Analysis
max time kernel: 122s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 30-01-2024 03:55
Static task: static1
Behavioral task: behavioral1
  Sample: 31118351b8b0db68e9c1bc3ad1da8e7c.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 31118351b8b0db68e9c1bc3ad1da8e7c.exe
  Resource: win10v2004-20231222-en
General
Target: 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Size: 2.5MB
MD5: 31118351b8b0db68e9c1bc3ad1da8e7c
SHA1: adb461d4d199ea7367b65b185f47a10401e2ba97
SHA256: 1d72f409f9089ba57b151f5836df00ba70480f1530c67b1a2c81fc9b50b7cbe2
SHA512: a9a3575d49a76da29df558023ea3d79e5fa9216c6ec58dc802b98ec12dfcaea71ae74b863626860f81aebd4ed1f5b7f76f90bdd84dc5a7e1741eb2bf52b73aa1
SSDEEP: 49152:ywoUZ8Cps0BJDmN8wjp+ps8M+1tgVO8jrHWvrYz93513:E0LSNFUps8M+MVvr2zMn
Malware Config
Extracted
stealerium
https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q
Signatures
Detect ZGRat V1 (34 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2468-4-0x0000000006370000-0x000000000657A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-5-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-8-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-6-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-10-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-14-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-12-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-16-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-20-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-24-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-22-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-18-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-26-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-28-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-30-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-32-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-34-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-38-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-36-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-40-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-42-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-44-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-46-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-48-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-52-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-54-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-50-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-56-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-58-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-60-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-62-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-64-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-66-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
behavioral1/memory/2468-68-0x0000000006370000-0x0000000006574000-memory.dmp | family_zgrat_v1
Stealerium
An open source info stealer written in C# first seen in May 2022.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
8 | icanhazip.com
Suspicious use of SetThreadContext (1 IoCs)
Processes:
description | pid | process | target process
PID 2468 set thread context of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
2064 | 1392 | WerFault.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
pid | process
2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Token: SeDebugPrivilege | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Token: SeRestorePrivilege | 2368 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2368 | msiexec.exe
Token: SeSecurityPrivilege | 2368 | msiexec.exe
Suspicious use of WriteProcessMemory (45 IoCs)
Processes:
description | pid | process | target process
PID 2468 wrote to memory of 616 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 616 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 616 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 616 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 2468 wrote to memory of 1392 | 2468 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
PID 1392 wrote to memory of 1968 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | cmd.exe
PID 1392 wrote to memory of 1968 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | cmd.exe
PID 1392 wrote to memory of 1968 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | cmd.exe
PID 1392 wrote to memory of 1968 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | cmd.exe
PID 1968 wrote to memory of 2028 | 1968 | cmd.exe | chcp.com
PID 1968 wrote to memory of 2028 | 1968 | cmd.exe | chcp.com
PID 1968 wrote to memory of 2028 | 1968 | cmd.exe | chcp.com
PID 1968 wrote to memory of 2028 | 1968 | cmd.exe | chcp.com
PID 1968 wrote to memory of 2620 | 1968 | cmd.exe | netsh.exe
PID 1968 wrote to memory of 2620 | 1968 | cmd.exe | netsh.exe
PID 1968 wrote to memory of 2620 | 1968 | cmd.exe | netsh.exe
PID 1968 wrote to memory of 2620 | 1968 | cmd.exe | netsh.exe
PID 1968 wrote to memory of 2732 | 1968 | cmd.exe | findstr.exe
PID 1968 wrote to memory of 2732 | 1968 | cmd.exe | findstr.exe
PID 1968 wrote to memory of 2732 | 1968 | cmd.exe | findstr.exe
PID 1968 wrote to memory of 2732 | 1968 | cmd.exe | findstr.exe
PID 1392 wrote to memory of 2788 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | cmd.exe
PID 1392 wrote to memory of 2788 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | cmd.exe
PID 1392 wrote to memory of 2788 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | cmd.exe
PID 1392 wrote to memory of 2788 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | cmd.exe
PID 2788 wrote to memory of 3000 | 2788 | cmd.exe | chcp.com
PID 2788 wrote to memory of 3000 | 2788 | cmd.exe | chcp.com
PID 2788 wrote to memory of 3000 | 2788 | cmd.exe | chcp.com
PID 2788 wrote to memory of 3000 | 2788 | cmd.exe | chcp.com
PID 2788 wrote to memory of 2640 | 2788 | cmd.exe | netsh.exe
PID 2788 wrote to memory of 2640 | 2788 | cmd.exe | netsh.exe
PID 2788 wrote to memory of 2640 | 2788 | cmd.exe | netsh.exe
PID 2788 wrote to memory of 2640 | 2788 | cmd.exe | netsh.exe
PID 1392 wrote to memory of 2064 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | WerFault.exe
PID 1392 wrote to memory of 2064 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | WerFault.exe
PID 1392 wrote to memory of 2064 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | WerFault.exe
PID 1392 wrote to memory of 2064 | 1392 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe | WerFault.exe
outlook_office_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
outlook_win_path (1 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 31118351b8b0db68e9c1bc3ad1da8e7c.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe (PID 2468)
  Command line: "C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe (PID 616)
    Command line: C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
  - C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe (PID 1392)
    Command line: C:\Users\Admin\AppData\Local\Temp\31118351b8b0db68e9c1bc3ad1da8e7c.exe
    Signatures: Accesses Microsoft Outlook profiles; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
    - C:\Windows\SysWOW64\cmd.exe (PID 1968)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com (PID 2028)
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe (PID 2620)
        Command line: netsh wlan show profile
      - C:\Windows\SysWOW64\findstr.exe (PID 2732)
        Command line: findstr All
    - C:\Windows\SysWOW64\cmd.exe (PID 2788)
      Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\chcp.com (PID 3000)
        Command line: chcp 65001
      - C:\Windows\SysWOW64\netsh.exe (PID 2640)
        Command line: netsh wlan show networks mode=bssid
    - C:\Windows\SysWOW64\WerFault.exe (PID 2064)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 2688
      Signatures: Program crash
- C:\Windows\system32\msiexec.exe (PID 2368)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\Browsers\Firefox\Bookmarks.txt
  Filesize: 105B
  MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
  SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
  SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
  SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
- C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\Directories\Startup.txt
  Filesize: 24B
  MD5: 68c93da4981d591704cea7b71cebfb97
  SHA1: fd0f8d97463cd33892cc828b4ad04e03fc014fa6
  SHA256: 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
  SHA512: 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
- C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\Directories\Videos.txt
  Filesize: 23B
  MD5: 1fddbf1169b6c75898b86e7e24bc7c1f
  SHA1: d2091060cb5191ff70eb99c0088c182e80c20f8c
  SHA256: a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
  SHA512: 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
- (filename not captured)
  Filesize: 3KB
  MD5: b9f3ff2f21802bff33fcb17dae5d17de
  SHA1: e33e900c78f8f87dbdbe7b362eee95014d677511
  SHA256: a1910d820725246f1709cf322390e65117be0a1f8e892675fd270b596ffc4ad9
  SHA512: 800ebcc00b38415a73b03000361914d63ecaac15ac242421a4f46877cfa85672add8aec0a9ee1466e191887718bc40b2e2519490e88a46ed76dee548bd936bdd
- (filename not captured)
  Filesize: 6KB
  MD5: 90e05e64959dcc96ed6dfb89d65334a6
  SHA1: 76840a3fb0a3a37a497a2232912753f9a9e5733a
  SHA256: 5b7c50db5b426b201287418c6032f1b300370beb66534f8cca03cf3fa5d02876
  SHA512: f9b909093eea8743f08ce5428909d5a3a4c087e4faf28c5617784c81e511505de37f1bbc9069fbedb8a0e0e45ec5880f70d1de34908ae45ff35706115e79f510
- (filename not captured)
  Filesize: 1KB
  MD5: 81371eb8887a2b6d3e1f7ce85896f0f0
  SHA1: 0ee463973c122061e4fc3798332a98a095486909
  SHA256: d3d84c807876492074fe9017506614832d16c9d03f0f349284be8f798189974a
  SHA512: dbf8b9ddc859c43ba8357208429cc7a6ead110382bea359dbddd5f4bf80055adf525ede9d34c02d8fcf659bba473c09aa844f0e38c056a31cc5032acf962fabf
- C:\Users\Admin\AppData\Local\9d1f7482b2d2b844fc5b50bef2f65af1\Admin@OZEMQECW_en-US\System\ProductKey.txt
  Filesize: 29B
  MD5: cad6c6bee6c11c88f5e2f69f0be6deb7
  SHA1: 289d74c3bebe6cca4e1d2e084482ad6d21316c84
  SHA256: dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0
  SHA512: e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097
- (filename not captured)
  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
- (filename not captured)
  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06