purelogstealer | 9c4b7f8a8732beb18b38ad4a4a853727cfb3da38666b45c4051c76801536bf22

Analysis

max time kernel
134s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG79600253.exe
Size

66KB
MD5

2451fe4d6f61c5160d2c938c144a8a53
SHA1

ab101316ff60cda1b7a4bfc1d535c234c0d60936
SHA256

9c4b7f8a8732beb18b38ad4a4a853727cfb3da38666b45c4051c76801536bf22
SHA512

abc4246b910ac8c997d9f0ec07116f9035e97a2a0410b90414c4ce8bd3deaf2a05c19428749d3ffd486e01ac70979df7a54231b521331092d5d2cbbe7bc95329
SSDEEP

1536:Puca4wJAD99k/5/CuojaFLEf2X9JT8GJQ2Hs3hGH:HaP09NgJAGJQ2HpH

Score

10^/10

purelogstealer persistence stealer

Malware Config

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023380-4893.dat	family_purelog_stealer
behavioral2/memory/4692-4901-0x0000000000D50000-0x0000000000D6A000-memory.dmp	family_purelog_stealer

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	IMG79600253.exe

Executes dropped EXE 1 IoCs

pid	Process
4692	Mrmjzj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uvef = "C:\\Users\\Admin\\AppData\\Roaming\\uvef.exe"	IMG79600253.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uvef = "C:\\Users\\Admin\\AppData\\Roaming\\uvef.exe"	Mrmjzj.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3508 set thread context of 2652	3508	IMG79600253.exe	92
PID 4692 set thread context of 2560	4692	Mrmjzj.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4080	2652	WerFault.exe	92

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2560	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	IMG79600253.exe
Token: SeDebugPrivilege	3508	IMG79600253.exe
Token: SeDebugPrivilege	4692	Mrmjzj.exe
Token: SeDebugPrivilege	4692	Mrmjzj.exe
Token: SeDebugPrivilege	2560	RegAsm.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4692	3508	IMG79600253.exe	91
PID 3508 wrote to memory of 4692	3508	IMG79600253.exe	91
PID 3508 wrote to memory of 4692	3508	IMG79600253.exe	91
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 3508 wrote to memory of 2652	3508	IMG79600253.exe	92
PID 4692 wrote to memory of 2560	4692	Mrmjzj.exe	101
PID 4692 wrote to memory of 2560	4692	Mrmjzj.exe	101
PID 4692 wrote to memory of 2560	4692	Mrmjzj.exe	101
PID 4692 wrote to memory of 2560	4692	Mrmjzj.exe	101
PID 4692 wrote to memory of 2560	4692	Mrmjzj.exe	101
PID 4692 wrote to memory of 2560	4692	Mrmjzj.exe	101
PID 4692 wrote to memory of 2560	4692	Mrmjzj.exe	101
PID 4692 wrote to memory of 2560	4692	Mrmjzj.exe	101

C:\Users\Admin\AppData\Local\Temp\IMG79600253.exe
"C:\Users\Admin\AppData\Local\Temp\IMG79600253.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\Mrmjzj.exe
  "C:\Users\Admin\AppData\Local\Temp\Mrmjzj.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 572
    3⤵
    - Program crash
    PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2652 -ip 2652
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mrmjzj.exe

Filesize
93KB

MD5
93e85d15ef93ddf8ac964f84d9bec664

SHA1
e3d58cca51afd2449a11a8a18c5a0f871dbca59c

SHA256
816bb9cdaa18ffba5dbcedf69298718caac8a4ff6c674300a9299d0584a236c9

SHA512
acd703192f69af97cd6d288ad43b3b6dc6e711c7747f25af05a0f0fe3619b5c503857d0f6dbe93b4d5dd411b8f0a51cf25b8596396c756cf7f3faed57b00c49c

Download Submit
\??\c:\users\admin\appdata\roaming\uvef.exe

Filesize
93KB

MD5
79fefc82f4031ede1780a7f28f9321be

SHA1
b418bdb6987a028736cf5af5be26f00c62a9a2b3

SHA256
c6b24c286af025d86df4b6d5dce48a6a4308cb5316633c6ae60a7cf8139e4f52

SHA512
f1ff69ea03f8e845c27c59f05a991d61c9b5399477ab334152bd0f7aa948655ecd767f915dce3fa31f81fcba8e84b0468c99f57250ec442cfde063719b67c20a

Download Submit
memory/2560-9813-0x0000000000800000-0x00000000008BA000-memory.dmp

Filesize
744KB

Download
memory/2560-9814-0x0000000004CF0000-0x0000000004DB6000-memory.dmp

Filesize
792KB

Download
memory/2560-10670-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/2560-10669-0x0000000004FA0000-0x0000000004FF6000-memory.dmp

Filesize
344KB

Download
memory/2560-10668-0x0000000004F90000-0x0000000004F98000-memory.dmp

Filesize
32KB

Download
memory/3508-19-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-7-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-5-0x00000000073A0000-0x0000000007432000-memory.dmp

Filesize
584KB

Download
memory/3508-9-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-16-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-21-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-27-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-29-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-47-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-55-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-53-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-51-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-49-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-45-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-43-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-41-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-39-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-37-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-35-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-33-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-25-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-23-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-31-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-3-0x00000000070D0000-0x0000000007306000-memory.dmp

Filesize
2.2MB

Download
memory/3508-17-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-14-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-11-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-4-0x00000000078B0000-0x0000000007E54000-memory.dmp

Filesize
5.6MB

Download
memory/3508-6-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-57-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-65-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-63-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-61-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-59-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-69-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-67-0x00000000070D0000-0x0000000007300000-memory.dmp

Filesize
2.2MB

Download
memory/3508-4886-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3508-4888-0x0000000005860000-0x00000000058AC000-memory.dmp

Filesize
304KB

Download
memory/3508-4887-0x00000000057F0000-0x0000000005862000-memory.dmp

Filesize
456KB

Download
memory/3508-4900-0x0000000005BD0000-0x0000000005C24000-memory.dmp

Filesize
336KB

Download
memory/3508-4910-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3508-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/3508-1-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/3508-2-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4692-4924-0x0000000002F80000-0x0000000002F86000-memory.dmp

Filesize
24KB

Download
memory/4692-4925-0x0000000006740000-0x0000000006A06000-memory.dmp

Filesize
2.8MB

Download
memory/4692-9806-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4692-9807-0x0000000006600000-0x0000000006702000-memory.dmp

Filesize
1.0MB

Download
memory/4692-9808-0x0000000006A00000-0x0000000006A66000-memory.dmp

Filesize
408KB

Download
memory/4692-9815-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4692-4923-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4692-4903-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/4692-4901-0x0000000000D50000-0x0000000000D6A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads