File name:	3e727f238ad43bc08e820fd000146acd66d84583468701a830dcd4d200b2f44a.cmd
Full analysis:	https://app.any.run/tasks/a97af8a1-9bd3-4492-bbfd-da57b20a4f3a
Verdict:	Malicious activity
Threats:	First identified in March 2021, PureCrypter is a .NET-based loader that employs obfuscation techniques, such as SmartAssembly, to evade detection. It has been used to distribute malware families including AgentTesla, RedLine Stealer, and SnakeKeylogger. The malware is typically delivered through phishing campaigns and malicious downloads, often masquerading as legitimate files with extensions like .mp4 or .pdf. PureCrypter utilizes encryption and compression to conceal its payloads and can inject malicious code into legitimate processes to maintain persistence on the infected system. Malware Trends Tracker >>>
Analysis date:	July 18, 2024, 15:55:14
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	purecrypter pureminer netreactor
Indicators:
MIME:	text/plain
File info:	ASCII text, with very long lines (58014), with CRLF line terminators
MD5:	879EEE31C984C6050AC356727257417A
SHA1:	C02A9C76BCCF2890E87FD9E89CF0D24A9701C799
SHA256:	3E727F238AD43BC08E820FD000146ACD66D84583468701A830DCD4D200B2F44A
SSDEEP:	24576:7wbcSBEwAvAY/3Sn7dFcR7VsWjI2Ce/J4:7wlqCWZ5m


(PID) Process:	(7260) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(7260) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(7260) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(7260) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(8144) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(8144) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(8144) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(8144) cmd.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1484) ComputerDefaults.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(7456) powershell.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1

PID	Process	Filename		Type
7260	powershell.exe	C:\Windows \System32\ComputerDefaults.exe		executable
		MD5:D25A9E160E3B74EF2242023726F15416	SHA256:7B0334C329E40A542681BCAFF610AE58ADA8B1F77FF6477734C1B8B9A951EF4C
7260	powershell.exe	C:\Users\admin\AppData\Local\Temp\SC.cmd		text
		MD5:879EEE31C984C6050AC356727257417A	SHA256:3E727F238AD43BC08E820FD000146ACD66D84583468701A830DCD4D200B2F44A
7260	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_41khi5sl.lfm.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7260	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ezrn1kwg.3bz.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7260	powershell.exe	C:\Users\admin\AppData\Local\Temp\MLANG.dll		executable
		MD5:65D0E22E70DD47D9727415D5313773D3	SHA256:8C6D95686456455F0279A9D3D6B639E54B31668613974745329FE1FEE03A53B8
7456	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ae2vezb4.pny.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7260	powershell.exe	C:\Windows \System32\MLANG.dll		executable
		MD5:65D0E22E70DD47D9727415D5313773D3	SHA256:8C6D95686456455F0279A9D3D6B639E54B31668613974745329FE1FEE03A53B8
6764	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ComputerDefaults_242f58be848d8bf95b83bb546cb6f7e0c14d8c_cbb704b4_c0bede87-1eda-46b5-8f1a-9f8fb38bee26\Report.wer		—
		MD5:—	SHA256:—
7260	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SCV.cmd		text
		MD5:879EEE31C984C6050AC356727257417A	SHA256:3E727F238AD43BC08E820FD000146ACD66D84583468701A830DCD4D200B2F44A
7456	powershell.exe	C:\Users\admin\AppData\Roaming\SCV.cmd		text
		MD5:879EEE31C984C6050AC356727257417A	SHA256:3E727F238AD43BC08E820FD000146ACD66D84583468701A830DCD4D200B2F44A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7260	powershell.exe	GET	—	95.164.4.238:80	http://95.164.4.238/plugin3.dll	unknown	—	—	unknown
—	—	GET	200	20.223.36.55:443	https://fd.api.iris.microsoft.com/v4/api/selection?&asid=641F151CCD014425BC59FD5BBF2CAE90&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&arch=AMD64&chassis=1&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19045.4046&dinst=1661339444&dmret=0&flightbranch=&flightring=Retail&icluc=0&localid=w%3AAC7699B0-48EA-FD22-C8DC-06A02098A0F0&oem=DELL&osbranch=vb_release&oslocale=en-US&osret=1&ossku=Professional&osskuid=48&prccn=4&prccs=3094&prcmf=AuthenticAMD&procm=Intel%28R%29%20Core%28TM%29%20i5-6400%20CPU%20%40%202.70GHz&ram=4096&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=15.3&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=260281&frdsk=218544&lo=3609114&tsu=999644	unknown	binary	102 b	—
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	—
—	—	POST	200	4.209.32.198:443	https://licensing.mp.microsoft.com/v7.0/licenses/content	unknown	binary	8.06 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	20.199.58.43:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4716	svchost.exe	40.126.31.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
7856	svchost.exe	4.209.32.67:443	licensing.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
—	—	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6556	backgroundTaskHost.exe	20.31.169.57:443	fd.api.iris.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
2760	svchost.exe	40.113.103.199:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2760	svchost.exe	40.113.110.67:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
arc.msn.com	20.199.58.43	whitelisted
login.live.com	40.126.31.73 20.190.159.23 20.190.159.0 20.190.159.73 20.190.159.68 20.190.159.2 20.190.159.4 20.190.159.64	whitelisted
google.com	216.58.206.78	whitelisted
fd.api.iris.microsoft.com	20.31.169.57	whitelisted
client.wns.windows.com	40.113.110.67 40.113.103.199	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
licensing.mp.microsoft.com	4.209.32.67	whitelisted

