Analysis
-
max time kernel
149s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
24-12-2023 20:35
General
-
Target
113f59d0bd4384226e40c17bf899935d.exe
-
Size
955KB
-
MD5
113f59d0bd4384226e40c17bf899935d
-
SHA1
4bf159402cefe87d328182fee0e82297b1fff5c5
-
SHA256
b77f7c59b071608e552cf6ccae6f9e0e3f6790d83ec7d163713b0eedc6eccf25
-
SHA512
d8e3717916475013e8ec8cc5a5fef303c4467fe66b944f1031ee73ad964a6a699d3c872a305173ac7565e5000ade605e8cef1cbe3ca9438ac1f85993a69a3b78
-
SSDEEP
12288:gFrXv++Cjkemhes5D9Bq1U50kb9zU9uRyM3/CsUABjFG3CiEN4/PosRbOt/kUQQj:gFrpCDsz2SCyiJA+O9ENGZOMb
Malware Config
Signatures
-
A310logger
A310 Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Detect ZGRat V1 1 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 7 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
A310logger Executable 8 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"C:\Users\Admin\AppData\Local\Temp\113f59d0bd4384226e40c17bf899935d.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"1⤵
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD563c363fd0c4e207d06b22aea2786d585
SHA191902fcddbee90a15acefde10b1feaec076520bf
SHA256d0e92c48567fc9f6d3a707ed4f59f538d90a987c1b0d7deee179049271766b23
SHA512d671aed9f2cb68ea917f8c5b0f9344fd8c7192be742efcaec3c6c82ec5a738d912f85e760f25abf6b182d4b1f074cb62c182f38c08ca649074123326eea63be6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5458b85ac42a9e8cc8cff6a6587f995bb
SHA1f2377eda42228106dbe264caaa73f54c5a7fa26a
SHA2564d432a5bfc5d97c6c598456f6d976674ea6a8383b61864369bfafc41ab32e128
SHA512c64cb8b9fafd779da8ae5060c632e42b15df2db4723ab7c6844752d32001ae343ae7428313e662826f45742287e67bc1fb841942f69c7db1b9eb64e2234e7c40
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357Filesize
242B
MD5ceb75ea5170f8d14eaa694fb4372f9ad
SHA1da24db9b37db4414ee108116b8683fa2fb31f995
SHA256daa37aa8e03a06fcf87bf3d21822a7c96d542fc99b3acd30244bb6b19ced2d3a
SHA5121a614805d8785fdbef8a1ee0f1525fd44ab32fb07ef95321c530536ecfba3e78f5a0a55a7e0eebcde9f5cee03a47e9a22cd20ef03a1f9dcc4db2349a986fd623
-
C:\Users\Admin\AppData\Local\Temp\Tar35F4.tmpFilesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\MZ.exeFilesize
20KB
MD51bad0cbd09b05a21157d8255dc801778
SHA1ff284bba12f011b72e20d4c9537d6c455cdbf228
SHA256218073bda7a00e780704c1289d5e22ad27bb3ba11f210afa18af33a6ad5176e9
SHA5124fea56812eba1f1bba17f20d06b509e2a3b4e138562e53c230d0736d596abed4a6a3e43e26936fcd6d107924c8bba41885f34901afa4fd0d37d7e4a93c9b8533
-
memory/644-134-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmpFilesize
9.6MB
-
memory/644-135-0x000007FEF5D10000-0x000007FEF66AD000-memory.dmpFilesize
9.6MB
-
memory/1084-185-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmpFilesize
9.6MB
-
memory/1084-184-0x0000000000B30000-0x0000000000BB0000-memory.dmpFilesize
512KB
-
memory/1084-183-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmpFilesize
9.6MB
-
memory/1084-186-0x000007FEF5370000-0x000007FEF5D0D000-memory.dmpFilesize
9.6MB
-
memory/1612-189-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1644-154-0x0000000073910000-0x0000000073EBB000-memory.dmpFilesize
5.7MB
-
memory/1644-153-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1644-151-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/1644-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1644-155-0x00000000001F0000-0x0000000000230000-memory.dmpFilesize
256KB
-
memory/1644-156-0x0000000073910000-0x0000000073EBB000-memory.dmpFilesize
5.7MB
-
memory/1644-187-0x0000000073910000-0x0000000073EBB000-memory.dmpFilesize
5.7MB
-
memory/2376-137-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2376-21-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2376-9-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2376-7-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2376-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2376-15-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2376-17-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2376-5-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/2840-39-0x00000000743A0000-0x000000007494B000-memory.dmpFilesize
5.7MB
-
memory/2840-37-0x00000000743A0000-0x000000007494B000-memory.dmpFilesize
5.7MB
-
memory/2840-22-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2840-24-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2840-36-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2840-26-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2840-28-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2840-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2840-32-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/2840-136-0x00000000743A0000-0x000000007494B000-memory.dmpFilesize
5.7MB
-
memory/2840-38-0x0000000000640000-0x0000000000680000-memory.dmpFilesize
256KB
-
memory/2840-34-0x0000000000400000-0x0000000000418000-memory.dmpFilesize
96KB
-
memory/3040-18-0x0000000074AD0000-0x00000000751BE000-memory.dmpFilesize
6.9MB
-
memory/3040-1-0x0000000074AD0000-0x00000000751BE000-memory.dmpFilesize
6.9MB
-
memory/3040-4-0x0000000000520000-0x0000000000536000-memory.dmpFilesize
88KB
-
memory/3040-3-0x0000000000A30000-0x0000000000AA8000-memory.dmpFilesize
480KB
-
memory/3040-2-0x0000000005070000-0x00000000050B0000-memory.dmpFilesize
256KB
-
memory/3040-0-0x0000000001070000-0x0000000001164000-memory.dmpFilesize
976KB