purelogs | 60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
03/12/2023, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe
Size

1.3MB
MD5

28995fd2b7e5c574cd5c910d2f1fa923
SHA1

38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a
SHA256

60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc
SHA512

ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325
SSDEEP

24576:CIf0vEXsfmUSIPhLNdG0LwXtvhJmyNDnG:xfWtdPzdG0UU

Score

10^/10

purelogs zgrat rat stealer

Malware Config

Signatures

Detect PureLogs payload 7 IoCs

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000B50000-0x0000000000C96000-memory.dmp	family_purelogs
behavioral1/files/0x003400000001463e-2225.dat	family_purelogs
behavioral1/files/0x003400000001463e-2227.dat	family_purelogs
behavioral1/files/0x003400000001463e-2228.dat	family_purelogs
behavioral1/memory/1656-2229-0x00000000003D0000-0x0000000000516000-memory.dmp	family_purelogs
behavioral1/files/0x003400000001463e-2232.dat	family_purelogs
behavioral1/files/0x003400000001463e-2242.dat	family_purelogs

Detect ZGRat V1 28 IoCs

resource	yara_rule
behavioral1/memory/2808-21-0x000000001AFC0000-0x000000001B0A4000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-22-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-27-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-25-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-23-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-29-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-31-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-35-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-33-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-37-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-39-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-45-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-43-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-53-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-55-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-57-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-51-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-49-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-47-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-41-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-59-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-63-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-61-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-65-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-69-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-67-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-71-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-73-0x000000001AFC0000-0x000000001B0A0000-memory.dmp	family_zgrat_v1

PureLogs
PureLogs is an infostealer written in C#.
stealer purelogs
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 2 IoCs

pid	Process
1656	MajorRevision.exe
1368	MajorRevision.exe

Loads dropped DLL 2 IoCs

pid	Process
1644	taskeng.exe
1656	MajorRevision.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 2808	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe	29
PID 1656 set thread context of 1368	1656	MajorRevision.exe	34

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe
Token: SeDebugPrivilege	2808	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe
Token: SeDebugPrivilege	1656	MajorRevision.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2808	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe	29
PID 3068 wrote to memory of 2808	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe	29
PID 3068 wrote to memory of 2808	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe	29
PID 3068 wrote to memory of 2808	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe	29
PID 3068 wrote to memory of 2808	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe	29
PID 3068 wrote to memory of 2808	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe	29
PID 3068 wrote to memory of 2808	3068	60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe	29
PID 1644 wrote to memory of 1656	1644	taskeng.exe	33
PID 1644 wrote to memory of 1656	1644	taskeng.exe	33
PID 1644 wrote to memory of 1656	1644	taskeng.exe	33
PID 1656 wrote to memory of 1368	1656	MajorRevision.exe	34
PID 1656 wrote to memory of 1368	1656	MajorRevision.exe	34
PID 1656 wrote to memory of 1368	1656	MajorRevision.exe	34
PID 1656 wrote to memory of 1368	1656	MajorRevision.exe	34
PID 1656 wrote to memory of 1368	1656	MajorRevision.exe	34
PID 1656 wrote to memory of 1368	1656	MajorRevision.exe	34
PID 1656 wrote to memory of 1368	1656	MajorRevision.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe
"C:\Users\Admin\AppData\Local\Temp\60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe
  C:\Users\Admin\AppData\Local\Temp\60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

C:\Windows\system32\taskeng.exe
taskeng.exe {A4AEBE0D-F65B-400F-97F8-244AC432434E} S-1-5-21-1861898231-3446828954-4278112889-1000:PTZSFKIF\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe
  C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe
    C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe
    3⤵
    - Executes dropped EXE
    PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
C:\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
\Users\Admin\AppData\Local\IsFamilyOrAssembly\tltwzpgtk\MajorRevision.exe

Filesize
1.3MB

MD5
28995fd2b7e5c574cd5c910d2f1fa923

SHA1
38d8be92979b5a6cbb7a45df58cc1d41ce5f7a9a

SHA256
60c0ab0cdcb4e608b2b400d19ad7e6b0705a85628bdf9b8ca42efe16cb07ccbc

SHA512
ad33ea0538c85b21123a71bfb79fab22ba96e45d1f95da0d38b69eeee96d0fc91da620b5a30c771f66600593ccc57293a2073a4888930b9aa8de7bc735da7325

Download Submit
memory/1368-2248-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1368-2247-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1656-2246-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1656-2231-0x00000000021B0000-0x0000000002230000-memory.dmp

Filesize
512KB

Download
memory/1656-2230-0x000007FEF5670000-0x000007FEF605C000-memory.dmp

Filesize
9.9MB

Download
memory/1656-2229-0x00000000003D0000-0x0000000000516000-memory.dmp

Filesize
1.3MB

Download
memory/2808-53-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-41-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-7-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2808-20-0x000000001AF40000-0x000000001AFC0000-memory.dmp

Filesize
512KB

Download
memory/2808-21-0x000000001AFC0000-0x000000001B0A4000-memory.dmp

Filesize
912KB

Download
memory/2808-22-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-27-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-25-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-23-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-29-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-31-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-35-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-33-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-37-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-39-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-45-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-43-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-9-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2808-55-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-57-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-51-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-49-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-47-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-19-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-59-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-63-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-61-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-65-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-69-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-67-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-71-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-73-0x000000001AFC0000-0x000000001B0A0000-memory.dmp

Filesize
896KB

Download
memory/2808-2220-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/2808-2221-0x00000000005B0000-0x0000000000606000-memory.dmp

Filesize
344KB

Download
memory/2808-2222-0x0000000000820000-0x0000000000874000-memory.dmp

Filesize
336KB

Download
memory/2808-2224-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-15-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2808-13-0x000007FFFFFDC000-0x000007FFFFFDD000-memory.dmp

Filesize
4KB

Download
memory/2808-11-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3068-0-0x0000000000B50000-0x0000000000C96000-memory.dmp

Filesize
1.3MB

Download
memory/3068-18-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/3068-6-0x00000000004F0000-0x000000000053C000-memory.dmp

Filesize
304KB

Download
memory/3068-5-0x000000001B130000-0x000000001B1F8000-memory.dmp

Filesize
800KB

Download
memory/3068-4-0x00000000021B0000-0x0000000002278000-memory.dmp

Filesize
800KB

Download
memory/3068-3-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/3068-2-0x000000001B050000-0x000000001B130000-memory.dmp

Filesize
896KB

Download
memory/3068-1-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download