“:\Users\Public\Windows\svchost.exe processCmd C:\Users\Public\Windows\svchost.exe C:\Users\Public\Windows\instructions.pdf 1 eventSubId 701 - TELEMETRY_MODIFIED_PROCESS_CREATE_REMOTETHREAD objectCmd "C:\Program Files\Google\Chrome\Ap…”
T1055.001 Dynamic-link Library Injection (98%)
“…]80[.]1 - 64[.]40[.]154[.]96 The malware performs antivirus enumeration to discover all antivirus products installed on the system. 901 - TELEMETRY_AMSI_EXECUTE processFilePath C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe processCmd powe…”
T1055.001 Dynamic-link Library Injection (98%)
“…utable (svchost.exe in a non-standard location). processFilePath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe processCmd /pnsfrzzsjllmotki7ueydomdrxmtjwys4xytfsm9qysweklu4uchbotiljlmlklmpozo /2dprzdhwm9dm5lduixm9ezmdazndxrszslyvbtd0xgkwihwptyml…”
T1027 Obfuscated Files or Information (94%)
“재직증명서_원본.png" x -p"%i" ".\_\invoice.pdf" "C:\Users\Public\" -y A more detailed explanation of the components used in this stage follows below: - x → extract archive - -p"%i" → use dynamically retrieved password - output → C:\Users\Pu…”
T1055.001 Dynamic-link Library Injection (94%)
“renderer-client-id=9 --time-ticks-at-unix-epoch=-1770049222788996 --launch-time-ticks=353424829690 --metrics-shmem-handle=4156,i,299084443807041640,15390022656206001629,2097152 --field-trial-handle=2068,i,9344726561852850498,17132…”
T1204.002 Malicious File (89%)
“downloads and extracts a payload using a password from a remote source, cleans up evidence, and executes a potentially malicious file. The sequence is designed to deliver malware while minimizing detection. 2 - TELEMETRY_PROCESS_CREATE processCmd: cmd.exe /c start "" ".\…”
T1055.001 Dynamic-link Library Injection (86%)
“…uac” running concurrently) is a redundancy mechanism. If one loader is blocked or killed by an endpoint control, the other independently delivers and executes PureLog Stealer. Both loaders share the same C&C address and registry persistence key. The assembly loaded by Assem…”
T1620 Reflective Code Loading (69%)
“AmsiScanBuffer with a mov eax, E_INVALIDARG + jmp instruction so the function always returns "not malicious". Meanwhile, stage 2 dynamically scans forward from the entry point to find any conditional jump instructions (jz/jnz) and replaces them with unconditional jmps — e…”
T1027 Obfuscated Files or Information (66%)
“…ly identify the final payload or confirm the true malware family behind the activity. Although we were able to successfully reconstruct most of the infection chain, the absence of this file created a critical intelligence gap. At the time of initial response, incident response …”
T1105 Ingress Tool Transfer (63%)
“while malicious actions continue in the background. start "" ".\_\document.pdf" The purpose of this document is to distract the user and create a sense of legitimacy with the performed actions. The malware downloads an encrypted payload from an attacker-controlled infras…”
T1055.001 Dynamic-link Library Injection (55%)
“…voice.pdf" - quickdocshare[.]com - dq[.]bestshoppingday[.]com - logs[.]bestshopingday[.]com (strongly associated with PureLog Stealer) 4 - TELEMETRY_PROCESS_LOAD_IMAGE - processFilePath C:\Users\Public\Windows\svchost.exe - processCmd "C:\…”
T1055.001 Dynamic-link Library Injection (43%)
“during our investigation of this campaign include: - DLL sideloading to initiate execution - encrypted payload delivered as a PDF file - remote password retrieval for decryption - renamed WinRAR utility used for extraction - Python loader decrypting and executing a .NET PureLog …”
T1204.002 Malicious File (37%)
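The extraction step quoted earlier (a WinRAR binary renamed to a .png, run as `x -p"%i" ".\_\invoice.pdf" "C:\Users\Public\" -y`) and the summary above (renamed WinRAR, payload carried as a PDF, password retrieved at runtime) describe a command line that is easy to flag from process-creation telemetry. The following is an added example of that detection logic, written for this page and not code from the report; the event fields are modelled on the processFilePath/processCmd names visible in the quoted telemetry, and the three sample events are constructed, with the first one built to match the quoted command.

```python
"""Flag WinRAR-style extraction from a renamed binary in process-create telemetry (added example)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

ARCHIVER_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe"}          # names the archiver normally runs under
DECOY_EXTS = {".pdf", ".png", ".jpg", ".jpeg", ".docx", ".txt"}   # "document" extensions used to hide an archive


@dataclass
class ProcessEvent:
    image: str     # processFilePath
    cmdline: str   # processCmd


def split_cmdline(cmd: str) -> list[str]:
    """Quote-aware split of a Windows command line; quotes are stripped, backslashes stay literal."""
    tokens, cur, in_quote, started = [], [], False, False
    for ch in cmd:
        if ch == '"':
            in_quote, started = not in_quote, True
        elif ch.isspace() and not in_quote:
            if started:
                tokens.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        tokens.append("".join(cur))
    return tokens


def analyze(event: ProcessEvent) -> list[str]:
    """Return the reasons a password-protected extract command looks like the quoted chain (empty = benign)."""
    toks = split_cmdline(event.cmdline)
    if len(toks) < 3 or toks[1].lower() not in ("x", "e"):      # RAR commands: x (full paths) / e (flat)
        return []
    args = toks[2:]
    switches = [a for a in args if a.startswith("-")]
    positional = [a for a in args if not a.startswith("-")]
    password = next((s[2:] for s in switches if s[:2] == "-p"), None)
    if password is None:                                        # only password-protected extraction is of interest
        return []
    findings: list[str] = []
    image = ntpath.basename(event.image).lower()
    if image not in ARCHIVER_IMAGES:
        findings.append(f"archiver running under a non-archiver name: {image}")
    archive = positional[0] if positional else ""
    if ntpath.splitext(archive)[1].lower() in DECOY_EXTS:
        findings.append(f"archive carries a document/image extension: {archive}")
    if "%" in password:                                         # %i etc.: value resolved at runtime, not on disk
        findings.append("password expanded from a batch/environment variable at runtime")
    dest = positional[1] if len(positional) > 1 else ""
    if dest.lower().startswith("c:\\users\\public"):
        findings.append(f"extraction into a world-writable folder: {dest}")
    return findings


# Constructed sample events (not real telemetry). The first mirrors the quoted command line.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Users\Public\재직증명서_원본.png",
        cmdline=r'"C:\Users\Public\재직증명서_원본.png" x -p"%i" ".\_\invoice.pdf" "C:\Users\Public\" -y',
    ),
    ProcessEvent(  # ordinary restore: real WinRAR, real archive, fixed password, private destination
        image=r"C:\Program Files\WinRAR\WinRAR.exe",
        cmdline=r'"C:\Program Files\WinRAR\WinRAR.exe" x -ibck -pS3cret "D:\backup.rar" "D:\restore\"',
    ),
    ProcessEvent(  # the decoy-document launch from the same chain; not an extraction, so ignored here
        image=r"C:\Windows\System32\cmd.exe",
        cmdline=r'cmd.exe /c start "" ".\_\document.pdf"',
    ),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image, "->", analyze(ev) or "no findings")
```

Each finding is weak on its own (administrators do extract to odd places), but a renamed archiver plus a runtime-expanded password plus a "PDF" archive is the combination the quoted chain relies on, so a rule that fires on two or more of them is a reasonable starting threshold.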
“through a file disguised as a legal copyright violation notice. It’s considered a low-cost, easy-to-use infostealer, making it accessible even to less-skilled threat actors. The attack likely relies on phishing emails that lure victims into downloading a malicious execu…”
T1056.001 Keylogging (35%)
“. Before writing, it deletes any existing value to ensure the path is always current. This guarantees re-execution on every user login. The script captures the entire desktop at full resolution using Windows GDI APIs, extracts the raw 24-bit BGR pixel data, reverses the botto…”
T1105 Ingress Tool Transfer (34%)
“downloads and extracts a payload using a password from a remote source, cleans up evidence, and executes a potentially malicious file. The sequence is designed to deliver malware while minimizing detection. 2 - TELEMETRY_PROCESS_CREATE processCmd: cmd.exe /c start "" ".\…”
T1204.002 Malicious File (31%)
“that leverage legitimate Google Ads infrastructure. Identifying pivot artifacts Using Trend Vision One™ EDR telemetry, we collected artifacts from the compromised endpoint. The execution of a malicious lure (C:\Users\[redacted]\Downloads\Notice of Alleged Violation of…”
Summary
We look into a stealthy multi‑stage attack campaign that delivers PureLog Stealer entirely in memory using encrypted, fileless techniques.