Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2025, 00:50

General

  • Target

    PureLogStealer-0xb.exe

  • Size

    193KB

  • MD5

    98609581725d9cf7f5200dbb02266cd6

  • SHA1

    5f8a127fb69172947c6212b3a466279794b702a4

  • SHA256

    01b57b7ab116a353b5d7d778b62c1a99f7f9f10e6af3a524aa13b9e3a588d751

  • SHA512

    1cfa89386dd206ba5be5a981f4942deb76b71f7dcc5a09f9cf605e87a0128983bce1a8d22300e08e0751321a47c6252575d93fa9d81e847944b2c9fc5aaa2d0d

  • SSDEEP

    6144:pS4OgfnRtcCUsnzUCpM69/KImQi/6ebl:srg/jcy

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 13 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Views/modifies file attributes 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
    "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2948
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4924
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:1836
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:3996
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:4020
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:2700
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2124
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:2244
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:5412
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:2248
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:5036
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:868
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:5952
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:3472
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill.exe /im Explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4832
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      2⤵
      PID:4348
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" -startup
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:888
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe -startup
      2⤵
      PID:4168
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" --init
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:6088
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe --init
      2⤵
      PID:1176
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" /setup
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe /setup
      2⤵
      PID:5184
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" --wininit
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe --wininit
      2⤵
      PID:4404
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c AWindowsService.exe
    1⤵
    PID:4852
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskhost.exe
    1⤵
    PID:4864
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c windowsx-c.exe
    1⤵
    PID:4876
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c System.exe
    1⤵
    PID:5032
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c _default64.exe
    1⤵
    PID:4808
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c native.exe
    1⤵
    PID:4968
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ux-cryptor.exe
    1⤵
    PID:5596
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c crypt0rsx.exe
    1⤵
    PID:4688
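Detection logic for the cmd.exe / attrib.exe / taskkill.exe chain in the process tree above, as an added example that is not part of the sandbox report. The ProcEvent records are constructed from the tree (the same PIDs, images and command lines), with an invented benign attrib call (PIDs 7000/7001) as a control; the record field names, the technique labels and the two-technique alert threshold are my own assumptions. The rule keys on structure (hidden+system applied with /D, an echo redirect into a .txt followed by attrib on that file in one chain, taskkill /f on explorer.exe) and correlates hits up to their root process, rather than matching the note text, which changes between builds.

```python
"""Detect the attrib / ransom-note / explorer-kill chain and correlate it to a root process.
Events are constructed from the tree above (not sandbox output); PIDs 7000/7001 are a benign control."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / EDR style); field names are assumed."""
    pid: int
    ppid: int
    image: str
    cmdline: str


CMD = r"C:\Windows\system32\cmd.exe"
ATTRIB = r"C:\Windows\system32\attrib.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe"
NOTE = ("echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! "
        "Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt")

# Constructed from the process tree above; 7000/7001 are an invented benign control.
EVENTS: List[ProcEvent] = [
    ProcEvent(2948, 1000, DROPPER, f'"{DROPPER}"'),
    ProcEvent(4924, 2948, CMD, "cmd.exe /c F: & attrib +h +s +r +i /D & " + NOTE),
    ProcEvent(1836, 4924, ATTRIB, "attrib +h +s +r +i /D"),
    ProcEvent(3996, 4924, ATTRIB, "attrib -h +s +r info-Locker.txt"),
    ProcEvent(4928, 2948, CMD, r'cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & ' + NOTE),
    ProcEvent(4020, 4928, ATTRIB, "attrib +h +s +r +i /D"),
    ProcEvent(2700, 4928, ATTRIB, "attrib -h +s +r info-Locker.txt"),
    ProcEvent(4832, 2948, r"C:\Windows\SYSTEM32\taskkill.exe", "taskkill.exe /im Explorer.exe /f"),
    ProcEvent(7000, 1000, CMD, r'cmd.exe /c attrib -r "C:\build\out.txt"'),
    ProcEvent(7001, 7000, ATTRIB, r'attrib -r "C:\build\out.txt"'),
]

# "echo ... >something.txt & attrib ..." : a note written and re-attributed in one chain.
NOTE_REDIRECT = re.compile(r"echo\s.+?\d?>\s*\S+\.txt\s*&\s*attrib\s", re.IGNORECASE)
# Directory the chain operated in: either cd "<dir>" or a bare drive letter before the first &.
TARGET = re.compile(r'/c\s+(?:cd\s+"([^"]+)"|([A-Za-z]:))\s*&', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _attrib_flags(cmdline: str) -> Set[str]:
    """The +X / -X switches in an attrib command line, e.g. {'+h', '+s', '+r', '+i'}."""
    return {m.lower() for m in re.findall(r"(?<!\S)([+-][A-Za-z])(?!\S)", cmdline)}


def classify(ev: ProcEvent) -> Set[str]:
    """Techniques exhibited by a single event (empty set for benign activity)."""
    name = _basename(ev.image)
    cl = ev.cmdline.lower()
    hits: Set[str] = set()
    if name == "attrib.exe":
        # hidden+system applied to a directory tree (/D) is the Hide Artifacts signature;
        # a lone -r on a build artefact is routine and must not fire.
        if {"+h", "+s"} <= _attrib_flags(ev.cmdline) and "/d" in cl.split():
            hits.add("attrib_hide_dir")
    elif name == "cmd.exe":
        if NOTE_REDIRECT.search(ev.cmdline):
            hits.add("ransom_note_drop")
    elif name == "taskkill.exe":
        toks = cl.split()
        if "/f" in toks and "/im" in toks and "explorer.exe" in toks:
            hits.add("explorer_kill")
    return hits


def _root(pid: int, parents: Dict[int, int]) -> int:
    """Climb parent links until the parent is not itself a known process."""
    seen: Set[int] = set()
    while pid not in seen and parents.get(pid) in parents:
        seen.add(pid)
        pid = parents[pid]
    return pid


def detect(events: List[ProcEvent], min_techniques: int = 2) -> Dict[int, Set[str]]:
    """Group per-event hits under their root process; report roots combining
    at least min_techniques distinct techniques."""
    parents = {ev.pid: ev.ppid for ev in events}
    by_root: Dict[int, Set[str]] = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            by_root.setdefault(_root(ev.pid, parents), set()).update(hits)
    return {root: techs for root, techs in by_root.items() if len(techs) >= min_techniques}


def hidden_targets(events: List[ProcEvent]) -> List[str]:
    """Directories the note-dropping chains ran in, as the literal (unexpanded) cmd arguments."""
    out: List[str] = []
    for ev in events:
        if "ransom_note_drop" in classify(ev):
            m = TARGET.search(ev.cmdline)
            if m:
                out.append(m.group(1) or m.group(2))
    return out


if __name__ == "__main__":
    for root, techs in detect(EVENTS).items():
        print(f"root PID {root}: {sorted(techs)}; targets: {hidden_targets(EVENTS)}")
```

The hidden_targets output is what an incident responder needs to scope recovery: each listed directory had +h +s +r +i applied to its tree and must have those attributes cleared, and the note's own attributes (-h +s +r) are the reason it stays visible while everything around it disappears.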

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PureLogStealer-0xb.exe.log
    Filesize
    1KB
    MD5
    2d2a235f1b0f4b608c5910673735494b
    SHA1
    23a63f6529bfdf917886ab8347092238db0423a0
    SHA256
    c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884
    SHA512
    10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086
  • C:\Users\Public\Desktop\info-Locker.txt
    Filesize
    101B
    MD5
    13c5a9e07545a04295bc9fb28cf3168b
    SHA1
    b0085192a9007f9235c1d99beea41dbe599e32d1
    SHA256
    e9527645426a1ce8f4befb9690747ccda0431b09ac2b003d0704b1d7e4c1b304
    SHA512
    2801993ca230f3cf4e8da9500f39a4604b19c5e78c96cf7ccf8da49e51d94278430b4701f0fdf8206df484b1ee9326d424035923fe7486b20a68e2f07c9f052e
  • memory/2948-0-0x00007FFC3A653000-0x00007FFC3A655000-memory.dmp
    Filesize
    8KB
  • memory/2948-1-0x0000000000830000-0x0000000000866000-memory.dmp
    Filesize
    216KB
  • memory/2948-2-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp
    Filesize
    10.8MB
  • memory/2948-24-0x00007FFC3A653000-0x00007FFC3A655000-memory.dmp
    Filesize
    8KB
  • memory/2948-25-0x00007FFC3A650000-0x00007FFC3B111000-memory.dmp
    Filesize
    10.8MB