Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-03-2024 14:01

General

  • Target

    ATM Dekont E-Maili pdf.exe

  • Size

    320KB

  • MD5

    857f57632320c296ed42603d5dc50753

  • SHA1

    5383f9059896b7f871d7c974ed887aced42789f7

  • SHA256

    7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719

  • SHA512

    269b4f8961667c44edef79527cb70b5b53e5dd062fc4a4e28ab79ba4049415c29499b0cb1f9f0967a03dda197a3ff3784316e73171e479449daa461230da4930

  • SSDEEP

    6144:6PBJmR7777rL0DWuRbao46Li4/bPrCt9UHNxizH+zyfw4spWJy:6PmjuRbn4qjTPOtQNxDzyo4spl

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

  • PureLog Stealer payload 1 IoCs
  • Snake Keylogger

    Snake Keylogger is a keylogger and infostealer first seen in November 2020.

  • Snake Keylogger payload 2 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ATM Dekont E-Maili pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\ATM Dekont E-Maili pdf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3672
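The tree above shows the dropper (PID 5048) tagged with SetThreadContext and WriteProcessMemory, then a child MSBuild.exe (PID 3672) started from the .NET Framework directory with a command line that is nothing but the image path, and it is that child, not the dropper, that touches the Outlook profile paths and enumerates processes. The following is an added example, not part of this report and not the sandbox's own detection logic: a Python check over constructed Sysmon-style process events (the events, the field names, HOLLOW_TARGETS and the USER_WRITABLE path list are assumptions) that flags an argument-less MSBuild.exe whose parent either showed the injection APIs or runs from a user-writable path. A benign developer build with a project argument is included so the check can be seen not to fire on it.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# APIs the report attributes to the dropper (PID 5048) before MSBuild.exe appears.
INJECTION_APIS = {"SetThreadContext", "WriteProcessMemory"}
# Signed .NET utility used as the injection target in this report; extend as needed.
HOLLOW_TARGETS = {"msbuild.exe"}
# User-writable staging locations treated as suspicious parents (editorial assumption).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are assumptions, not Sysmon's)."""
    pid: int
    ppid: int
    image: str
    command_line: str
    api_calls: set = field(default_factory=set)  # behaviour tags from sandbox/EDR


# Constructed sample telemetry modelled on the report's process tree, plus one
# benign MSBuild launch (a developer build that passes a project file).
SAMPLE_EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(5048, 4000,
              r"C:\Users\Admin\AppData\Local\Temp\ATM Dekont E-Maili pdf.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\ATM Dekont E-Maili pdf.exe"',
              {"SetThreadContext", "WriteProcessMemory", "AdjustPrivilegeToken"}),
    ProcEvent(3672, 5048,
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              {"EnumeratesProcesses", "AdjustPrivilegeToken"}),
    ProcEvent(7000, 4000,
              r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              r'"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"'),
    ProcEvent(7001, 7000,
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" app.csproj /t:Build'),
]


def has_no_arguments(command_line: str, image: str) -> bool:
    """True when the command line is just the image path, quoted or not."""
    rest = command_line.strip()
    for prefix in (f'"{image}"', image):
        if rest.lower().startswith(prefix.lower()):
            rest = rest[len(prefix):]
            break
    return rest.strip() == ""


def find_hollowing_chains(events):
    """One finding per argument-less HOLLOW_TARGETS launch with a suspicious parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        if PureWindowsPath(child.image).name.lower() not in HOLLOW_TARGETS:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or not has_no_arguments(child.command_line, child.image):
            continue  # a real build passes a project or target; nothing to see
        reasons = []
        if INJECTION_APIS <= parent.api_calls:
            reasons.append("parent used SetThreadContext and WriteProcessMemory")
        if any(p in parent.image.lower() for p in USER_WRITABLE):
            reasons.append("parent runs from a user-writable path")
        if reasons:
            findings.append({"child_pid": child.pid, "parent_pid": parent.pid,
                             "parent_image": parent.image,
                             "reasons": ["target launched with no arguments"] + reasons})
    return findings


if __name__ == "__main__":
    for f in find_hollowing_chains(SAMPLE_EVENTS):
        print(f"PID {f['child_pid']} <- PID {f['parent_pid']} ({f['parent_image']})")
        for r in f["reasons"]:
            print("   ", r)
```

The argument-less launch is the load-bearing condition: MSBuild.exe started by a build tool always carries a project or target, so requiring an empty command line before looking at the parent keeps developer machines quiet while still catching the chain in this report, where both parent indicators are present at once.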

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/3672-4791-0x0000000140000000-0x0000000140024000-memory.dmp  (144KB)
  • memory/3672-4790-0x00007FF832910000-0x00007FF8333D1000-memory.dmp  (10.8MB)
  • memory/3672-4792-0x00000224B5DC0000-0x00000224B5DD0000-memory.dmp  (64KB)
  • memory/3672-4793-0x00000224B5EE0000-0x00000224B5F30000-memory.dmp  (320KB)
  • memory/3672-4794-0x00000224B6100000-0x00000224B62C2000-memory.dmp  (1.8MB)
  • memory/3672-4796-0x00000224B5DC0000-0x00000224B5DD0000-memory.dmp  (64KB)
  • memory/3672-4795-0x00007FF832910000-0x00007FF8333D1000-memory.dmp  (10.8MB)
  • memory/5048-32-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-38-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-4-0x0000029BCB4D0000-0x0000029BCB6C4000-memory.dmp  (2.0MB)
  • memory/5048-5-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-6-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-8-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-10-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-12-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-14-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-16-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-18-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-20-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-22-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-24-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-26-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-28-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-30-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-2-0x00007FF832910000-0x00007FF8333D1000-memory.dmp  (10.8MB)
  • memory/5048-34-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-40-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-42-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-3-0x0000029BCB3C0000-0x0000029BCB3D0000-memory.dmp  (64KB)
  • memory/5048-36-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-44-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-46-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-50-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-48-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-56-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-58-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-60-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-54-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-52-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-62-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-64-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-66-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-68-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp  (1.9MB)
  • memory/5048-2763-0x00007FF832910000-0x00007FF8333D1000-memory.dmp  (10.8MB)
  • memory/5048-1-0x0000029BB11C0000-0x0000029BB11CC000-memory.dmp  (48KB)
  • memory/5048-0-0x0000029BB0DC0000-0x0000029BB0E14000-memory.dmp  (336KB)
  • memory/5048-3548-0x0000029BCB3C0000-0x0000029BCB3D0000-memory.dmp  (64KB)
  • memory/5048-4783-0x0000029BB11D0000-0x0000029BB11D1000-memory.dmp  (4KB)
  • memory/5048-4784-0x0000029BB2B10000-0x0000029BB2B4A000-memory.dmp  (232KB)
  • memory/5048-4785-0x0000029BCB370000-0x0000029BCB3BC000-memory.dmp  (304KB)
  • memory/5048-4789-0x00007FF832910000-0x00007FF8333D1000-memory.dmp  (10.8MB)
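Each dump above is named memory/<pid>-<sequence>-<start>-<end>-memory.dmp, and the listed size is just the address range rounded. The following added example (not part of the report, and not the sandbox's code) parses those names, recomputes region sizes so they can be checked against the Filesize column, sets aside any range that appears in both processes (a module mapped at the same address in both, not payload), and flags the region at 0x140000000, the usual image base for 64-bit executables, as the first thing to carve from PID 3672. The dump names are a subset copied from the list above; DEFAULT_X64_IMAGE_BASE and the candidate heuristic are editorial assumptions, not something the report states.

```python
import re
from collections import defaultdict

# Dump names copied from the report's Downloads list (a subset, for brevity).
SAMPLE_DUMPS = [
    "memory/3672-4791-0x0000000140000000-0x0000000140024000-memory.dmp",
    "memory/3672-4790-0x00007FF832910000-0x00007FF8333D1000-memory.dmp",
    "memory/3672-4792-0x00000224B5DC0000-0x00000224B5DD0000-memory.dmp",
    "memory/3672-4793-0x00000224B5EE0000-0x00000224B5F30000-memory.dmp",
    "memory/3672-4794-0x00000224B6100000-0x00000224B62C2000-memory.dmp",
    "memory/3672-4796-0x00000224B5DC0000-0x00000224B5DD0000-memory.dmp",
    "memory/3672-4795-0x00007FF832910000-0x00007FF8333D1000-memory.dmp",
    "memory/5048-0-0x0000029BB0DC0000-0x0000029BB0E14000-memory.dmp",
    "memory/5048-1-0x0000029BB11C0000-0x0000029BB11CC000-memory.dmp",
    "memory/5048-2-0x00007FF832910000-0x00007FF8333D1000-memory.dmp",
    "memory/5048-3-0x0000029BCB3C0000-0x0000029BCB3D0000-memory.dmp",
    "memory/5048-4-0x0000029BCB4D0000-0x0000029BCB6C4000-memory.dmp",
    "memory/5048-5-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp",
    "memory/5048-32-0x0000029BCB4D0000-0x0000029BCB6BD000-memory.dmp",
    "memory/5048-3548-0x0000029BCB3C0000-0x0000029BCB3D0000-memory.dmp",
    "memory/5048-4783-0x0000029BB11D0000-0x0000029BB11D1000-memory.dmp",
    "memory/5048-4784-0x0000029BB2B10000-0x0000029BB2B4A000-memory.dmp",
    "memory/5048-4785-0x0000029BCB370000-0x0000029BCB3BC000-memory.dmp",
    "memory/5048-4789-0x00007FF832910000-0x00007FF8333D1000-memory.dmp",
]

# Default image base for 64-bit executables; an image sitting there in a process
# that never loaded it from disk is worth a look (editorial heuristic, not from the report).
DEFAULT_X64_IMAGE_BASE = 0x140000000

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n):
    """Round the way the report's Filesize column does (KB below 1MB, else MB)."""
    if n < 1 << 20:
        return f"{n / 1024:.0f}KB"
    return f"{n / (1 << 20):.1f}MB"


def summarize(names):
    """Group dumps by (pid, range); separate ranges shared across pids from per-process ones."""
    dumps_per_region = defaultdict(int)
    for name in names:
        d = parse_dump_name(name)
        dumps_per_region[(d["pid"], d["start"], d["end"])] += 1

    pids_per_range = defaultdict(set)
    for pid, start, end in dumps_per_region:
        pids_per_range[(start, end)].add(pid)
    shared = {rng: pids for rng, pids in pids_per_range.items() if len(pids) > 1}

    candidates = []
    for (pid, start, end), count in dumps_per_region.items():
        if (start, end) in shared:
            continue  # same range in both processes: a common module, not payload
        candidates.append({"pid": pid, "start": start, "end": end,
                           "size": end - start, "dumps": count,
                           "at_default_image_base": start == DEFAULT_X64_IMAGE_BASE})
    candidates.sort(key=lambda c: (c["pid"], c["start"]))
    return {"unique_regions": len(dumps_per_region),
            "shared": shared, "candidates": candidates}


if __name__ == "__main__":
    report = summarize(SAMPLE_DUMPS)
    for (start, end), pids in report["shared"].items():
        print(f"shared   0x{start:016X}-0x{end:016X}  {human_size(end - start):>7}  pids={sorted(pids)}")
    for c in report["candidates"]:
        flag = "  <- default x64 image base" if c["at_default_image_base"] else ""
        print(f"pid {c['pid']}  0x{c['start']:016X}-0x{c['end']:016X}  "
              f"{human_size(c['size']):>7}  dumped x{c['dumps']}{flag}")
```

Run on this subset it reports one 10.8MB range present in both PIDs and leaves PID 3672 with four regions of its own, among them the 144KB one at 0x140000000 and a 320KB one at 0x224B5EE0000, the same size as the submitted file; those two are the natural starting points for pulling the injected payload out of MSBuild.exe. The repeated 1.9MB dumps of PID 5048 collapse to one region with a dump count, which is how the full list above should be read as well.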