PID	Process	Class	Message
7260	powershell.exe	Malware Command and Control Activity Detected	LOADER [ANY.RUN] PureLoader Download Attempt (LOAD)
—	—	Generic Protocol Command Decode	SURICATA HTTP Request unrecognized authorization method
7260	powershell.exe	Potentially Bad Traffic	ET INFO Dotted Quad Host DLL Request

General Info

3e727f238ad43bc08e820fd000146acd66d84583468701a830dcd4d200b2f44a.cmd

879EEE31C984C6050AC356727257417A

C02A9C76BCCF2890E87FD9E89CF0D24A9701C799

3E727F238AD43BC08E820FD000146ACD66D84583468701A830DCD4D200B2F44A

24576:7wbcSBEwAvAY/3Sn7dFcR7VsWjI2Ce/J4:7wlqCWZ5m

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

Uses AES cipher (POWERSHELL)

Dynamically loads an assembly (POWERSHELL)

Drops the executable file immediately after the start

Changes powershell execution policy (Bypass)

Create files in the Startup directory

Adds path to the Windows Defender exclusion list

Bypass execution policy to execute commands

Run PowerShell with an invisible window

PUREMINER has been detected (YARA)

PURECRYPTER has been detected (SURICATA)

SUSPICIOUS

Application launched itself

Starts CMD.EXE for commands execution

Executing commands from ".cmd" file

Starts POWERSHELL.EXE for commands execution

Uses base64 encoding (POWERSHELL)

Cryptography encrypted command line is found

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

The process hide an interactive prompt from the user

The process hides Powershell's copyright startup banner

The process bypasses the loading of PowerShell profile settings

Process checks specific path in scheduled tasks

Probably obfuscated PowerShell command line is found

Script adds exclusion path to Windows Defender

The process deletes folder without confirmation

Contacting a server suspected of hosting an CnC

Connects to unusual port

Executes application which crashes

INFO

Checks current location (POWERSHELL)

Uses string split method (POWERSHELL)

Uses string replace method (POWERSHELL)

Gets data length (POWERSHELL)

Reads Microsoft Office registry keys

Checks supported languages

Reads the computer name

Script raised an exception (POWERSHELL)

.NET Reactor protector has been detected

Disables trace logs

Checks proxy server information

Creates files or folders in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules