Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
22-08-2024 01:23
Static task
static1
Behavioral task
behavioral1
Sample
3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe
Resource
win10v2004-20240802-en
General
-
Target
3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe
-
Size
1.8MB
-
MD5
fb3d62b3c36fc0b603ce2accc9890f6d
-
SHA1
c72bcf7e3b3e16d25489e5cca7a7758dd4ac3e40
-
SHA256
3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d
-
SHA512
a599b7ff1cde3a20b952e5534a34a0f0d4ef84d87439c5fb72239a299a44b5c26d22f43866b6a029977c070b962f064b1c0b1dcbfdee3471beb670307c46bf54
-
SSDEEP
49152:91/zoFDkcrRFgUNLOhdYQ8N1gnzqWjBx4XDATJHIQFahwVl/e:9pcBaUpOTYLunz7jb8cTJIh8l/
Malware Config
Extracted
amadey
4.41
fed3aa
http://185.215.113.16
-
install_dir
44111dbc49
-
install_file
axplong.exe
-
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
-
url_paths
/Jo89Ku7d/index.php
Signatures
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
resource yara_rule behavioral1/files/0x000600000001934d-27.dat family_purelog_stealer behavioral1/memory/1512-37-0x0000000001100000-0x00000000011EE000-memory.dmp family_purelog_stealer -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ axplong.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion axplong.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion axplong.exe -
Executes dropped EXE 2 IoCs
pid Process 2460 axplong.exe 1512 Mswgoudnv.exe -
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Wine axplong.exe -
Loads dropped DLL 7 IoCs
pid Process 1952 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe 2460 axplong.exe 2792 WerFault.exe 2792 WerFault.exe 2792 WerFault.exe 2792 WerFault.exe 2792 WerFault.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe" Mswgoudnv.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1952 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe 2460 axplong.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\axplong.job 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2792 1512 WerFault.exe 33 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language axplong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mswgoudnv.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1952 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe 2460 axplong.exe 1512 Mswgoudnv.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1512 Mswgoudnv.exe Token: SeDebugPrivilege 1512 Mswgoudnv.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1952 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1952 wrote to memory of 2460 1952 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe 30 PID 1952 wrote to memory of 2460 1952 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe 30 PID 1952 wrote to memory of 2460 1952 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe 30 PID 1952 wrote to memory of 2460 1952 3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe 30 PID 2460 wrote to memory of 1512 2460 axplong.exe 33 PID 2460 wrote to memory of 1512 2460 axplong.exe 33 PID 2460 wrote to memory of 1512 2460 axplong.exe 33 PID 2460 wrote to memory of 1512 2460 axplong.exe 33 PID 1512 wrote to memory of 2792 1512 Mswgoudnv.exe 34 PID 1512 wrote to memory of 2792 1512 Mswgoudnv.exe 34 PID 1512 wrote to memory of 2792 1512 Mswgoudnv.exe 34 PID 1512 wrote to memory of 2792 1512 Mswgoudnv.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe"C:\Users\Admin\AppData\Local\Temp\3a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"C:\Users\Admin\AppData\Local\Temp\1000177001\Mswgoudnv.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 6244⤵
- Loads dropped DLL
- Program crash
PID:2792
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
924KB
MD5de64bb0f39113e48a8499d3401461cf8
SHA18d78c2d4701e4596e87e3f09adde214a2a2033e8
SHA25664b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a
SHA51235b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179
-
Filesize
1.8MB
MD5fb3d62b3c36fc0b603ce2accc9890f6d
SHA1c72bcf7e3b3e16d25489e5cca7a7758dd4ac3e40
SHA2563a6433a0ac5db18a54c9b40a75981a6bf2c72343c7b82202afe5561ecafcc50d
SHA512a599b7ff1cde3a20b952e5534a34a0f0d4ef84d87439c5fb72239a299a44b5c26d22f43866b6a029977c070b962f064b1c0b1dcbfdee3471beb670307c46bf54