Analysis
-
max time kernel
137s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
14-03-2024 02:30
Behavioral task
behavioral1
Sample
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe
Resource
win10v2004-20240226-en
General
-
Target
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe
-
Size
320KB
-
MD5
857f57632320c296ed42603d5dc50753
-
SHA1
5383f9059896b7f871d7c974ed887aced42789f7
-
SHA256
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719
-
SHA512
269b4f8961667c44edef79527cb70b5b53e5dd062fc4a4e28ab79ba4049415c29499b0cb1f9f0967a03dda197a3ff3784316e73171e479449daa461230da4930
-
SSDEEP
6144:6PBJmR7777rL0DWuRbao46Li4/bPrCt9UHNxizH+zyfw4spWJy:6PmjuRbn4qjTPOtQNxDzyo4spl
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
Processes:
resource yara_rule behavioral2/memory/3972-4-0x00000216E5510000-0x00000216E5704000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-5-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-6-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-8-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-10-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-14-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-12-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-16-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-18-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-20-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-22-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-24-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-26-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-28-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-30-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-32-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-34-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-36-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-38-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-40-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-42-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-48-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-54-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-56-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-58-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-52-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-60-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-62-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-50-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-46-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-44-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-66-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-68-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 behavioral2/memory/3972-64-0x00000216E5510000-0x00000216E56FD000-memory.dmp family_zgrat_v1 -
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3972-0-0x00000216CAC70000-0x00000216CACC4000-memory.dmp family_purelog_stealer -
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1732-4788-0x0000000140000000-0x0000000140024000-memory.dmp family_snakekeylogger behavioral2/memory/1732-4791-0x000002040D080000-0x000002040D090000-memory.dmp family_snakekeylogger -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1732-4788-0x0000000140000000-0x0000000140024000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1732-4788-0x0000000140000000-0x0000000140024000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables with potential process hoocking 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1732-4788-0x0000000140000000-0x0000000140024000-memory.dmp INDICATOR_SUSPICIOUS_EXE_DotNetProcHook -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssssssssssss = "C:\\Users\\Admin\\AppData\\Roaming\\ssssssssssss.exe" 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 70 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exedescription pid process target process PID 3972 set thread context of 1732 3972 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe MSBuild.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
MSBuild.exepid process 1732 MSBuild.exe 1732 MSBuild.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exeMSBuild.exedescription pid process Token: SeDebugPrivilege 3972 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe Token: SeDebugPrivilege 1732 MSBuild.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exedescription pid process target process PID 3972 wrote to memory of 1732 3972 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe MSBuild.exe PID 3972 wrote to memory of 1732 3972 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe MSBuild.exe PID 3972 wrote to memory of 1732 3972 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe MSBuild.exe PID 3972 wrote to memory of 1732 3972 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe MSBuild.exe PID 3972 wrote to memory of 1732 3972 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe MSBuild.exe PID 3972 wrote to memory of 1732 3972 7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe MSBuild.exe -
outlook_office_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe -
outlook_win_path 1 IoCs
Processes:
MSBuild.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe"C:\Users\Admin\AppData\Local\Temp\7199c9f3d8524e27b8fd14131f0992eb16433d0aa21563805f7fee29e773e719.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1732