purelogs | d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

Analysis

max time kernel
148s
max time network
144s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
03/12/2023, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe
Size

1.2MB
MD5

ba30ecbbd32cbd96717cd1c7556d8a5b
SHA1

c6a0abe5f547383129058c847271019d31fec8b7
SHA256

d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e
SHA512

c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45
SSDEEP

24576:i2nhtFQReM4sclf0ILvRvhdKOPGnqEWMoBgRl0MZNNx:isGefsclL6OPGqJBgjlrN

Score

10^/10

purelogs xmrig zgrat miner rat stealer

Malware Config

Signatures

Detect PureLogs payload 4 IoCs

resource	yara_rule
behavioral1/memory/4248-0-0x000001CCCA6E0000-0x000001CCCA820000-memory.dmp	family_purelogs
behavioral1/files/0x000700000001ab93-21.dat	family_purelogs
behavioral1/files/0x000700000001ab93-22.dat	family_purelogs
behavioral1/files/0x000700000001ab93-26.dat	family_purelogs

Detect ZGRat V1 1 IoCs

resource	yara_rule
behavioral1/memory/1260-11-0x000002354D660000-0x000002354D760000-memory.dmp	family_zgrat_v1

PureLogs
PureLogs is an infostealer written in C#.
stealer purelogs
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/4136-46-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-47-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-48-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-50-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-51-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-52-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-53-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-54-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-55-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-61-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-62-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4136-63-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
2892	TypeId.exe
916	TypeId.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4248 set thread context of 1260	4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe	72
PID 2892 set thread context of 916	2892	TypeId.exe	74
PID 916 set thread context of 768	916	TypeId.exe	75
PID 768 set thread context of 3500	768	RegSvcs.exe	76
PID 3500 set thread context of 4136	3500	RegSvcs.exe	77

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe
2892	TypeId.exe
768	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe
3500	RegSvcs.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
648	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe
Token: SeDebugPrivilege	1260	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe
Token: SeDebugPrivilege	2892	TypeId.exe
Token: SeDebugPrivilege	916	TypeId.exe
Token: SeDebugPrivilege	768	RegSvcs.exe
Token: SeDebugPrivilege	3500	RegSvcs.exe
Token: SeLockMemoryPrivilege	4136	AddInProcess.exe
Token: SeLockMemoryPrivilege	4136	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4136	AddInProcess.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4248 wrote to memory of 1260	4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe	72
PID 4248 wrote to memory of 1260	4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe	72
PID 4248 wrote to memory of 1260	4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe	72
PID 4248 wrote to memory of 1260	4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe	72
PID 4248 wrote to memory of 1260	4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe	72
PID 4248 wrote to memory of 1260	4248	d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe	72
PID 2892 wrote to memory of 916	2892	TypeId.exe	74
PID 2892 wrote to memory of 916	2892	TypeId.exe	74
PID 2892 wrote to memory of 916	2892	TypeId.exe	74
PID 2892 wrote to memory of 916	2892	TypeId.exe	74
PID 2892 wrote to memory of 916	2892	TypeId.exe	74
PID 2892 wrote to memory of 916	2892	TypeId.exe	74
PID 916 wrote to memory of 768	916	TypeId.exe	75
PID 916 wrote to memory of 768	916	TypeId.exe	75
PID 916 wrote to memory of 768	916	TypeId.exe	75
PID 916 wrote to memory of 768	916	TypeId.exe	75
PID 916 wrote to memory of 768	916	TypeId.exe	75
PID 916 wrote to memory of 768	916	TypeId.exe	75
PID 768 wrote to memory of 3500	768	RegSvcs.exe	76
PID 768 wrote to memory of 3500	768	RegSvcs.exe	76
PID 768 wrote to memory of 3500	768	RegSvcs.exe	76
PID 768 wrote to memory of 3500	768	RegSvcs.exe	76
PID 768 wrote to memory of 3500	768	RegSvcs.exe	76
PID 768 wrote to memory of 3500	768	RegSvcs.exe	76
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77
PID 3500 wrote to memory of 4136	3500	RegSvcs.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe
"C:\Users\Admin\AppData\Local\Temp\d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248
- C:\Users\Admin\AppData\Local\Temp\d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe
  C:\Users\Admin\AppData\Local\Temp\d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1260

C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
  C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3500
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RegSvcs.exe.log

Filesize
1KB

MD5
c59f53fdcc8060e77447ed9ebf9dc926

SHA1
0f1d44782f283b315a2ad6fe37727bdc188ea21c

SHA256
cf0159b7d6cca6fe61a234db3b0902459af8a6af8b9f3e5d5c52bbb4231cd44d

SHA512
1e504b99e4bc4dbf23b7545bfb2101f51ef81558eeacac41e1c9192ecf81e6017a72e89e273023df5bd806ae71ced6cef5c0f00cf91974e75a208638bfe07f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log

Filesize
1KB

MD5
c59f53fdcc8060e77447ed9ebf9dc926

SHA1
0f1d44782f283b315a2ad6fe37727bdc188ea21c

SHA256
cf0159b7d6cca6fe61a234db3b0902459af8a6af8b9f3e5d5c52bbb4231cd44d

SHA512
1e504b99e4bc4dbf23b7545bfb2101f51ef81558eeacac41e1c9192ecf81e6017a72e89e273023df5bd806ae71ced6cef5c0f00cf91974e75a208638bfe07f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e.exe.log

