Analysis
- max time kernel: 137s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-03-2024 09:28
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
- Resource: win10v2004-20240226-en
General
- Target: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
- Size: 481KB
- MD5: 3a44104fb5d035d1cd725732e94a5e8d
- SHA1: cb3f89df88e1468bca9d5ca01d22588791884ecb
- SHA256: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
- SHA512: eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1
- SSDEEP: 6144:5rtQDr7b6OdSo1qwmHR91YiOU35YyaLPTTNMGL2w9BBfdN3MVqRw6aPMGGmG1H:5JQDr2oE1YpUCycTNbJBJ3MB2
Malware Config
Signatures
- Detect ZGRat V1 (34 IoCs)
Processes:
resource                                                                     yara_rule
behavioral2/memory/928-4-0x0000000005FD0000-0x0000000006256000-memory.dmp    family_zgrat_v1
behavioral2/memory/928-5-0x0000000005FD0000-0x0000000006250000-memory.dmp    family_zgrat_v1
behavioral2/memory/928-6-0x0000000005FD0000-0x0000000006250000-memory.dmp    family_zgrat_v1
behavioral2/memory/928-8-0x0000000005FD0000-0x0000000006250000-memory.dmp    family_zgrat_v1
behavioral2/memory/928-10-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-12-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-14-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-16-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-18-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-20-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-22-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-24-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-26-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-28-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-30-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-32-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-34-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-36-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-38-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-40-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-42-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-44-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-46-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-48-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-50-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-52-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-54-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-56-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-58-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-60-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-62-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-64-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-66-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
behavioral2/memory/928-68-0x0000000005FD0000-0x0000000006250000-memory.dmp   family_zgrat_v1
- PureLog Stealer
PureLog Stealer is an infostealer written in C#.
- PureLog Stealer payload (1 IoC)
Processes:
resource                                                                     yara_rule
behavioral2/memory/928-0-0x0000000000C40000-0x0000000000CBC000-memory.dmp    family_purelog_stealer
- Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
description      ioc                                                                                                                                                                        process
Set value (str)  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe"  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckje = "C:\\Users\\Admin\\AppData\\Roaming\\deebf\\ckje.exe"           SecuriteInfo.com.Program.Unwanted.4610.15239.exe
- Suspicious use of SetThreadContext (1 IoC)
Processes: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
description                         pid  process                                            target process
PID 928 set thread context of 2564  928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
pid   process
2564  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
pid  process
928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
description              pid   process
Token: SeDebugPrivilege  928   SecuriteInfo.com.Program.Unwanted.4610.15239.exe
Token: SeDebugPrivilege  2564  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
Processes: SecuriteInfo.com.Program.Unwanted.4610.15239.exe
description                        pid  process                                            target process
PID 928 wrote to memory of 2572    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2572    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2572    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3800    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3800    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3800    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3408    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3408    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3408    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3448    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3448    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 3448    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2564    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2564    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2564    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2564    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2564    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2564    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2564    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
PID 928 wrote to memory of 2564    928  SecuriteInfo.com.Program.Unwanted.4610.15239.exe  SecuriteInfo.com.Program.Unwanted.4610.15239.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe (depth 1, PID 928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe (depth 2, PID 2572)
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe (depth 2, PID 3800)
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe (depth 2, PID 3408)
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe (depth 2, PID 3448)
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe (depth 2, PID 2564)
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Program.Unwanted.4610.15239.exe
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Program.Unwanted.4610.15239.exe.log
  Filesize: 1KB
  MD5: 435e0068bcb9090064eedccd2e18bfca
  SHA1: 9329bc444452d8ac807b085e0428b159e8eed352
  SHA256: 5721053800850afc4469bf2d079768d6d3444c6cb64394978830355ec1babdc6
  SHA512: 6c26cac18fff415ce13c12cef4656596b32d41d918c34419e39de16b27fecd4c4c912301c2293bb9c101df41ebf08a996fa26c2460c5934c5de44f01f8aab9f6