Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-03-2024 02:17
Behavioral task: behavioral1
- Sample: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
- Resource: win10v2004-20240226-en
General
- Target: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
- Size: 481KB
- MD5: 3a44104fb5d035d1cd725732e94a5e8d
- SHA1: cb3f89df88e1468bca9d5ca01d22588791884ecb
- SHA256: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
- SHA512: eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1
- SSDEEP: 6144:5rtQDr7b6OdSo1qwmHR91YiOU35YyaLPTTNMGL2w9BBfdN3MVqRw6aPMGGmG1H:5JQDr2oE1YpUCycTNbJBJ3MB2
Malware Config
Signatures
- Detect ZGRat V1 (34 IoCs)
  resource | yara_rule
  behavioral2/memory/1872-5-0x0000000005D30000-0x0000000005FB6000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-7-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-8-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-10-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-12-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-14-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-16-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-18-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-20-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-22-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-24-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-26-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-28-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-30-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-32-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-34-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-36-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-38-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-40-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-42-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-44-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-46-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-48-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-50-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-52-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-54-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-56-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-58-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-60-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-62-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-64-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-66-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-68-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
  behavioral2/memory/1872-70-0x0000000005D30000-0x0000000005FB0000-memory.dmp | family_zgrat_v1
- PureLog Stealer
  PureLog Stealer is an infostealer written in C#.
- PureLog Stealer payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/1872-0-0x0000000000950000-0x00000000009CC000-memory.dmp | family_purelog_stealer
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe, dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckje = "C:\\Users\\Admin\\AppData\\Roaming\\deebf\\ckje.exe" | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe" | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  description | pid | process | target process
  PID 1872 set thread context of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  pid | process
  4748 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe, dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  description | pid | process
  Token: SeDebugPrivilege | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  Token: SeDebugPrivilege | 4748 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  description | pid | process | target process
  PID 1872 wrote to memory of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  PID 1872 wrote to memory of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  PID 1872 wrote to memory of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  PID 1872 wrote to memory of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  PID 1872 wrote to memory of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  PID 1872 wrote to memory of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  PID 1872 wrote to memory of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  PID 1872 wrote to memory of 4748 | 1872 | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe | dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe"
  PID: 1872
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe (child of PID 1872)
    Command line: C:\Users\Admin\AppData\Local\Temp\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
    PID: 4748
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe.log
  Filesize: 1KB
  MD5: 435e0068bcb9090064eedccd2e18bfca
  SHA1: 9329bc444452d8ac807b085e0428b159e8eed352
  SHA256: 5721053800850afc4469bf2d079768d6d3444c6cb64394978830355ec1babdc6
  SHA512: 6c26cac18fff415ce13c12cef4656596b32d41d918c34419e39de16b27fecd4c4c912301c2293bb9c101df41ebf08a996fa26c2460c5934c5de44f01f8aab9f6