593229d68f99c9de099ef9d7f30d60

SHA512
3cafe90a25334ddd627ef3ed37a299dd8520eafeedee71b0d8d86f2352158c51bf1b600940d2ba42cdbeba705493974a776d1a7c606872179e3a39bdcc3862af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjobttcgroejybjch.exe

Filesize
7KB

MD5
4e632862f121fd33d514c7c552857eef

SHA1
2a27a25eda27ed5cf6e7f3f0a635efeec439deea

SHA256
8a4fbefca8c4988fb7da141d269fb0fdc0dbee2ba40bc11a4a5a675e648925f7

SHA512
2d4115e249976f81af5f93d0adc6231031925cedc38030b6c5d080fa65346887d275147230da653e5c0c2ecf905d4512e55e26bc27149483afb37c3b08b9da5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjobttcgroejybjch.exe

Filesize
7KB

MD5
4e632862f121fd33d514c7c552857eef

SHA1
2a27a25eda27ed5cf6e7f3f0a635efeec439deea

SHA256
8a4fbefca8c4988fb7da141d269fb0fdc0dbee2ba40bc11a4a5a675e648925f7

SHA512
2d4115e249976f81af5f93d0adc6231031925cedc38030b6c5d080fa65346887d275147230da653e5c0c2ecf905d4512e55e26bc27149483afb37c3b08b9da5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kjobttcgroejybjch.exe

Filesize
7KB

MD5
4e632862f121fd33d514c7c552857eef

SHA1
2a27a25eda27ed5cf6e7f3f0a635efeec439deea

SHA256
8a4fbefca8c4988fb7da141d269fb0fdc0dbee2ba40bc11a4a5a675e648925f7

SHA512
2d4115e249976f81af5f93d0adc6231031925cedc38030b6c5d080fa65346887d275147230da653e5c0c2ecf905d4512e55e26bc27149483afb37c3b08b9da5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qeclhnca.bzf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\DefinedTypes\IterationCount

Filesize
7KB

MD5
4e632862f121fd33d514c7c552857eef

SHA1
2a27a25eda27ed5cf6e7f3f0a635efeec439deea

SHA256
8a4fbefca8c4988fb7da141d269fb0fdc0dbee2ba40bc11a4a5a675e648925f7

SHA512
2d4115e249976f81af5f93d0adc6231031925cedc38030b6c5d080fa65346887d275147230da653e5c0c2ecf905d4512e55e26bc27149483afb37c3b08b9da5a

Download Submit
C:\Users\Admin\AppData\Roaming\DefinedTypes\IterationCount

Filesize
7KB

MD5
4e632862f121fd33d514c7c552857eef

SHA1
2a27a25eda27ed5cf6e7f3f0a635efeec439deea

SHA256
8a4fbefca8c4988fb7da141d269fb0fdc0dbee2ba40bc11a4a5a675e648925f7

SHA512
2d4115e249976f81af5f93d0adc6231031925cedc38030b6c5d080fa65346887d275147230da653e5c0c2ecf905d4512e55e26bc27149483afb37c3b08b9da5a

Download Submit
memory/536-5492-0x000001E852310000-0x000001E852320000-memory.dmp

Filesize
64KB

Download
memory/536-5501-0x000001E852310000-0x000001E852320000-memory.dmp

Filesize
64KB

Download
memory/536-6636-0x000001E852310000-0x000001E852320000-memory.dmp

Filesize
64KB

Download
memory/536-5500-0x000001E852310000-0x000001E852320000-memory.dmp

Filesize
64KB

Download
memory/536-6638-0x000001E852310000-0x000001E852320000-memory.dmp

Filesize
64KB

Download
memory/1144-4173-0x000001C12E310000-0x000001C12E320000-memory.dmp

Filesize
64KB

Download
memory/1144-2597-0x000001C12EB40000-0x000001C12EBF0000-memory.dmp

Filesize
704KB

Download
memory/1144-171-0x000001C12E310000-0x000001C12E320000-memory.dmp

Filesize
64KB

Download
memory/1144-4171-0x000001C12E310000-0x000001C12E320000-memory.dmp

Filesize
64KB

Download
memory/1144-4170-0x000001C12E310000-0x000001C12E320000-memory.dmp

Filesize
64KB

Download
memory/1144-4167-0x000001C12E310000-0x000001C12E320000-memory.dmp

Filesize
64KB

Download
memory/1144-165-0x000001C113D10000-0x000001C113D16000-memory.dmp

Filesize
24KB

Download
memory/1144-2595-0x000001C12EB30000-0x000001C12EB31000-memory.dmp

Filesize
4KB

Download
memory/1144-1486-0x000001C12E310000-0x000001C12E320000-memory.dmp

Filesize
64KB

Download
memory/1684-5480-0x000001CBFA8A0000-0x000001CBFA8B0000-memory.dmp

Filesize
64KB

Download
memory/1684-6257-0x000001CBFA8A0000-0x000001CBFA8B0000-memory.dmp

Filesize
64KB

Download
memory/1832-2785-0x000002D7D6F10000-0x000002D7D6F20000-memory.dmp

Filesize
64KB

Download
memory/1832-2788-0x000002D7D6F10000-0x000002D7D6F20000-memory.dmp

Filesize
64KB

Download
memory/1832-4521-0x000002D7D6F10000-0x000002D7D6F20000-memory.dmp

Filesize
64KB

Download
memory/1832-4523-0x000002D7D6F10000-0x000002D7D6F20000-memory.dmp

Filesize
64KB

Download
memory/1832-4519-0x000002D7D6F10000-0x000002D7D6F20000-memory.dmp

Filesize
64KB

Download
memory/3152-192-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-182-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-218-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-220-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-222-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-224-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-226-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-228-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-230-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-214-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-166-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/3152-168-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-212-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-169-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-210-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-1489-0x000001A6898C0000-0x000001A6898D0000-memory.dmp

