ddfa562944fef37afbe6b805f393b8595a2a7f9ca2320a548b873b0bc2c0cfe6

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 03:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

64580a410475d180a01504971ec0b468.exe
Size

1.9MB
MD5

64580a410475d180a01504971ec0b468
SHA1

1b2fe04409ed2b8783619e0513621dad97667725
SHA256

ddfa562944fef37afbe6b805f393b8595a2a7f9ca2320a548b873b0bc2c0cfe6
SHA512

d871296bc6d15d248cdd203be6ad81d463e13a8b134784232e945f79ffae2b0520bc36bdd518ba3c9f9c2b3696756c72405e6a72a5623312cae3e18c10440e1f
SSDEEP

49152:0wKfCoN28TNNFawefGk5ICyEF6jeQhS26qHHU:0wK6oN/xNIweukqtCM6qHHU

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	64580a410475d180a01504971ec0b468.exe

Executes dropped EXE 1 IoCs

pid	Process
4140	purpsi.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	purpsi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4140	purpsi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4824	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4824	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4140	purpsi.exe
4140	purpsi.exe
4140	purpsi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 4140	2076	64580a410475d180a01504971ec0b468.exe	53
PID 2076 wrote to memory of 4140	2076	64580a410475d180a01504971ec0b468.exe	53
PID 2076 wrote to memory of 4140	2076	64580a410475d180a01504971ec0b468.exe	53

C:\Users\Admin\AppData\Local\Temp\64580a410475d180a01504971ec0b468.exe
"C:\Users\Admin\AppData\Local\Temp\64580a410475d180a01504971ec0b468.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\pck1e240600171\purpsi.exe
  "C:\Users\Admin\AppData\Local\Temp\pck1e240600171\purpsi.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4140

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x33c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pck1e240600171\Arial_18.bmp

Filesize
297KB

MD5
c97238f295db40d552558d49519f3e3d

SHA1
6c16232332a90989f4e3b61cefb3a05d97e1c276

SHA256
8f0d187421b38ddd94def7932816c005cd4eda108f5de7a8090710b039e27c04

SHA512
dd46ecabe13eb034e353dd4d5055a2ef12fc76ecfdce5c3af236065f5f2da50e824865d6ac8eeffbe71c38c6251a63a4353af41742ef875fb1fbf6d7a1126a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\Arial_18w.bmp

Filesize
297KB

MD5
76808f98c5abe5330c5a70090091beb1

SHA1
63a709649ff3f4855b9d05eed4ef1431b3441d5a

SHA256
e9e6de0632dd3a9f092fab341c95e67a3c72dfcf65b655ab7000fc22c97a8c86

SHA512
62658c4b346032655c5198bd49956ff738aeb9e611ad8b4a5714c88ce705d81b8da8827ff45601dcd784c2263a7581a6e0fa0c1c83cab903e210851c6888e539

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\banane2.tga

Filesize
23KB

MD5
7aa3c3cee0e585d0c57e2c0dfb577482

SHA1
00afd83e19da36c925777102aa67d74f495bad5b

SHA256
b007b819b68a20fd2b04dabdb703dca63b8fc79b0328ef21fc214b5f130abcf6

SHA512
cb44a6acd2da6a2a20e3fc4d3e95af6f43f9cac89b7baad6067e0cb53fb75b8923581d503abb4bc61bf2f36998f7195adcb5e00126339396d68420a860b80f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\beep.wav

Filesize
5KB

MD5
b65c1c850c9522cfbf3b4d49ecf2b8b9

SHA1
39b4f662f51daa294c7b7ad693a33758ca78d6fd

SHA256
c75feaf3fa3c1bf40d46ebe991caf68b31902e72549d53478570213aa1cf6f15

SHA512
3e32441bab93035ca80dc07fca34afe620cb5153b5b7bed0181219c37ee464397ce0769995b23ba1908c87b657e3cac39ab4763860de025f4d311c9be0641dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\bomb.tga

Filesize
4KB

MD5
00513d9fbf6d27be73219eeaf3ff8867

SHA1
99bb708505bfd04e02a3bca009001cf1ee001abe

SHA256
a3f59618ebe709acc2f5b393b278b9ec9b86415214c0164194f11fdb83cf2e09

SHA512
13ac0452a3fe4ea82346c684baaf5f3980fdb7383d132fb22f535b2c1f777485b22906fe772cc7be3b8c8a4684049357a3cf35ebad1038301da862cd235fb507

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\endscreen.tga

Filesize
980KB

MD5
eb61a272baa9f3d405fa8c74a01d7677

SHA1
0cc055bd19607df33e25706180e294a0d89e7354

SHA256
1e5e71126ef037fe631be8915969cb34f8b8aeacd1366b6133e67bb4ed8b4e64

SHA512
d37cab647b6f3b9b72d1533772a260c619f16304cc283eedd287c4653942c536b7c1812a9e2113c4463af9d4038b790365b9e051d5677619a2b73e31686fe314

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\gameover.bmp

Filesize
76KB

MD5
bb00ef1ef045553893e7df3c86445479

SHA1
49da6c62a5b980a9ae6ebe05e837e0c9fa12e9fb

SHA256
0cd59a12febfe3f4958f8baa388dbfb234a98cea605c06ed856ec5698164366b

SHA512
e4176bc57cbaa0db92c7b35c7bacda7e7826c85e1bce4dfb36919bcb5c5155f90f0ddf2d26a4043ba2b65975d70d6c68d117965e8cf38a020e41371685f718b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\gold.tga

Filesize
4KB

MD5
83de3a5d3ea4cf19eb8c614aa648cf8e

SHA1
51f4ed0dfd248fa7365ad2827d7bd211d27e006b

SHA256
6ec327d99b9e4ba012238a2b000554af87e9f80907efb6e97dff34a2d12c4e6e

SHA512
cb5579fae81c06c2fdda213914498fcffc67f0365510e4a448cdaf2096ce8a00100070f5c2a7d744a322120106b2aa5cfb3b3bedff30b69d2afb6cfd73bcc97f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\herz.tga

Filesize
4KB

MD5
18c839384d1fae80618e3b28931ed037

SHA1
f1477327e62b1695bddb7558f607cd96dfcd10a8

SHA256
c47bbf3ffd11dc401bb5ae144a0a6fd60be96c26b59bdda8dd3be5d964d2a690

SHA512
d7796f9dd3ed3073bb0be0f7535e59126a0d3390d3610012dbc5888a60d6fad18945e6d8ef215359f9e0f7b94716cf68e2b373d267830ee579eea5df5982c4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\nextlevel.bmp

Filesize
76KB

MD5
d167af9d09569dfabb234d002b977dd7

SHA1
41d70754e7d74cd351948850caffc1f651aeb3da

SHA256
cf1e706b8e5c3bbf265f4dd1ceaa0461e26d8fffe0af3607d04402f438ac03cf

SHA512
ac9e871b2b49a38477255f718c5cad554d762874ab9fe2d5f9c5d0e14460e891d1cd57d7b39a7cc01a10d4a2365ed8dc0079b7e62a2cf25862db21b2cf2c80f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\palette.raw

Filesize
768B

MD5
f160e6c8175269aac3d0dab34e5960c5

SHA1
f8f646e08d9fce132a5ccb3c081e04e046f81a88

SHA256
5d548a3a3f14b87236079891bf5aab06b5dd2e70f388af14a112304801350afc

SHA512
37dd8986d329cb384e173a9f9ebe3c5abac4bb5f2c850e6b054ae482bd5c3b07cb026754711e48b70e7379be053353a450df0aa73ba7594354ec77d68d2358c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\punktek.tga

