purecrypter | 73d66c77945f6ff7fe5d62a4ba5efd4bbc2f8459eaf4722833e0df6cfd4c6309

Resubmissions

19-12-2023 10:14

231219-l9nshaabb3 10

Analysis

max time kernel
141s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00fce918b5cf447876a61f05978b2db0.exe
Size

74KB
MD5

00fce918b5cf447876a61f05978b2db0
SHA1

6dec21de3d9d4584e2200a117e6edf70ecfd5c11
SHA256

73d66c77945f6ff7fe5d62a4ba5efd4bbc2f8459eaf4722833e0df6cfd4c6309
SHA512

31b0801ad232b746493c073527bf238b4d6bbc929313109222ac7a4625e831dcbbaaac973f6a0c0f825aef14432dcb8968b08676f27cef14914842561da59206
SSDEEP

1536:aheb4mzLMaM68hD0BLX/yYiAst6C4bllDp7kXqXPtkrBZF7SzKHzUWhUzTrGtltD:Lb4mzLMaM68hD0BLX/yYiAst6C4bllDO

Score

10^/10

purecrypter downloader loader

Malware Config

Extracted

Family

purecrypter

https://store2.gofile.io/download/5c283eeb-ee75-4585-ac23-386c6a3ea789/Jcafcgneb.dll

Signatures

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.
loader downloader purecrypter

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	00fce918b5cf447876a61f05978b2db0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1544	powershell.exe
1544	powershell.exe
416	powershell.exe
416	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	00fce918b5cf447876a61f05978b2db0.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeIncreaseQuotaPrivilege	1544	powershell.exe
Token: SeSecurityPrivilege	1544	powershell.exe
Token: SeTakeOwnershipPrivilege	1544	powershell.exe
Token: SeLoadDriverPrivilege	1544	powershell.exe
Token: SeSystemProfilePrivilege	1544	powershell.exe
Token: SeSystemtimePrivilege	1544	powershell.exe
Token: SeProfSingleProcessPrivilege	1544	powershell.exe
Token: SeIncBasePriorityPrivilege	1544	powershell.exe
Token: SeCreatePagefilePrivilege	1544	powershell.exe
Token: SeBackupPrivilege	1544	powershell.exe
Token: SeRestorePrivilege	1544	powershell.exe
Token: SeShutdownPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeSystemEnvironmentPrivilege	1544	powershell.exe
Token: SeRemoteShutdownPrivilege	1544	powershell.exe
Token: SeUndockPrivilege	1544	powershell.exe
Token: SeManageVolumePrivilege	1544	powershell.exe
Token: 33	1544	powershell.exe
Token: 34	1544	powershell.exe
Token: 35	1544	powershell.exe
Token: 36	1544	powershell.exe
Token: SeIncreaseQuotaPrivilege	1544	powershell.exe
Token: SeSecurityPrivilege	1544	powershell.exe
Token: SeTakeOwnershipPrivilege	1544	powershell.exe
Token: SeLoadDriverPrivilege	1544	powershell.exe
Token: SeSystemProfilePrivilege	1544	powershell.exe
Token: SeSystemtimePrivilege	1544	powershell.exe
Token: SeProfSingleProcessPrivilege	1544	powershell.exe
Token: SeIncBasePriorityPrivilege	1544	powershell.exe
Token: SeCreatePagefilePrivilege	1544	powershell.exe
Token: SeBackupPrivilege	1544	powershell.exe
Token: SeRestorePrivilege	1544	powershell.exe
Token: SeShutdownPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeSystemEnvironmentPrivilege	1544	powershell.exe
Token: SeRemoteShutdownPrivilege	1544	powershell.exe
Token: SeUndockPrivilege	1544	powershell.exe
Token: SeManageVolumePrivilege	1544	powershell.exe
Token: 33	1544	powershell.exe
Token: 34	1544	powershell.exe
Token: 35	1544	powershell.exe
Token: 36	1544	powershell.exe
Token: SeIncreaseQuotaPrivilege	1544	powershell.exe
Token: SeSecurityPrivilege	1544	powershell.exe
Token: SeTakeOwnershipPrivilege	1544	powershell.exe
Token: SeLoadDriverPrivilege	1544	powershell.exe
Token: SeSystemProfilePrivilege	1544	powershell.exe
Token: SeSystemtimePrivilege	1544	powershell.exe
Token: SeProfSingleProcessPrivilege	1544	powershell.exe
Token: SeIncBasePriorityPrivilege	1544	powershell.exe
Token: SeCreatePagefilePrivilege	1544	powershell.exe
Token: SeBackupPrivilege	1544	powershell.exe
Token: SeRestorePrivilege	1544	powershell.exe
Token: SeShutdownPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeSystemEnvironmentPrivilege	1544	powershell.exe
Token: SeRemoteShutdownPrivilege	1544	powershell.exe
Token: SeUndockPrivilege	1544	powershell.exe
Token: SeManageVolumePrivilege	1544	powershell.exe
Token: 33	1544	powershell.exe
Token: 34	1544	powershell.exe
Token: 35	1544	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1544	4200	00fce918b5cf447876a61f05978b2db0.exe	88
PID 4200 wrote to memory of 1544	4200	00fce918b5cf447876a61f05978b2db0.exe	88
PID 4200 wrote to memory of 416	4200	00fce918b5cf447876a61f05978b2db0.exe	101
PID 4200 wrote to memory of 416	4200	00fce918b5cf447876a61f05978b2db0.exe	101