Filesize
1KB

MD5
c59f53fdcc8060e77447ed9ebf9dc926

SHA1
0f1d44782f283b315a2ad6fe37727bdc188ea21c

SHA256
cf0159b7d6cca6fe61a234db3b0902459af8a6af8b9f3e5d5c52bbb4231cd44d

SHA512
1e504b99e4bc4dbf23b7545bfb2101f51ef81558eeacac41e1c9192ecf81e6017a72e89e273023df5bd806ae71ced6cef5c0f00cf91974e75a208638bfe07f20

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe

Filesize
1.2MB

MD5
ba30ecbbd32cbd96717cd1c7556d8a5b

SHA1
c6a0abe5f547383129058c847271019d31fec8b7

SHA256
d88b4a9076f8711e1d7f5593e626581c2d158a6f984baa6459f4f505e8748c3e

SHA512
c642f11ac4128410cf25096bc97963b73d04f10dee4e0f9b0dfd78a4ed93f4260882a2315b66327c9f4e766c15593fbc79c2b82093f0874044111170047f0d45

Download Submit
memory/768-41-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/768-36-0x000001191CAE0000-0x000001191CAF0000-memory.dmp

Filesize
64KB

Download
memory/768-35-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/916-37-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/916-29-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/916-30-0x000001742EDD0000-0x000001742EDE0000-memory.dmp

Filesize
64KB

Download
memory/916-33-0x000001742EDD0000-0x000001742EDE0000-memory.dmp

Filesize
64KB

Download
memory/916-34-0x000001742EDD0000-0x000001742EDE0000-memory.dmp

Filesize
64KB

Download
memory/1260-15-0x0000023533520000-0x0000023533528000-memory.dmp

Filesize
32KB

Download
memory/1260-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1260-17-0x000002354D5C0000-0x000002354D614000-memory.dmp

Filesize
336KB

Download
memory/1260-20-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/1260-16-0x0000023534E40000-0x0000023534E96000-memory.dmp

Filesize
344KB

Download
memory/1260-11-0x000002354D660000-0x000002354D760000-memory.dmp

Filesize
1024KB

Download
memory/1260-14-0x000002354D650000-0x000002354D660000-memory.dmp

Filesize
64KB

Download
memory/1260-12-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-23-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/2892-24-0x00000202E3B20000-0x00000202E3B30000-memory.dmp

Filesize
64KB

Download
memory/2892-31-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/3500-43-0x0000020F7FA00000-0x0000020F7FA10000-memory.dmp

Filesize
64KB

Download
memory/3500-58-0x0000020F7FA00000-0x0000020F7FA10000-memory.dmp

Filesize
64KB

Download
memory/3500-60-0x0000020F7FA00000-0x0000020F7FA10000-memory.dmp

Filesize
64KB

Download
memory/3500-59-0x0000020F7FA00000-0x0000020F7FA10000-memory.dmp

Filesize
64KB

Download
memory/3500-57-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/3500-45-0x0000020F7FA00000-0x0000020F7FA10000-memory.dmp

Filesize
64KB

Download
memory/3500-44-0x0000020F7FA00000-0x0000020F7FA10000-memory.dmp

Filesize
64KB

Download
memory/3500-42-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/4136-53-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-62-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-65-0x0000026DE11C0000-0x0000026DE11E0000-memory.dmp

Filesize
128KB

Download
memory/4136-64-0x0000026DE11C0000-0x0000026DE11E0000-memory.dmp

Filesize
128KB

Download
memory/4136-63-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-46-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-47-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-48-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-49-0x0000026DE1140000-0x0000026DE1160000-memory.dmp

Filesize
128KB

Download
memory/4136-50-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-51-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-52-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-54-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-55-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-61-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4136-56-0x0000026DE1180000-0x0000026DE11C0000-memory.dmp

Filesize
256KB

Download
memory/4248-5-0x000001CCE5090000-0x000001CCE5160000-memory.dmp

Filesize
832KB

Download
memory/4248-13-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/4248-6-0x000001CCE4DC0000-0x000001CCE4DD0000-memory.dmp

Filesize
64KB

Download
memory/4248-7-0x000001CCCC430000-0x000001CCCC47C000-memory.dmp

Filesize
304KB

Download
memory/4248-1-0x000001CCE4C80000-0x000001CCE4D6A000-memory.dmp

Filesize
936KB

Download
memory/4248-2-0x000001CCE4DD0000-0x000001CCE4EB8000-memory.dmp

Filesize
928KB

Download
memory/4248-3-0x00007FFC8C940000-0x00007FFC8D32C000-memory.dmp

Filesize
9.9MB

Download
memory/4248-4-0x000001CCE4EC0000-0x000001CCE4F90000-memory.dmp

Filesize
832KB

Download
memory/4248-0-0x000001CCCA6E0000-0x000001CCCA820000-memory.dmp

Filesize
1.2MB

Download