Analysis
max time kernel: 98s
max time network: 100s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-12-2024 18:07
Static task: static1
Behavioral task: behavioral1
Sample: Pure Crypter (1).zip
Resource: win11-20241007-en
General
Target: Pure Crypter (1).zip
Size: 573KB
MD5: daaf4e3e5063a7cfde66645f3773a074
SHA1: 46a4e53bed8a45c310acc126070ec55eded1a48c
SHA256: e6ff503eac9d6fae82eeeeeddc60b922cf5ecc19097ce8740e5b758b6089eecd
SHA512: 88311cb920d2a27f8d97dc5d88170675fd5881851ccdb30924d4c3d46ea64b33af1382aad7b32fe92f6cd520140ba33db3e8e646defe38bc0038d182c548c38b
SSDEEP: 12288:mJ7f/zwebBE+hyCQAmNVxLZEr1J45WQMebBE+hyCQAmNVxLZEr1J45WQ1:mJ7jBPkCkNVx9Ef4cQLBPkCkNVx9Ef4D
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
resource | yara_rule
behavioral1/memory/4612-110-0x0000000001280000-0x00000000012D6000-memory.dmp | family_redline
behavioral1/memory/5104-123-0x0000000001400000-0x0000000001456000-memory.dmp | family_redline
behavioral1/memory/2776-128-0x0000000000720000-0x0000000000776000-memory.dmp | family_redline
behavioral1/memory/4980-133-0x0000000000730000-0x0000000000786000-memory.dmp | family_redline
behavioral1/memory/564-153-0x0000000001370000-0x00000000013C6000-memory.dmp | family_redline
Redline family
Executes dropped EXE (5 IoCs)
pid | Process
4612 | Pure Crypter.exe
5104 | Pure Crypter.exe
2776 | Pure Crypter.exe
4980 | Pure Crypter.exe
564 | Pure Crypter.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pure Crypter.exe
(5 identical entries, one per Pure Crypter.exe instance; see the five PIDs under "Executes dropped EXE")
Note: this key is also read by many benign programs during locale initialisation, so on its own the hit is low-signal; it matters here only because it is the one behaviour the report attributes to the sample itself.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Note: all three hits come from taskmgr.exe (PID 3576), the Task Manager window opened during the interactive session, not from the sample. Do not read this as sandbox evasion by Pure Crypter.exe.
Suspicious behavior: EnumeratesProcesses (58 IoCs)
pid | Process
3576 | taskmgr.exe (58 identical entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 4016 | 7zFM.exe
Token: 35 | 4016 | 7zFM.exe
Token: SeSecurityPrivilege | 4016 | 7zFM.exe
Token: SeDebugPrivilege | 3576 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3576 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3576 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
4016 | 7zFM.exe (2 entries)
3576 | taskmgr.exe (remaining entries)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
3576 | taskmgr.exe (64 identical entries)
Note: every entry in these four signatures belongs to 7zFM.exe (the 7-Zip window used to open the archive) or taskmgr.exe (Task Manager), both started by the operator during the interactive run. None is attributed to Pure Crypter.exe, so they describe the analysis session rather than the sample; the sample's own footprint in this report is the five in-memory RedLine hits and the NLS\Language reads.
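Added example (not part of the sandbox report or of any tool it names): a small Python parser for the YARA memory-hit rows and the "Executes dropped EXE" rows exactly as they appear on this page. It turns each hit's address range into a region size, joins the PIDs to process names, and groups hits by (rule, size). The input strings are constructed by copying the report's rows; the row formats (`<task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp <rule>` and `<pid> <process>`) are an assumption drawn from this page, not a documented schema.

```python
import re
from collections import defaultdict

# Constructed input: the five family_redline YARA hits and the dropped-EXE rows
# copied from the report above. Nothing is fetched from the sandbox.
YARA_HITS = """\
behavioral1/memory/4612-110-0x0000000001280000-0x00000000012D6000-memory.dmp family_redline
behavioral1/memory/5104-123-0x0000000001400000-0x0000000001456000-memory.dmp family_redline
behavioral1/memory/2776-128-0x0000000000720000-0x0000000000776000-memory.dmp family_redline
behavioral1/memory/4980-133-0x0000000000730000-0x0000000000786000-memory.dmp family_redline
behavioral1/memory/564-153-0x0000000001370000-0x00000000013C6000-memory.dmp family_redline
"""

DROPPED_EXE = """\
4612 Pure Crypter.exe
5104 Pure Crypter.exe
2776 Pure Crypter.exe
4980 Pure Crypter.exe
564 Pure Crypter.exe
"""

# Assumed row layout: <task>/memory/<pid>-<seq>-<start>-<end>-memory.dmp <rule>
HIT_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
# Assumed row layout: <pid> <process name>
PROC_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<name>.+?)\s*$")


def parse_hits(text):
    """Turn YARA memory-hit rows into dicts with integer pid, start, end and size."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a memory-hit row
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({
            "pid": int(m["pid"]), "rule": m["rule"],
            "start": start, "end": end, "size": end - start,
        })
    return hits


def parse_processes(text):
    """Map pid -> process name from the 'pid Process' rows."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m["pid"])] = m["name"]
    return procs


def summarize(hits, procs):
    """Group hits by (rule, region size) and attach process names for each pid.

    Identical region sizes across processes are a hint that the same decrypted
    image was matched in each one, i.e. one payload per launch of the loader.
    """
    groups = defaultdict(list)
    for h in hits:
        groups[(h["rule"], h["size"])].append(h["pid"])
    return {
        key: {
            "pids": pids,
            "processes": sorted({procs.get(p, "<unknown>") for p in pids}),
            "count": len(pids),
            "size_hex": hex(key[1]),
        }
        for key, pids in groups.items()
    }


def regions_overlap(hits):
    """True if two hits within the same pid overlap (would indicate duplicate dumps)."""
    by_pid = defaultdict(list)
    for h in hits:
        by_pid[h["pid"]].append((h["start"], h["end"]))
    for ranges in by_pid.values():
        ranges.sort()
        for (_, e1), (s2, _) in zip(ranges, ranges[1:]):
            if s2 < e1:
                return True
    return False


if __name__ == "__main__":
    hits = parse_hits(YARA_HITS)
    for (rule, size), info in summarize(hits, parse_processes(DROPPED_EXE)).items():
        print(f"{rule}: {info['count']} hits, region size {info['size_hex']} "
              f"({size} bytes) in {', '.join(info['processes'])}, pids={info['pids']}")
```

On this report every hit resolves to a 0x56000-byte region (352256 bytes) inside a different Pure Crypter.exe instance, at a different base address each time. That is the pattern expected from a loader decrypting and mapping one embedded payload on every run; the report does not say whether the five regions are byte-identical, and the script does not claim that, only that their sizes match.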
Processes
(All entries are top-level, depth 1; the report records no parent/child relationship between them.)
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Pure Crypter (1).zip"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4016
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:1008
  (Standard shell32 out-of-process COM server hosting by Explorer; not a child of the sample.)
- C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter.exe
  Command line: "C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4612
- C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter.exe
  Command line: "C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5104
- C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter.exe
  Command line: "C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2776
- C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter.exe
  Command line: "C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3576
- C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter\Pure Crypter.exe
  Command line: "C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter\Pure Crypter.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:564
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Pure Crypter\Pure Crypter\MinGW Builder.bat" "
  PID:2952
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 45KB
  MD5: 1cf45ba86c6825a3d79909a4797e873b
  SHA1: f3e738fada6cdfb83b437ce964ddf1bdf7d1b9c4
  SHA256: 38a35e979d2a1611e925b21473e7a2210a4a4f72d1383412d2a38032a6d365d9
  SHA512: 519a37deac7d64dad6645fe2aabe656d9aafec7c6e69009adb45a312d5ede96137115e9c895d4336a1c6f26e0d181b26eb1ec1844d9ec9e2c17f808d5f7ffafe
- Filesize: 506KB
  MD5: e5fb57e8214483fd395bd431cb3d1c4b
  SHA1: 60e22fc9e0068c8156462f003760efdcac82766b
  SHA256: e389fc5782f754918a10b020adcd8faa11c25658b8d6f8cbc49f9ac3a7637684
  SHA512: dc2ed0421db7dd5a3afeacb6a9f5017c97fc07d0b2d1745b50ede50087a58245d31d6669077a672b32541dbfa233ef87260a37be48de3bd407d8c587fc903d89
- Filesize: 1KB
  MD5: 4ea0e116a7da16745fe3d5cb811e8f42
  SHA1: 40d50a42a192196d4e93697369ea1801bbee5200
  SHA256: fbcbaf354febeee36e5b290b46e747dcd94109687a5d6d5c8b16175c35de8716
  SHA512: 9f766bf079839cb1442c4cef7e7a96f926d4c0b09affc18bb8e8f289281ca173c33d52784b62f03957cfdb288c1333ea92ba8c88cd72ad3e2148176a951fda0e