Analysis
-
max time kernel
136s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-08-2024 04:20
Behavioral task
behavioral1
Sample
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe
Resource
win11-20240802-en
General
-
Target
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe
-
Size
924KB
-
MD5
de64bb0f39113e48a8499d3401461cf8
-
SHA1
8d78c2d4701e4596e87e3f09adde214a2a2033e8
-
SHA256
64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a
-
SHA512
35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179
-
SSDEEP
24576:NAHFp2K15zXnjfQb6+jFb5RIAJTOcA4gnPdCPPd7wm:WHf15zM5JbtA4wPdCnd75
Malware Config
Signatures
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
resource yara_rule behavioral1/memory/2648-1-0x00000000007E0000-0x00000000008CE000-memory.dmp family_purelog_stealer behavioral1/files/0x000700000002347d-1098.dat family_purelog_stealer -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 2648 created 3580 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 56 PID 4172 created 3580 4172 rfsi.exe 56 -
Executes dropped EXE 3 IoCs
pid Process 4172 rfsi.exe 2904 rfsi.exe 5028 rfsi.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\afasdfga = "C:\\Users\\Admin\\AppData\\Roaming\\afasdfga.exe" 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2648 set thread context of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 4172 set thread context of 2904 4172 rfsi.exe 110 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\Test Task17.job 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfsi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rfsi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 4172 rfsi.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe Token: SeDebugPrivilege 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe Token: SeDebugPrivilege 4172 rfsi.exe Token: SeDebugPrivilege 4172 rfsi.exe Token: SeDebugPrivilege 5028 rfsi.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2648 wrote to memory of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 2648 wrote to memory of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 2648 wrote to memory of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 2648 wrote to memory of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 2648 wrote to memory of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 2648 wrote to memory of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 2648 wrote to memory of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 2648 wrote to memory of 2236 2648 64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe 96 PID 4172 wrote to memory of 2904 4172 rfsi.exe 110 PID 4172 wrote to memory of 2904 4172 rfsi.exe 110 PID 4172 wrote to memory of 2904 4172 rfsi.exe 110 PID 4172 wrote to memory of 2904 4172 rfsi.exe 110 PID 4172 wrote to memory of 2904 4172 rfsi.exe 110 PID 4172 wrote to memory of 2904 4172 rfsi.exe 110 PID 4172 wrote to memory of 2904 4172 rfsi.exe 110 PID 4172 wrote to memory of 2904 4172 rfsi.exe 110
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3580
-
C:\Users\Admin\AppData\Local\Temp\64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe"C:\Users\Admin\AppData\Local\Temp\64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
-
-
C:\Users\Admin\AppData\Local\Temp\64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe"C:\Users\Admin\AppData\Local\Temp\64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2236
-
-
C:\ProgramData\dpvron\rfsi.exe"C:\ProgramData\dpvron\rfsi.exe"2⤵
- Executes dropped EXE
PID:2904
-
-
C:\ProgramData\dpvron\rfsi.exeC:\ProgramData\dpvron\rfsi.exe1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
-
C:\ProgramData\dpvron\rfsi.exeC:\ProgramData\dpvron\rfsi.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
924KB
MD5de64bb0f39113e48a8499d3401461cf8
SHA18d78c2d4701e4596e87e3f09adde214a2a2033e8
SHA25664b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a
SHA51235b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179