Analysis
-
max time kernel
150s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
15-03-2024 16:01
Static task
static1
Behavioral task
behavioral1
Sample
chooseadvancepro/chooseadvancepro.exe
Resource
win10v2004-20240226-en
General
-
Target
chooseadvancepro/chooseadvancepro.exe
-
Size
8.4MB
-
MD5
c619f9f5947e27fafad1cb1d62d17311
-
SHA1
ac04371cd219632c08e0a4b60bad49a259dd4444
-
SHA256
e200ee556b9cc7354becc3f397c4b8d0225c38ea8c9d17182e552cc0fe48056d
-
SHA512
eaf023fdc896dd4b5267a137feb69fc649fe8a7b4e42fe22638c0d52a4a31e4c575cfae20f10bb9af9f3b4809db98cf2ce0724ed8c8047040eb8c2c961ea374e
-
SSDEEP
196608:kgdA+F6/H8nOikJSs3uzhSHFnDnArEYtW8xq2/v1dstbTZjIKKv:k1/cnzkJSSuhiDWEojIbThYv
Malware Config
Extracted
lumma
https://colorfulequalugliess.shop/api
Signatures
-
Detect ZGRat V1 33 IoCs
Processes:
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\choosieadvanceress.exe  family_purelog_stealer
behavioral1/memory/2336-32-0x0000000000490000-0x0000000000740000-memory.dmp  family_purelog_stealer
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
3232  chooseadvance.exe
2336  choosieadvanceress.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                   process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  chooseadvancepro.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process            target process
PID 3232 set thread context of 968   3232  chooseadvance.exe  AddInProcess32.exe
-
Program crash 2 IoCs
Processes:
pid   pid_target  process       target process
3040  968         WerFault.exe  AddInProcess32.exe
3660  968         WerFault.exe  AddInProcess32.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
3232  chooseadvance.exe
3232  chooseadvance.exe
3232  chooseadvance.exe
3232  chooseadvance.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  3232  chooseadvance.exe
Token: SeDebugPrivilege  2336  choosieadvanceress.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
description                          pid   process               target process
PID 2924 wrote to memory of 3232     2924  chooseadvancepro.exe  chooseadvance.exe
PID 2924 wrote to memory of 3232     2924  chooseadvancepro.exe  chooseadvance.exe
PID 2924 wrote to memory of 3232     2924  chooseadvancepro.exe  chooseadvance.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 1032     3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 3232 wrote to memory of 968      3232  chooseadvance.exe     AddInProcess32.exe
PID 2924 wrote to memory of 2336     2924  chooseadvancepro.exe  choosieadvanceress.exe
PID 2924 wrote to memory of 2336     2924  chooseadvancepro.exe  choosieadvanceress.exe
PID 2924 wrote to memory of 2336     2924  chooseadvancepro.exe  choosieadvanceress.exe
Processes
-
(each entry: image path, command line, signatures, PID; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\chooseadvancepro\chooseadvancepro.exe
"C:\Users\Admin\AppData\Local\Temp\chooseadvancepro\chooseadvancepro.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2924
-
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chooseadvance.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chooseadvance.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3232
    -
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        PID:1032
        -
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        PID:968
        -
            C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1028
            - Program crash
            PID:3040
            -
            C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 1044
            - Program crash
            PID:3660
            -
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\choosieadvanceress.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\choosieadvanceress.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
    -
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 968 -ip 968
PID:4140
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 968 -ip 968
PID:1692
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
6.0MB
MD5     ae661d4cdd37d798914620cbb193d517
SHA1    e68a5885a227149023d832850a829710462c3d74
SHA256  ec0e25c1c82ca1b12410d338ac26ba87df1e9304a02b8025e194f2b57ae7c8a6
SHA512  d7deee88a73ab817effe2a407ca96c52642e787fd2326d35d3a043d7bf54ea7f2e91e6fdab2ececc39097cf3f33a77a67b12bdfcf5da18464b1b9d4b79ba3516
-
Filesize
2.7MB
MD5     7d217a21635e862835187ff4e26b326f
SHA1    d7d17b7d1901c5b7c43aa67aed8515517fd03d14
SHA256  0e42afa4a92d84417171db2ded81c005110400c333e03399e80ac1ccfd1990f3
SHA512  7387036ff3ca4c3d7ece24b57b18526b6e20f42652ca4be61360275c18852f0e67b31a246e97f166020f475e581152cbc480484730e8ff55bc7bc29a3cb38acb