Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-06-2023 15:23
Static task: static1
Behavioral task: behavioral1
Sample: 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
Resource: win10v2004-20230621-en
General
Target: 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
Size: 6KB
MD5: 4f0d3017e1d6e4c39f83a3e550e26c11
SHA1: 6f6c966cf3465b48f86ce3b9befb47a209dbd1dd
SHA256: 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120
SHA512: 2a1fb15339f192d05b958daa36da0e2f20aefeb396148a98696b8c2d4c15ed6d036b304f1fb4078fe12a257b774b8fc74131c3ac420d548f29ec5582076943fa
SSDEEP: 96:eFU+v1uy+5tHd/xR5JNtG1KKqYDal+5zNt:G7653/xfhHRgE+7
Malware Config
Extracted
purecrypter
http://cleaning.homesecuritypc.com/packages/Ikucx.dat
Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 1952 created 784 | 1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 75

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Control Panel\International\Geo\Nation | Ynpbjslfjs.exe

Executes dropped EXE (2 IoCs)
pid | Process
1384 | Ynpbjslfjs.exe
1136 | Estei.exe

Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4296 set thread context of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
5072 | certreq.exe
5072 | certreq.exe
5072 | certreq.exe
5072 | certreq.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
Token: SeDebugPrivilege | 1384 | Ynpbjslfjs.exe
Token: SeDebugPrivilege | 1136 | Estei.exe

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 4296 wrote to memory of 1384 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 79
PID 4296 wrote to memory of 1384 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 79
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 4296 wrote to memory of 1952 | 4296 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 80
PID 1952 wrote to memory of 5072 | 1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 81
PID 1952 wrote to memory of 5072 | 1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 81
PID 1952 wrote to memory of 5072 | 1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 81
PID 1952 wrote to memory of 5072 | 1952 | 36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe | 81
PID 1384 wrote to memory of 1136 | 1384 | Ynpbjslfjs.exe | 83
PID 1384 wrote to memory of 1136 | 1384 | Ynpbjslfjs.exe | 83

outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2178924671-3779044592-2825503497-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Processes

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 784

  C:\Users\Admin\AppData\Local\Temp\36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4296

    C:\Users\Admin\AppData\Local\Temp\Ynpbjslfjs.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ynpbjslfjs.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1384

      C:\Users\Admin\AppData\Local\Temp\Estei.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Estei.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 1136

    C:\Users\Admin\AppData\Local\Temp\36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\36e84f76412889664edcaca6b4d01e3b6f7a23a63d7ab159089bbe3630e05120.exe
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1952

  C:\Windows\system32\certreq.exe (depth 2)
    Command line: "C:\Windows\system32\certreq.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - outlook_office_path
    - outlook_win_path
    PID: 5072
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 6KB
MD5: 1e60442ffe8d9d91919bf2506e3efc68
SHA1: 908bd34c30f2baf73245541b9b18bd89d06c8d79
SHA256: cf2e48859602e7f7b3a7006a952bd1e3c75f0c6220d9803c10b4220dbd6c1d06
SHA512: ae221b72839e01c68cf9b0266d58413a43f8e365f9f455d274099e17ccb6883a23513f0f10d3b3e2b3771c5b09a0fcd5331dad6d2a1e088383188536cd81ef63
Filesize: 6KB
MD5: 8af1d478704d9528f08b2fffa5f47440
SHA1: c140a7ac7eed24afd65adca65d930553c481602e
SHA256: ceff3cbf74efe2ddbb8faa4a651d5d0a8bed637774e7c755e467cb5dc0174c48
SHA512: d6c1677a35b35dd0994b2a8e2970fa59351a0a0f1a1bf43448ee1fe694e825d63d1bfadab7b723d1d76984aa0b9ea3994b6442686264ade67005b0754ec63855