Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 03:55

General

  • Target

    01a908923cbc76874658c47d432424a0.exe

  • Size

    86KB

  • MD5

    01a908923cbc76874658c47d432424a0

  • SHA1

    5397fdeeb8e9365b3d9a6b8f599e658e050de1d7

  • SHA256

    6ba75d8e032bf1a23d50f4426c9f00444bec1b5396f29042a72b652a515b4247

  • SHA512

    77b789fd17f8ea650ecb68a04238b195d1cfea9885f7fce637c83bfada95974326831b610509e18b5886fe48bb5ec0f70b57a835bc565af655a7ab0253614140

  • SSDEEP

    1536:Em65rG4SzbXVzjvf1nRmyr20DmjyleT0FfWU4f23F0Wbub7B4B/:E6HXVzhvI0FfWU4O10kuPKF

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q

Signatures

  • Detect ZGRat V1 (34 IoCs)
  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious behavior: EnumeratesProcesses (62 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (51 IoCs)
  • outlook_office_path (1 IoCs)
  • outlook_win_path (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe
    "C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe
      C:\Users\Admin\AppData\Local\Temp\01a908923cbc76874658c47d432424a0.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1664
      • C:\Users\Admin\AppData\Local\Temp\KORID0R.exe
        "C:\Users\Admin\AppData\Local\Temp\KORID0R.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
          "C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:840
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 840 -s 720
            5⤵
            PID:872
      • C:\Users\Admin\AppData\Local\Temp\build.exe
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2412
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            PID:752
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            5⤵
            PID:1956
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            5⤵
            PID:1064
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            PID:2408
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            PID:2328
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabA47B.tmp

    Filesize 65KB
    MD5 ac05d27423a85adc1622c714f2cb6184
    SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

    Filesize 94KB
    MD5 550628b16ef8c4e27c4081950cf8fd66
    SHA1 ab11427c02cb53b70816b06d5a950b5f52c935eb
    SHA256 09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa
    SHA512 e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01

  • C:\Users\Admin\AppData\Local\Temp\TarA4DC.tmp

    Filesize 171KB
    MD5 9c0c641c06238516f27941aa1166d427
    SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\Browsers\Firefox\Bookmarks.txt

    Filesize 105B
    MD5 2e9d094dda5cdc3ce6519f75943a4ff4
    SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
    SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
    SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\Directories\Videos.txt

    Filesize 23B
    MD5 1fddbf1169b6c75898b86e7e24bc7c1f
    SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
    SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
    SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

  • C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\System\Apps.txt

    Filesize 6KB
    MD5 90e05e64959dcc96ed6dfb89d65334a6
    SHA1 76840a3fb0a3a37a497a2232912753f9a9e5733a
    SHA256 5b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876
    SHA512 f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510

  • C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\System\Debug.txt

    Filesize 1KB
    MD5 beec1701396ac7524912ab02234005f6
    SHA1 b734752ff28dbbaf63aaee72ff2e34fd9153e4d7
    SHA256 f33b1e4564a0faf92e228c4005f12aa220f34eec04193d9991dc9df0ee47e06d
    SHA512 cb88b209adf6daf6232355a2c6550c976ff3e731147009ec4a11efc838cbd6de11ada402e0b22b11e33ff500c8f04b15f664ab25e790a4ffa857beb8c6d8b997

  • C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\Admin@QVMRJQQO_en-US\System\ProductKey.txt

    Filesize 29B
    MD5 cad6c6bee6c11c88f5e2f69f0be6deb7
    SHA1 289d74c3bebe6cca4e1d2e084482ad6d21316c84
    SHA256 dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
    SHA512 e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

  • C:\Users\Admin\AppData\Local\d9a3c6584315193a0f14ece8239e7693\msgid.dat

    Filesize 19B
    MD5 ef62bd9c27ebdd78b92d51329374d697
    SHA1 89f915eb9057e7099a541d8b1e5dacc5779b94b5
    SHA256 a7c73df21361821920b3b18665ab54b984320dcc512a5b71bb09415d270ca32e
    SHA512 7060b4cfaeddd9729b08d1175f733501b567bc319ef589353a00ceed7c621540e3fcc0d6273f4637933893ea3a3fa31392f1c079d805929bc246d1635d11b1a6

  • \Users\Admin\AppData\Local\Temp\KORID0R.exe

    Filesize 1.4MB
    MD5 222b8cba0f63d84500e3743f6532dfc4
    SHA1 7fd3d70518259831c933236e9516b8aba7910821
    SHA256 93796d923cb11c16352528f9c1e80df197df567d1d03819d7d21899fd64e424f
    SHA512 4c728ea58bc42f29f585f2b1e4704418aa27f6464176967f4d7a3d46a10e24508d12cdc3035d4dfb32fc26f9714b13b05b4d81c4c7129246076b6f4e786a7162

  • \Users\Admin\AppData\Local\Temp\build.exe

    Filesize 1.6MB
    MD5 23c3a4f4136d15ceaca2a2a6af88ab59
    SHA1 0f67a288d3d943282f0f28274dd6c8c29c40ea24
    SHA256 7bde84ef1142b6460f2818f5a3137c1cdc508148c875caf7a91ac69ae026f942
    SHA512 5741470ef32f6fca036220d0b57b9ec8ec4997dba23eb35a3cfa60631c30419c306925c22ed7247df26ef3d044130514c81470fce62d605e7f78184acd032fc9
