Analysis
-
max time kernel
145s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
21/09/2024, 18:16
General
-
Target
PureWind.exe
-
Size
450KB
-
MD5
3994a103924fedb63c154557879c5f67
-
SHA1
fc029fa96c267f6c3830a80f357671a73b44138d
-
SHA256
6e9cba8c9d1fc6916444dcfbfbdca8439d85790c3e2fb8cfcc54c54b969d9073
-
SHA512
59cf6a3c18af23d92720fa0103cb38a757628761fcf8a783619a477cca183fcb99a6668d67332f527a2d04c7d716a40440f89e73b5269af90f8d04d4a80f711a
-
SSDEEP
12288:rB69jlHPdUzi8Rb1WdeMJzZ7KYuShPckIp3I4FdEV:AVPedghF7KrG0TFI4FdM
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PureWind.exe"C:\Users\Admin\AppData\Local\Temp\PureWind.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\PureWind 清风小说浏览器\2.0.09.1029\2009.10.28T05.28\Virtual\STUBEXE\7.1.343\@APPDATALOCAL@\Temp\PureWind.exe"C:\Users\Admin\AppData\Local\Temp\PureWind.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\PureWind 清风小说浏览器\2.0.09.1029\2009.10.28T05.28\Native\STUBEXE\7.1.343\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 14163⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17KB
MD5cc916bb53ad5f0f5e044bf650cde5994
SHA1a2e92e9f6c105b17a24ab23464ed0bdb6234a324
SHA256c29b37a047b565ed5a8145d8fac578ce3eaeea2106dda7346dfaecf1188fb6c9
SHA512cab3e2642cbb50e8163a36e4c6511d4cc825b38558b81f1a329c60d4ea2e43ce08ae1ed0202706feaa62127ebe6206f82a47347bde56fdbd1719178b5ca8f8f4
-
Filesize
17KB
MD5512508fcf8fb9ce6fd3e49bfe553e9d3
SHA10704979d5e5ad75aa271178d9e594511f413fae1
SHA25656d73eaf88474ba28d872e9bd7252d84f8982713063eb022618d1d8b2111baf4
SHA512c5cf416b7d7352681850eb3161dd6e573255e60173f990e9e47afdb45c98a3576d8111e6055eada6d9d14c0c90df8e12be31b2607fec958e48985b4eea840cd4
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
220KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
4KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
36KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
160KB
-
Filesize
440KB