purecrypter | 0cfe0c50487f6d372e650d4171b51dae5a085de9d604a6701c5ebec442268b5b

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:29

Target

Client.exe
Size

335KB
MD5

17783c63b34cb560cee2219a5a718511
SHA1

0653a57e59b4bbb9735d0c2f320bcf79c414ba82
SHA256

0cfe0c50487f6d372e650d4171b51dae5a085de9d604a6701c5ebec442268b5b
SHA512

4a95b7972343d13bdb5ef1ed2f9d5cad3725fbdcb2aefe44987a4eb5ffa49c76fa07b73c6cc205ca7d73c39f50dbb59a9c337b82c69bee25051f836c55061a59
SSDEEP

6144:lW8ABhSQBJd85Cnz4ny1+J6HRw2bLnZRo4G8u3i43FHm7p1:A8qdd85CnWycJ6HhTQ3M

Score

10^/10

Family

purecrypter

https://janiking.xyz/loader/uploads/Whotdf_Kzhgekln.png

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3404 set thread context of 4552	3404	Client.exe	89

Suspicious behavior: EnumeratesProcesses 6 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	Client.exe
Token: SeDebugPrivilege	4552	Client.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 4652	3404	Client.exe	86
PID 3404 wrote to memory of 4652	3404	Client.exe	86
PID 3404 wrote to memory of 4652	3404	Client.exe	86
PID 3404 wrote to memory of 4120	3404	Client.exe	87
PID 3404 wrote to memory of 4120	3404	Client.exe	87
PID 3404 wrote to memory of 4120	3404	Client.exe	87
PID 3404 wrote to memory of 2072	3404	Client.exe	88
PID 3404 wrote to memory of 2072	3404	Client.exe	88
PID 3404 wrote to memory of 2072	3404	Client.exe	88
PID 3404 wrote to memory of 4552	3404	Client.exe	89
PID 3404 wrote to memory of 4552	3404	Client.exe	89
PID 3404 wrote to memory of 4552	3404	Client.exe	89
PID 3404 wrote to memory of 4552	3404	Client.exe	89
PID 3404 wrote to memory of 4552	3404	Client.exe	89
PID 3404 wrote to memory of 4552	3404	Client.exe	89
PID 3404 wrote to memory of 4552	3404	Client.exe	89
PID 3404 wrote to memory of 4552	3404	Client.exe	89

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  PID:4652
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  PID:4120
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  PID:2072
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4552

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Client.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
memory/3404-133-0x00000000001C0000-0x0000000000218000-memory.dmp

Filesize
352KB

Download
memory/4552-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4552-137-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download
memory/4552-138-0x0000000004F80000-0x0000000004F90000-memory.dmp

Filesize
64KB

Download