Overview

overview

10

Static

static

10

64b5879480...6a.exe

windows7-x64

10

64b5879480...6a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe

  • Size

    924KB

  • MD5

    de64bb0f39113e48a8499d3401461cf8

  • SHA1

    8d78c2d4701e4596e87e3f09adde214a2a2033e8

  • SHA256

    64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a

  • SHA512

    35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

  • SSDEEP

    24576:NAHFp2K15zXnjfQb6+jFb5RIAJTOcA4gnPdCPPd7wm:WHf15zM5JbtA4wPdCnd75

Score
10/10
purelogstealerdiscoverypersistencestealer

Malware Config

Signatures

  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

    stealerpurelogstealer
  • PureLog Stealer payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3444
      • C:\Users\Admin\AppData\Local\Temp\64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe
        "C:\Users\Admin\AppData\Local\Temp\64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3140
      • C:\Users\Admin\AppData\Local\Temp\64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe
        "C:\Users\Admin\AppData\Local\Temp\64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4532
      • C:\ProgramData\cxvvx\xsow.exe
        "C:\ProgramData\cxvvx\xsow.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2760
      • C:\ProgramData\cxvvx\xsow.exe
        "C:\ProgramData\cxvvx\xsow.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4840
    • C:\ProgramData\cxvvx\xsow.exe
      C:\ProgramData\cxvvx\xsow.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088
    • C:\ProgramData\cxvvx\xsow.exe
      C:\ProgramData\cxvvx\xsow.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2120

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\cxvvx\xsow.exe
      Filesize

      924KB

      MD5

      de64bb0f39113e48a8499d3401461cf8

      SHA1

      8d78c2d4701e4596e87e3f09adde214a2a2033e8

      SHA256

      64b58794801f282e92571676e3571afc5c59033c262406bf0d36e1d6ef3cda6a

      SHA512

      35b7cdcfb866dcdc79be34066a9ad5a8058b80e68925aeb23708606149841022de17e9d205389c13803c01e356174a2f657773df7d53f889e4e1fc1d68074179

      Download Submit

    • C:\Windows\Tasks\Test Task17.job
      Filesize

      232B

      MD5

      c0b05e832f215c0244a4f631755e1190

      SHA1

      00b57220a3e6ece88303fc1c223ed4fff3526f79

      SHA256

      ff582f0d565c5fbff87657e1b1c71c8a2fdc6b37be66bbeed2af559908639b45

      SHA512

      b0da395eb3c69ba312d6d8b270c997835fa775a8e70a0e32816533c1c2a2b7b4a20ab09f837d971ccf747b91089ac6447a0a2238c98fa03c707f23997704b2f5

      Download Submit

    • memory/2088-1101-0x000000007496E000-0x000000007496F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-1102-0x0000000074960000-0x0000000075110000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2088-2175-0x0000000074960000-0x0000000075110000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2088-2190-0x0000000074960000-0x0000000075110000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2088-2182-0x0000000074960000-0x0000000075110000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2088-2181-0x000000007496E000-0x000000007496F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-2180-0x0000000074960000-0x0000000075110000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2088-2179-0x0000000074960000-0x0000000075110000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2760-2189-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3140-14-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-42-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-64-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-62-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-60-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-58-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-56-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-54-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-48-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-46-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-40-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-34-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-32-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-30-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-26-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-22-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-20-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-18-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-16-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-68-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-12-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-10-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-5-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-50-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-44-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-66-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-38-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-36-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-29-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-24-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-8-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-1077-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3140-1078-0x0000000005250000-0x00000000052A8000-memory.dmp

      Filesize

      352KB

      Download

    • memory/3140-1079-0x00000000052B0000-0x00000000052FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3140-1083-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3140-1084-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3140-1085-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3140-1086-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3140-52-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-6-0x00000000050F0000-0x00000000051C8000-memory.dmp

      Filesize

      864KB

      Download

    • memory/3140-4-0x00000000050F0000-0x00000000051CE000-memory.dmp

      Filesize

      888KB

      Download

    • memory/3140-3-0x0000000004FA0000-0x000000000507C000-memory.dmp

      Filesize

      880KB

      Download

    • memory/3140-2-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3140-1-0x0000000000540000-0x000000000062E000-memory.dmp

      Filesize

      952KB

      Download

    • memory/3140-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3140-1087-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3140-1088-0x0000000005C50000-0x00000000061F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3140-1089-0x0000000005390000-0x00000000053E4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/3140-1095-0x0000000074FF0000-0x00000000757A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4532-1096-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download