Filesize
14KB

MD5
3005b512d240d205351eef1b5ed7cc7e

SHA1
85abdb859d0ed09fea9252cac07f84c1e3a8b159

SHA256
635aa1fe6800f5622482d92204bc4cbf45e3513f8312dfb59764925e78d23800

SHA512
193f54257911fb2794252c7388a6d353acec5b2b9fe2091aafce2e79e3e9f2cb1d066476c22163de200f3ef020858ac1d7ece198beb04886d69f7e17c29b3153

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\purpsi.WDL

Filesize
13KB

MD5
9998c68907133063f3bb8ddf2b0881e6

SHA1
06cd2e7c71fa7f8a259a8f6f61a95406a4666b74

SHA256
93bf171b5ecb187c4d14f7882ab5052e267c07c344d95a453a216512d6161d61

SHA512
cfefc0b64e9de9a41a40cace23ef408a91a7d9bff3ce1f500c35ceddbd33e61f72a548f4dc27069f4f902eece45ba5e7143e2195fd87d3d1818f6fc6cb84bf82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\purpsi.exe

Filesize
752KB

MD5
4ee4514585cecdb7cd3f9156a50899d4

SHA1
d8b89344b0aafaa3ae4232cd6b9ef4c776cf2693

SHA256
4233daccb23fbd9cc40369b507def72720ae88b61278d1de3bd481a774a4930a

SHA512
5e2f5eb8831d8e08d19d3e577e33aee6fe46d04cf00172ca3dab22758f2af7b6b2f94057396285d82f50f550c8a72ee5c6e4904e1075b9771816a3436b9680eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\purpsi.exe

Filesize
710KB

MD5
07f4fe638c1ffe37cf4eeb3369fbb895

SHA1
181f73c3701c928646a9cbad224430e04516a65a

SHA256
e3d74a31308263195a8c369f06fbcabb1f1509cbb4d499aee8fdacd603ca557f

SHA512
74e31990671df052fc295f2720bd625e7d566d3500fabb9d15fd66b0bd684ba3e0300d74ad36be37cfbee1317426aa4f4f3d9cbbebd34943c514549f59d3980a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\purpsi.exe

Filesize
698KB

MD5
000697c598f1084a90510b8e75224af5

SHA1
a8e3f180f20ddf3071141a9193e54cfb310cf1b8

SHA256
f6b906c4d745b8aaaae44fe9b50b0749fb2868b71fee8a62c71e01ba5c7eda27

SHA512
e60c4ee8177aec5995589e5a64a8e1187991b0de77c900bdc9f2e2f4cb4ca3eafd3154fdbd5c8330c929cea46066395a52adb25cd31505bb778fa8ffb265b5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\purpsis.tga

Filesize
23KB

MD5
028b331d9855a12d7aed53f6be0a2c22

SHA1
8183adb2fce9db362d43ff2763714b7daeec9df1

SHA256
b39d1ecd6a24416869e5b7471d4cf0ce498cb84d6f2e804b34c282263dfe2d85

SHA512
2f83b7c21d0f7645bdd0d94f85544fa91f37c55f85c60eecf6e1ce7933ea7d6c51dc0ac56581c501c0268948938a7934797cd38641a96e3277428aaa8143ffed

Download Submit
C:\Users\Admin\AppData\Local\Temp\pck1e240600171\startscreen.tga

Filesize
1.1MB

MD5
29e1c74623e0268abe5e40c2be13ba6b

SHA1
ad79a43516f3371f86155a74fb89d0124942e02f

SHA256
4427b6fc996ade2df7ec5b4ccf777a7ff7eec5df6bc17260110f7403b75776f3

SHA512
20731cdbf0a31373f1bcb2ba44ac605b4ef1f77069fd4769bc931e2a3a87963d870000ba14fa1196fd9d7ea1d66ec7abcc410310ccb470b3e5a41c3627dbe361

Download Submit
memory/2076-91-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads