purecrypter | 0cfe0c50487f6d372e650d4171b51dae5a085de9d604a6701c5ebec442268b5b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 07:03

Target

Clientexe.exe
Size

335KB
MD5

17783c63b34cb560cee2219a5a718511
SHA1

0653a57e59b4bbb9735d0c2f320bcf79c414ba82
SHA256

0cfe0c50487f6d372e650d4171b51dae5a085de9d604a6701c5ebec442268b5b
SHA512

4a95b7972343d13bdb5ef1ed2f9d5cad3725fbdcb2aefe44987a4eb5ffa49c76fa07b73c6cc205ca7d73c39f50dbb59a9c337b82c69bee25051f836c55061a59
SSDEEP

6144:lW8ABhSQBJd85Cnz4ny1+J6HRw2bLnZRo4G8u3i43FHm7p1:A8qdd85CnWycJ6HhTQ3M

Score

10^/10

Family

purecrypter

https://janiking.xyz/loader/uploads/Whotdf_Kzhgekln.png

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 3844	4364	Clientexe.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4364	Clientexe.exe
4364	Clientexe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4364	Clientexe.exe
Token: SeDebugPrivilege	3844	Clientexe.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 3708	4364	Clientexe.exe	85
PID 4364 wrote to memory of 3708	4364	Clientexe.exe	85
PID 4364 wrote to memory of 3708	4364	Clientexe.exe	85
PID 4364 wrote to memory of 3844	4364	Clientexe.exe	86
PID 4364 wrote to memory of 3844	4364	Clientexe.exe	86
PID 4364 wrote to memory of 3844	4364	Clientexe.exe	86
PID 4364 wrote to memory of 3844	4364	Clientexe.exe	86
PID 4364 wrote to memory of 3844	4364	Clientexe.exe	86
PID 4364 wrote to memory of 3844	4364	Clientexe.exe	86
PID 4364 wrote to memory of 3844	4364	Clientexe.exe	86
PID 4364 wrote to memory of 3844	4364	Clientexe.exe	86

C:\Users\Admin\AppData\Local\Temp\Clientexe.exe
"C:\Users\Admin\AppData\Local\Temp\Clientexe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\Clientexe.exe
  "C:\Users\Admin\AppData\Local\Temp\Clientexe.exe"
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\Clientexe.exe
  "C:\Users\Admin\AppData\Local\Temp\Clientexe.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3844

memory/3844-134-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3844-136-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3844-137-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/4364-133-0x0000000000F70000-0x0000000000FC8000-memory.dmp

Filesize
352KB

Download