C:\Users\Admin\AppData\Local\Temp\00fce918b5cf447876a61f05978b2db0.exe
"C:\Users\Admin\AppData\Local\Temp\00fce918b5cf447876a61f05978b2db0.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitch.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
9b839c896dee7cbef31e62d9130fe067

SHA1
20974f32005a641b3b7aae03b130f9a6fb0bd321

SHA256
970916b50c737053ae7dcdb13e84fe4786b7884a03e4486c10cabd6d9f00e573

SHA512
75d645562b621afe3735ab1e92664a27b27c93948c7edfa88299ea77ca5bec1d383c0f2eaa908f527dc22108beaf81dc7b31fa96e63ae7842966a34cd7f8fed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1d74745c57b2169cb9011dca750cbdf

SHA1
cd0bbe009913ac02891a0ef09d388683f801f660

SHA256
6dd923bf19569a28b2ad0b15e6dac53d87967c5cc02b372b1d21b28d6d947f9e

SHA512
55a10ee559c04c3e520a17f09d60c92963e50477f1199a7a0a9f8d45c86c98cf43d4ae4ef7c87cfd6b92e9972c8a7f21db81d3aad1c28d71ac397a31980f9de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0f2ebeq.atb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/416-47-0x00007FFCE6630000-0x00007FFCE70F1000-memory.dmp

Filesize
10.8MB

Download
memory/416-44-0x0000026F91B90000-0x0000026F91BA0000-memory.dmp

Filesize
64KB

Download
memory/416-34-0x0000026F91B90000-0x0000026F91BA0000-memory.dmp

Filesize
64KB

Download
memory/416-33-0x00007FFCE6630000-0x00007FFCE70F1000-memory.dmp

Filesize
10.8MB

Download
memory/1544-22-0x0000013C22430000-0x0000013C22440000-memory.dmp

Filesize
64KB

Download
memory/1544-26-0x0000013C24B30000-0x0000013C24B54000-memory.dmp

Filesize
144KB

Download
memory/1544-12-0x0000013C246E0000-0x0000013C24702000-memory.dmp

Filesize
136KB

Download
memory/1544-13-0x00007FFCE6630000-0x00007FFCE70F1000-memory.dmp

Filesize
10.8MB

Download
memory/1544-19-0x00007FFCE6630000-0x00007FFCE70F1000-memory.dmp

Filesize
10.8MB

Download
memory/1544-20-0x0000013C22430000-0x0000013C22440000-memory.dmp

Filesize
64KB

Download
memory/1544-21-0x0000013C22430000-0x0000013C22440000-memory.dmp

Filesize
64KB

Download
memory/1544-16-0x0000013C22430000-0x0000013C22440000-memory.dmp

Filesize
64KB

Download
memory/1544-23-0x0000013C246C0000-0x0000013C246D0000-memory.dmp

Filesize
64KB

Download
memory/1544-24-0x0000013C24770000-0x0000013C2478A000-memory.dmp

Filesize
104KB

Download
memory/1544-25-0x0000013C24B30000-0x0000013C24B5A000-memory.dmp

Filesize
168KB

Download
memory/1544-15-0x0000013C22430000-0x0000013C22440000-memory.dmp

Filesize
64KB

Download
memory/1544-27-0x0000013C22430000-0x0000013C22440000-memory.dmp

Filesize
64KB

Download
memory/1544-28-0x0000013C24790000-0x0000013C2479E000-memory.dmp

Filesize
56KB

Download
memory/1544-31-0x00007FFCE6630000-0x00007FFCE70F1000-memory.dmp

Filesize
10.8MB

Download
memory/1544-14-0x0000013C22430000-0x0000013C22440000-memory.dmp

Filesize
64KB

Download
memory/4200-0-0x00000000003C0000-0x00000000003D6000-memory.dmp

Filesize
88KB

Download
memory/4200-18-0x000000001BD50000-0x000000001BD60000-memory.dmp

Filesize
64KB

Download
memory/4200-17-0x00007FFCE6630000-0x00007FFCE70F1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-2-0x000000001BD50000-0x000000001BD60000-memory.dmp

Filesize
64KB

Download
memory/4200-1-0x00007FFCE6630000-0x00007FFCE70F1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-48-0x00007FFCE6630000-0x00007FFCE70F1000-memory.dmp

Filesize
10.8MB

Download