Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-01-2024 03:58

General

  • Target

    ac15ae1e49f4272e8d38b5fd5573ce35.exe

  • Size

    81KB

  • MD5

    ac15ae1e49f4272e8d38b5fd5573ce35

  • SHA1

    93a70b449926995d458b9513b8b36e988f73dc8a

  • SHA256

    c886e938dd26ca17bd29feea36d4c487483bb05d86b3c382e045b88925b27149

  • SHA512

    23d7977aeac5a2f1856861519b34dbbd4aa52ed003d4001b73435024266d258d765613a3be8a1e2ae67548f9eb69f662925d663f8321f1610f200af6258025f8

  • SSDEEP

    1536:D7Vs/tSdQLcSjAA0C0rEr2ofgNTX0g/+PmN/10BmglZqiqazVkP5tJCFPzRUR2lX:D5MmQLcxAarEDINTD/+Pmn0BmgnpzmcP

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1197850806213431377/-zU9uA2NeaYEk4-ozdhgmNljI6NS_w_qcT_cbtxYxZdkUD3JeaKChZp4GXdod-MX3D1Q

Signatures

  • Detect ZGRat V1 34 IoCs
  • Stealerium

    An open-source info stealer written in C#, first seen in May 2022.

  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar material.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
    "C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
      C:\Users\Admin\AppData\Local\Temp\ac15ae1e49f4272e8d38b5fd5573ce35.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Local\Temp\build.exe
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:896
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:436
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            5⤵
            PID:1668
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            5⤵
            PID:2732
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            PID:764
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2296
      • C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]
        "C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Users\Admin\AppData\Local\Temp\CamSnap.exe
          "C:\Users\Admin\AppData\Local\Temp\CamSnap.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2796
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2796 -s 712
    1⤵
    PID:1928
  • C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    1⤵
    PID:3016
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2744
  • C:\Windows\SysWOW64\chcp.com
    chcp 65001
    1⤵
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                Filesize

                344B

                MD5

                6ee8691f69adf3daed94e102a45e79dc

                SHA1

                8c82055615fe3fb35e985d8c81b3fc2ee9253342

                SHA256

                d2cb498f1f8e7f89d5e6448e4182bf97ba2458aa9a4bde76fa46e623ef7772ed

                SHA512

                20920364291fa3914ac95a7ad9573ab0ebe5b68453d5f0c8ce576ea00dffccb8e5647742515730dce5e02d8e7586c4fb3ce94611201761d055ca7c162ec546e9

              • C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\Browsers\Firefox\Bookmarks.txt

                Filesize

                105B

                MD5

                2e9d094dda5cdc3ce6519f75943a4ff4

                SHA1

                5d989b4ac8b699781681fe75ed9ef98191a5096c

                SHA256

                c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

                SHA512

                d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

              • C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\Directories\Videos.txt

                Filesize

                23B

                MD5

                1fddbf1169b6c75898b86e7e24bc7c1f

                SHA1

                d2091060cb5191ff70eb99c0088c182e80c20f8c

                SHA256

                a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

                SHA512

                20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

              • C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\Apps.txt

                Filesize

                1KB

                MD5

                93df10792e8a5a5afdba1e3cdf7238ae

                SHA1

                f191d257e69bf44686383ae25a079062c622cd4f

                SHA256

                3563af086891aa59852c419854e818366dbc0e2c5cdedb3b1d0db1e90a6442e3

                SHA512

                377d57cac7414c3cc8239599a9890eaba46bfed1bf8028afe42f5043243c43ee4dc123bc669255a04df5ae249fce906baf0e4043469865e6cf8f3a46814e3a9d

              • C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\Debug.txt

                Filesize

                1KB

                MD5

                a2efde5513517a0ff1b435cadd9ad5b8

                SHA1

                b91abb63ad8bc8ee7d71d93d73f1ee64d775a409

                SHA256

                3945e21d9a7fa10ba68d16f7c032bac739437462a45538fb7d376500e04e0418

                SHA512

                551b7c85d7ff9fbcbf1e5fba2c098f6446f9d834f903580f52254bfb1694277d77bb310e30ef5fa5e12334b2696585686b14a949644dddeddc6cee3707377d6f

              • C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\Admin@VTILVGXH_en-US\System\ProductKey.txt

                Filesize

                29B

                MD5

                cad6c6bee6c11c88f5e2f69f0be6deb7

                SHA1

                289d74c3bebe6cca4e1d2e084482ad6d21316c84

                SHA256

                dc288491fadc4a85e71085890e3d6a7746e99a317cd5ef09a30272dfb10398c0

                SHA512

                e02cf6bff8b4ebd7a1346ecb1667be36c3ef7415fff77c3b9cfb370f3d0dc861f74d3e0e49065699850ba6cc025cd68d14ceb73f3b512c2a9b28873a69aff097

              • C:\Users\Admin\AppData\Local\65d18dcf4e2d411cc2fd0a8d707b34a8\msgid.dat

                Filesize

                19B

                MD5

                a4350f1904865bc46f3d72a225592712

                SHA1

                5677e63c7d182ae35bada0c77c91e7515828da43

                SHA256

                516fd2e78c32dd8269d8816f2d0be0f4e26565eb931a0b6fe08de603ee2a7747

                SHA512

                68eda9663995b10267a47a94aac4ee93bcb1b2358bc819ec5a2fbedced01bffda07a18e6af9192222490339c0f6f76e9fea1dd27a7b8c67673e1aab52c010e5a

