Analysis
-
max time kernel
24s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21-08-2024 10:12
Behavioral task
behavioral1
Sample
45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
Resource
win10v2004-20240802-en
General
-
Target
45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
-
Size
2.0MB
-
MD5
d4f9d1afe2b5bf3633642526c01625d2
-
SHA1
f553184ae1cf84c9d12ae7ea8262e1cec6442577
-
SHA256
45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3
-
SHA512
dcb89b0095fd7ab16ecfd3e4d43d1d6358e612fda3fbdc1cc1dd8d49c69fe60759c20b5f28ec758a6a577626b796f4e2ee66aa7e1f01cfc008c0af6cf52b5c82
-
SSDEEP
49152:Be7O00O0FTsQTv1YcXKpRaV6NL4ZlEhLHSjqKoe:U7j0OWVTdYcfV6NL4ZlEpyjqKoe
Malware Config
Signatures
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 1 IoCs
resource yara_rule behavioral1/memory/1400-1-0x00000000003F0000-0x00000000005F2000-memory.dmp family_purelog_stealer -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\Humfa = "C:\\Users\\Admin\\AppData\\Roaming\\Humfa.exe" 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1400 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1400 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe Token: SeDebugPrivilege 1400 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1400 wrote to memory of 4524 1400 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe 29 PID 1400 wrote to memory of 4524 1400 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe 29 PID 1400 wrote to memory of 4524 1400 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe"C:\Users\Admin\AppData\Local\Temp\45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1400 -s 6242⤵PID:4524
-