Analysis
- max time kernel: 132s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-08-2024 16:22
Behavioral task: behavioral1
- Sample: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe
- Resource: win7-20240705-en

Behavioral task: behavioral2
- Sample: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe
- Resource: win10v2004-20240802-en
General
- Target: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe
- Size: 976KB
- MD5: 902f14b6f32cc40a82d6a0f2c41208ec
- SHA1: c01e5bc3e9dbb84a5b36841045055999fc0a16cf
- SHA256: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
- SHA512: d55e184309e122ffbe3097bfb64b3e23829228cd16030dca5856bfa1725bc60c2da04bf04c8919ca658ca4b7b03e4be6e6bc9240b5816903609969213be2f97c
- SSDEEP: 24576:1Ibj07xMVrpydHnnDfiDw8PZIykCu3oxmv2GX:1+ukYxDqnZTlns2
Malware Config
Signatures
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
- PureLog Stealer payload (2 IoCs)
  - resource: behavioral2/memory/428-1-0x0000000000560000-0x000000000065A000-memory.dmp, yara_rule: family_purelog_stealer
  - resource: behavioral2/files/0x00070000000234cf-1098.dat, yara_rule: family_purelog_stealer
- Suspicious use of NtCreateUserProcessOtherParentProcess (3 IoCs)
  - description: PID 428 created 3512, pid: 428, Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe, procid_target: 56
  - description: PID 860 created 3512, pid: 860, Process: jmhe.exe, procid_target: 56
  - description: PID 4928 created 3512, pid: 4928, Process: jmhe.exe, procid_target: 56
- Executes dropped EXE (4 IoCs)
  - pid: 860, Process: jmhe.exe
  - pid: 4324, Process: jmhe.exe
  - pid: 4928, Process: jmhe.exe
  - pid: 3312, Process: jmhe.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  - description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe", Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe
- Suspicious use of SetThreadContext (3 IoCs)
  - description: PID 428 set thread context of 3360, pid: 428, Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe, procid_target: 94
  - description: PID 860 set thread context of 4324, pid: 860, Process: jmhe.exe, procid_target: 99
  - description: PID 4928 set thread context of 3312, pid: 4928, Process: jmhe.exe, procid_target: 109
- Drops file in Windows directory (1 IoCs)
  - description: File created, ioc: C:\Windows\Tasks\Test Task17.job, Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe
- System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: jmhe.exe
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: jmhe.exe
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: jmhe.exe
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: jmhe.exe
  - description: Key opened, ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - pid: 428, Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe
  - pid: 860, Process: jmhe.exe
  - pid: 4928, Process: jmhe.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - description: Token: SeDebugPrivilege, pid: 428, Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe (2 entries)
  - description: Token: SeDebugPrivilege, pid: 860, Process: jmhe.exe (2 entries)
  - description: Token: SeDebugPrivilege, pid: 4928, Process: jmhe.exe (2 entries)
- Suspicious use of WriteProcessMemory (24 IoCs)
  - description: PID 428 wrote to memory of 3360, pid: 428, Process: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe, procid_target: 94 (8 entries)
  - description: PID 860 wrote to memory of 4324, pid: 860, Process: jmhe.exe, procid_target: 99 (8 entries)
  - description: PID 4928 wrote to memory of 3312, pid: 4928, Process: jmhe.exe, procid_target: 109 (8 entries)
Processes
- C:\Windows\Explorer.EXE (PID 3512)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe (PID 428)
    Command line: "C:\Users\Admin\AppData\Local\Temp\81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe (PID 3360)
    Command line: "C:\Users\Admin\AppData\Local\Temp\81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\ProgramData\vqml\jmhe.exe (PID 4324)
    Command line: "C:\ProgramData\vqml\jmhe.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  - C:\ProgramData\vqml\jmhe.exe (PID 3312)
    Command line: "C:\ProgramData\vqml\jmhe.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
- C:\ProgramData\vqml\jmhe.exe (PID 860)
  Command line: C:\ProgramData\vqml\jmhe.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\ProgramData\vqml\jmhe.exe (PID 4928)
  Command line: C:\ProgramData\vqml\jmhe.exe
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 976KB
  MD5: 902f14b6f32cc40a82d6a0f2c41208ec
  SHA1: c01e5bc3e9dbb84a5b36841045055999fc0a16cf
  SHA256: 81f91061c650c2d9fdeab6a9d8be220a93d46f930d5c435e4a00c511236a4caa
  SHA512: d55e184309e122ffbe3097bfb64b3e23829228cd16030dca5856bfa1725bc60c2da04bf04c8919ca658ca4b7b03e4be6e6bc9240b5816903609969213be2f97c
- Filesize: 230B
  MD5: 7e78d304114b1a2dc9abf2ae860dd825
  SHA1: 1bfd050b2e653a0db037b6c663f27027e52dfc5a
  SHA256: bd8b3740ae7a88cfa721e082ce9c312436a602f373864a27357e9af6bf3d7f3e
  SHA512: 7744af2c4e21cc3a30671ea110d1cda461e96a4d92ea1c984e7db0c1bdb76f2e0b15eaccaf352ed7dfd2de44fa2e063a7bea9fee197dec08db080e1eed859cb2