Overview

overview

10

Static

static

10

1160b9510c...b9.exe

windows7-x64

10

1160b9510c...b9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 06:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1160b9510cfb408faee17ec57fb728b9.exe

  • Size

    1.5MB

  • MD5

    1160b9510cfb408faee17ec57fb728b9

  • SHA1

    283cc745e5532ba5a53f78b6a4a564a4f655cdbb

  • SHA256

    3041de101c4097ef99160b98653a51d3a92b487da293e08f019fb85cb54edd35

  • SHA512

    29182201305adcca77616caab939f6fcb77f1d032ac47babcbe389d33585fd39c45033752979edda70454c690651d8eb3f34937c80fdb063bc69f4d65b2ebd61

  • SSDEEP

    24576:hmgk70TrcnXpatsCu7IfLKZnikPhhUF54clNf7+6uHAW92zt/sWu2BSMCqDoRRP:hmgkQTA5Qw7CSikJo54clgLH+tkWJ0N7

Score
10/10
echelonzgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 35 IoCs
  • Detects Echelon Stealer payload 2 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1160b9510cfb408faee17ec57fb728b9.exe
    "C:\Users\Admin\AppData\Local\Temp\1160b9510cfb408faee17ec57fb728b9.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
    • C:\ProgramData\Decoder.exe
      "C:\ProgramData\Decoder.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
  • C:\Windows\system32\timeout.exe
    timeout 4
    1⤵
    • Delays execution with timeout.exe
    PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Decoder.exe
    Filesize

    490KB

    MD5

    c29c0d495ed13e703f433d53bdffdab8

    SHA1

    74ed36e6b6027b61abcfe2956670ffd9de7fd71a

    SHA256

    20309707aa6fc678963aace7685a37839d439c850b1ba399bdbfbbeddc10ed4b

    SHA512

    fea4c1066ee6df3ebb29a354678a3d0f1398cd216b92b261296fcff580b00e19cefe24d975beebcc41854cceef3df2702d569811358dae4203a924fb52cf5426

    Download Submit
  • C:\Users\Admin\AppData\Local\ScallyMilano\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit
  • C:\Users\Admin\AppData\Local\ScallyMilano\ProcessList.txt
    Filesize

    199B

    MD5

    ebd697759e22c1a18c707f3e815e21f3

    SHA1

    a9e028678c2bc1589250488b24e7b0ea4fac992d

    SHA256

    5dd6bbf9e4f02b5caa933c370e9610688352f4f6702dac1d237076aeb1b7d445

    SHA512

    fed3b00951dc59f922c0420f74aa37fca5f906d3ba0b8e04672feefcab0f4e9c0e1b10427e7a20697423d335739032d51134ed75d31f1e1b5d1369814119401d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\.cmd
    Filesize

    28B

    MD5

    217407484aac2673214337def8886072

    SHA1

    0f8c4c94064ce1f7538c43987feb5bb2d7fec0c6

    SHA256

    467c28ed423f513128575b1c8c6674ee5671096ff1b14bc4c32deebd89fc1797

    SHA512

    8466383a1cb71ea8b049548fd5a41aaf01c0423743b886cd3cb5007f66bff87d8d5cfa67344451f4490c8f26e4ebf9e306075d5cfc655dc62f0813a456cf1330

    Download Submit
  • memory/2536-0-0x0000000000CC0000-0x0000000000E44000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2536-1-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2536-2-0x000000001B200000-0x000000001B280000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2536-3-0x0000000000AF0000-0x0000000000B66000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2536-15-0x000007FEF59B0000-0x000007FEF639C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2752-20-0x00000000049B0000-0x00000000049F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2752-21-0x00000000049F0000-0x0000000004A8A000-memory.dmp
    Filesize

    616KB

    Download
  • memory/2752-19-0x00000000049B0000-0x00000000049F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2752-27-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-41-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-59-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-63-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-61-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-75-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-85-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-83-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-81-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-79-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-77-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-73-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-71-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-69-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-67-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-65-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-57-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-55-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-53-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-51-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-49-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-47-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-45-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-43-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-39-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-37-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-35-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-33-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-470-0x00000000049B0000-0x00000000049F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2752-31-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-29-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-25-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-23-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-22-0x00000000049F0000-0x0000000004A84000-memory.dmp
    Filesize

    592KB

    Download
  • memory/2752-18-0x00000000049B0000-0x00000000049F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2752-17-0x00000000744D0000-0x0000000074BBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2752-16-0x0000000004A90000-0x0000000004B2C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2752-493-0x00000000744D0000-0x0000000074BBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2752-504-0x00000000049B0000-0x00000000049F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2752-507-0x00000000049B0000-0x00000000049F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2752-508-0x00000000049B0000-0x00000000049F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2752-537-0x00000000049B0000-0x00000000049F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2752-541-0x00000000052E0000-0x0000000005356000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2752-555-0x00000000744D0000-0x0000000074BBE000-memory.dmp
    Filesize

    6.9MB

    Download