Filesize
64KB

Download
memory/3152-172-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-174-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-176-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-2490-0x000001A6898C0000-0x000001A6898D0000-memory.dmp

Filesize
64KB

Download
memory/3152-2491-0x000001A6898C0000-0x000001A6898D0000-memory.dmp

Filesize
64KB

Download
memory/3152-208-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-206-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-204-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-178-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-202-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-180-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-200-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-198-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-196-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-194-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-216-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-184-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-190-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-188-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3152-186-0x000001A6A2170000-0x000001A6A2268000-memory.dmp

Filesize
992KB

Download
memory/3400-2186-0x0000019765B10000-0x0000019765B20000-memory.dmp

Filesize
64KB

Download
memory/3400-1994-0x0000019765B10000-0x0000019765B20000-memory.dmp

Filesize
64KB

Download
memory/3400-1992-0x0000019765B10000-0x0000019765B20000-memory.dmp

Filesize
64KB

Download
memory/3400-408-0x0000019765B10000-0x0000019765B20000-memory.dmp

Filesize
64KB

Download
memory/3400-242-0x0000019765B10000-0x0000019765B20000-memory.dmp

Filesize
64KB

Download
memory/3400-241-0x0000019765B10000-0x0000019765B20000-memory.dmp

Filesize
64KB

Download
memory/3540-149-0x0000021868B90000-0x0000021868BA0000-memory.dmp

Filesize
64KB

Download
memory/3540-145-0x0000021868B90000-0x0000021868BA0000-memory.dmp

Filesize
64KB

Download
memory/3540-146-0x0000021868B90000-0x0000021868BA0000-memory.dmp

Filesize
64KB

Download
memory/3540-147-0x0000021868B90000-0x0000021868BA0000-memory.dmp

Filesize
64KB

Download
memory/3540-151-0x0000021868B90000-0x0000021868BA0000-memory.dmp

Filesize
64KB

Download
memory/3540-150-0x0000021868B90000-0x0000021868BA0000-memory.dmp

Filesize
64KB

Download
memory/4284-5529-0x0000000005610000-0x000000000561A000-memory.dmp

Filesize
40KB

Download
memory/4284-5507-0x0000000005A80000-0x0000000006024000-memory.dmp

Filesize
5.6MB

Download
memory/4284-5513-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/4284-5505-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/4284-5703-0x0000000008250000-0x0000000008272000-memory.dmp

Filesize
136KB

Download
memory/4284-5647-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/4692-133-0x000001EC83BC0000-0x000001EC83BC6000-memory.dmp

Filesize
24KB

Download
memory/4692-134-0x000001EC83F30000-0x000001EC83F40000-memory.dmp

Filesize
64KB

Download
memory/4692-135-0x000001EC9F480000-0x000001EC9F4A2000-memory.dmp

Filesize
136KB

Download
memory/4692-148-0x000001EC83F30000-0x000001EC83F40000-memory.dmp

Filesize
64KB

Download
memory/4696-5525-0x0000020033640000-0x0000020033650000-memory.dmp

Filesize
64KB

Download
memory/4696-5527-0x0000020033640000-0x0000020033650000-memory.dmp

Filesize
64KB

Download
memory/4696-5523-0x0000020033640000-0x0000020033650000-memory.dmp

Filesize
64KB

Download
memory/4696-5520-0x0000020034170000-0x0000020034201000-memory.dmp

Filesize
580KB

Download
memory/4696-4166-0x0000020033640000-0x0000020033650000-memory.dmp

Filesize
64KB

Download
memory/4696-2599-0x0000020033640000-0x0000020033650000-memory.dmp

Filesize
64KB

Download
memory/4696-2546-0x0000020019050000-0x0000020019056000-memory.dmp

Filesize
24KB

Download
memory/4696-5521-0x0000020033640000-0x0000020033650000-memory.dmp

Filesize
64KB

Download
memory/4896-5786-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4896-5881-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/4896-5883-0x0000000006C20000-0x0000000006C3A000-memory.dmp

Filesize
104KB

Download
memory/4896-5905-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4896-5823-0x00000000067C0000-0x00000000067DE000-memory.dmp

Filesize
120KB

Download
memory/4896-5787-0x00000000061D0000-0x0000000006236000-memory.dmp

Filesize
408KB

Download
memory/4896-5788-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/4896-5783-0x00000000060F0000-0x0000000006156000-memory.dmp

Filesize
408KB

Download
memory/4896-5769-0x0000000005AC0000-0x00000000060E8000-memory.dmp

Filesize
6.2MB

Download
memory/4896-5759-0x0000000002E80000-0x0000000002EB6000-memory.dmp

Filesize
216KB

Download