Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
13-03-2024 14:02
Behavioral task
behavioral1
Sample
ATM Dekont E-Maili pdf.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ATM Dekont E-Maili pdf.exe
Resource
win10v2004-20240226-en
General
-
Target
ATM Dekont E-Maili pdf.exe
-
Size
320KB
-
MD5
857f57632320c296ed42603d5dc50753
-
SHA1
5383f9059896b7f871d7c974ed887aced42789f7
-
SHA256
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719
-
SHA512
269b4f8961667c44edef79527cb70b5b53e5dd062fc4a4e28ab79ba4049415c29499b0cb1f9f0967a03dda197a3ff3784316e73171e479449daa461230da4930
-
SSDEEP
6144:6PBJmR7777rL0DWuRbao46Li4/bPrCt9UHNxizH+zyfw4spWJy:6PmjuRbn4qjTPOtQNxDzyo4spl
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
Processes:
resource yara_rule behavioral2/memory/3440-4-0x00000162EBE00000-0x00000162EBFF4000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-5-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-6-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-8-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-10-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-12-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-14-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-16-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-18-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-20-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-24-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-22-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-26-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-28-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-30-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-32-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-34-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-36-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-38-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-40-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-44-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-42-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-46-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-48-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-52-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-50-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-54-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-56-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-58-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-60-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-62-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-64-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-66-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 behavioral2/memory/3440-68-0x00000162EBE00000-0x00000162EBFED000-memory.dmp family_zgrat_v1 -
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3440-0-0x00000162D1770000-0x00000162D17C4000-memory.dmp family_purelog_stealer -
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4556-4789-0x0000000140000000-0x0000000140024000-memory.dmp family_snakekeylogger -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ATM Dekont E-Maili pdf.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssssssssssss = "C:\\Users\\Admin\\AppData\\Roaming\\ssssssssssss.exe" ATM Dekont E-Maili pdf.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 72 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ATM Dekont E-Maili pdf.exedescription pid process target process PID 3440 set thread context of 4556 3440 ATM Dekont E-Maili pdf.exe MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
MSBuild.exepid process 4556 MSBuild.exe 4556 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ATM Dekont E-Maili pdf.exeMSBuild.exedescription pid process Token: SeDebugPrivilege 3440 ATM Dekont E-Maili pdf.exe Token: SeDebugPrivilege 4556 MSBuild.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
ATM Dekont E-Maili pdf.exedescription pid process target process PID 3440 wrote to memory of 4556 3440 ATM Dekont E-Maili pdf.exe MSBuild.exe PID 3440 wrote to memory of 4556 3440 ATM Dekont E-Maili pdf.exe MSBuild.exe PID 3440 wrote to memory of 4556 3440 ATM Dekont E-Maili pdf.exe MSBuild.exe PID 3440 wrote to memory of 4556 3440 ATM Dekont E-Maili pdf.exe MSBuild.exe PID 3440 wrote to memory of 4556 3440 ATM Dekont E-Maili pdf.exe MSBuild.exe PID 3440 wrote to memory of 4556 3440 ATM Dekont E-Maili pdf.exe MSBuild.exe -
outlook_office_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
outlook_win_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ATM Dekont E-Maili pdf.exe"C:\Users\Admin\AppData\Local\Temp\ATM Dekont E-Maili pdf.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4556