Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 13-02-2024 01:59
Behavioral task: behavioral1
  Sample: 3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe
  Resource: win10v2004-20231215-en
General

Target: 3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe
Size: 5KB
MD5: c034a0b410854a329c4c6518049778e3
SHA1: 8d07e1fc68f288871193f3097de62dd5e71c338c
SHA256: 3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6
SHA512: 093bfcd6b72fbf8d514b42e62ac49542d188a83414d4a55f9357dd92431da95ab3e6113349c183eeade40ebd6b46dc3ede3687fba178fdc0267a0a760e03ae80
SSDEEP: 48:6RT+77Uf77v3JfzwDtqYQKsF3YJAOakTTK8L+psVtiOl0BqFSpfbNtm:7gz7Q/4oJ9RTCjzNt
Malware Config

Extracted: purecrypter
  https://taastruck.vn/Pkzzw.pdf
Signatures

PureCrypter
  PureCrypter is a .NET malware loader first seen in early 2021.

Program crash (1 IoCs)
  pid   pid_target  Process       procid_target
  2460  2180        WerFault.exe  19

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2180  3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2180 wrote to memory of 2460  2180  3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe  28
  PID 2180 wrote to memory of 2460  2180  3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe  28
  PID 2180 wrote to memory of 2460  2180  3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe  28
  PID 2180 wrote to memory of 2460  2180  3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe  28
Processes

C:\Users\Admin\AppData\Local\Temp\3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a6666e2820fa42ca7b386d7c1029637a717f01c8c550474a0c05a48df3276c6.exe"
  PID: 2180
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1076
    PID: 2460
    - Program crash