              • C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

                Filesize

                35KB

                MD5

                c4a2268064694b49bd6488c02cf529c6

                SHA1

                862e09bc1b0014a2b6dea6b6ab5bdafe28291307

                SHA256

                7c6ccf9ad96d0996df00fdc954aef16c076e362525f28734d5c927afd76d32a9

                SHA512

                2824eb99cff9ccfa89ca84518e5dbba01049cd174062a798f2996f0a4f9ee40bc022a902bff06d471ceff56d01ee7f48bd3d58dc15fb802eefff855766f0a906

              • C:\Users\Admin\AppData\Local\Temp\@dr@[email protected]

                Filesize

                123KB

                MD5

                3987fc707ff5370a67d6480c00b1769f

                SHA1

                3d20c1558d8291ff65d91b201b259ee0a3dcbe5d

                SHA256

                25101656f4e7f74c0f9a32fb8f7c6cd9f23523e40dc9166b86f4a8f2b8236644

                SHA512

                72a52ac37d454053bbd4bf7d989482601524a0544a961bc88569ad62dbf1de9b24cd54fb59b1cf3d3d8f5cca9d1a0c7944399b0a80b6433872a08e8b25d20624

              • C:\Users\Admin\AppData\Local\Temp\CabA01.tmp

                Filesize

                65KB

                MD5

                ac05d27423a85adc1622c714f2cb6184

                SHA1

                b0fe2b1abddb97837ea0195be70ab2ff14d43198

                SHA256

                c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                SHA512

                6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

              • C:\Users\Admin\AppData\Local\Temp\CamSnap.exe

                Filesize

                94KB

                MD5

                550628b16ef8c4e27c4081950cf8fd66

                SHA1

                ab11427c02cb53b70816b06d5a950b5f52c935eb

                SHA256

                09d95d73ac6828138201142cc519ac46a0456db2ea71240c3fa51d569b0242aa

                SHA512

                e74009391d29a1c305edf099ed506c0d573e6b3bc1ea7230545af2d0fbefb02122a99b9810cdf3686634fe61cc560cc61a1939da1913167941b755dceda5ed01

              • C:\Users\Admin\AppData\Local\Temp\TarA33.tmp

                Filesize

                36KB

                MD5

                b4fcb5edddc0f75933bddac35e0db0ab

                SHA1

                22e1f640798959f312dee7fe7c36e8b4021d256a

                SHA256

                0bb006acb80281859bc82b95907a741307d2b6573ad9b436e39ab822ab640bce

                SHA512

                6fef2b7e85651d49242b6e4dbc57743f3ef5741b05133e3a0d8085527143ae5d073fa239cb542204c12b476dce22ee12098dde391f372e416fac843177857189

              • C:\Users\Admin\AppData\Local\Temp\build.exe

                Filesize

                57KB

                MD5

                25b2e18f1b3139316ae257ae9e14db25

                SHA1

                395f087ebe9eebae191020a2a94de10361f4d980

                SHA256

                d4c9179981b81f25f4a9ce969f08d21949e9b384e3ef83425b76d240e1c6d168

                SHA512

                a0f60becc10e375d670c3ea1151113deea7430b39a72805b7df0ab2af6194d4786c1af858151dc814af481d3963038ad6a412218479105d943393dbafcb90b74

              • C:\Users\Admin\AppData\Local\Temp\build.exe

                Filesize

                99KB

                MD5

                468acfd8e7a6bd0d7ee5b7c7e9fc2326

                SHA1

                9b1dbcccf56babb3361b91e05ade3cd4fb59e06f

                SHA256

                81d8442e67dabd490b108f55ea9500ef2174e3d765d6e471b205b8fd9fc68762

                SHA512

                c2bdb698a39b9b32d1e8f90ba293623624b279ce76c90351c74fab4ae31072daa1f2f1abe443e55f0ac71862b07171d45728bc6019afb64929d0333d214ea8d6

              • \Users\Admin\AppData\Local\Temp\@dr@[email protected]

                Filesize

                68KB

                MD5

                56444d83014c9ab8d4c1fd75a090573e

                SHA1

                ab88bc95077fcc8ba01c45a5b1255d1e13b247d2

                SHA256

                b3b724b62af1d56eba721cc92a86f0698810f069f8b1dc3637209256bf8164ad

                SHA512

                1c7a956f29627366a876d2c3714f48eecd2bcf7a1f29ec93513089ed392721346603e73162867f6b69167df7f4176161a9366004fff1c5544bba12019436a271

              • \Users\Admin\AppData\Local\Temp\build.exe

                Filesize

                64KB

                MD5

                51b0bca51ca74d831ee1714d72f4f82a

                SHA1

                c45951f29491c64ad3847b9fc23741806c7db66d

                SHA256

                3a1cb2eb8e1f6195a3c17220efef67dd84c746ea5617c103eae6d21f188f9d44

                SHA512

                cfa62537b800a95ce79c04ffd7be8ab3997688527b9e3ffa5f80171d0c91b97ddc463181f8749ea40f3a4b3e0ad1b288b1808f5f46c219b93ae0c49056c66c47
