Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-03-2024 02:17

General

  • Target

    dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe

  • Size

    481KB

  • MD5

    3a44104fb5d035d1cd725732e94a5e8d

  • SHA1

    cb3f89df88e1468bca9d5ca01d22588791884ecb

  • SHA256

    dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08

  • SHA512

    eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1

  • SSDEEP

    6144:5rtQDr7b6OdSo1qwmHR91YiOU35YyaLPTTNMGL2w9BBfdN3MVqRw6aPMGGmG1H:5JQDr2oE1YpUCycTNbJBJ3MB2

Malware Config

Signatures

  • Detect ZGRat V1 34 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

  • PureLog Stealer payload 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
    "C:\Users\Admin\AppData\Local\Temp\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Users\Admin\AppData\Local\Temp\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
      C:\Users\Admin\AppData\Local\Temp\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      PID:4748

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08.exe.log

    Filesize

    1KB

    MD5

    435e0068bcb9090064eedccd2e18bfca

    SHA1

    9329bc444452d8ac807b085e0428b159e8eed352

    SHA256

    5721053800850afc4469bf2d079768d6d3444c6cb64394978830355ec1babdc6

    SHA512

    6c26cac18fff415ce13c12cef4656596b32d41d918c34419e39de16b27fecd4c4c912301c2293bb9c101df41ebf08a996fa26c2460c5934c5de44f01f8aab9f6

  • memory/1872-0-0x0000000000950000-0x00000000009CC000-memory.dmp

    Filesize

    496KB

  • memory/1872-1-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/1872-2-0x0000000005420000-0x0000000005430000-memory.dmp

    Filesize

    64KB

  • memory/1872-3-0x00000000052C0000-0x00000000052CA000-memory.dmp

    Filesize

    40KB

  • memory/1872-4-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/1872-5-0x0000000005D30000-0x0000000005FB6000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-6-0x0000000005420000-0x0000000005430000-memory.dmp

    Filesize

    64KB

  • memory/1872-7-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-8-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-10-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-12-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-14-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-16-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-18-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-20-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-22-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-24-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-26-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-28-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-30-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-32-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-34-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-36-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-38-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-40-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-42-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-44-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-46-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-48-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-50-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-52-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-54-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-56-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-58-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-60-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-62-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-64-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-66-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-68-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-70-0x0000000005D30000-0x0000000005FB0000-memory.dmp

    Filesize

    2.5MB

  • memory/1872-4783-0x0000000000D90000-0x0000000000D91000-memory.dmp

    Filesize

    4KB

  • memory/1872-4784-0x00000000013C0000-0x000000000148E000-memory.dmp

    Filesize

    824KB

  • memory/1872-4785-0x0000000000FA0000-0x0000000000FEC000-memory.dmp

    Filesize

    304KB

  • memory/1872-4786-0x00000000071D0000-0x0000000007262000-memory.dmp

    Filesize

    584KB

  • memory/1872-4787-0x0000000007820000-0x0000000007DC4000-memory.dmp

    Filesize

    5.6MB

  • memory/1872-4788-0x00000000073E0000-0x0000000007446000-memory.dmp

    Filesize

    408KB

  • memory/1872-4795-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4748-4793-0x0000000000400000-0x00000000004A8000-memory.dmp

    Filesize

    672KB

  • memory/4748-4794-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4748-4796-0x0000000004F90000-0x0000000004FA0000-memory.dmp

    Filesize

    64KB

  • memory/4748-4797-0x0000000004DF0000-0x0000000004EB4000-memory.dmp

    Filesize

    784KB

  • memory/4748-5646-0x0000000002990000-0x0000000002991000-memory.dmp

    Filesize

    4KB

  • memory/4748-5647-0x0000000004F30000-0x0000000004F86000-memory.dmp

    Filesize

    344KB

  • memory/4748-5649-0x00000000052F0000-0x00000000052FA000-memory.dmp

    Filesize

    40KB

  • memory/4748-5650-0x0000000074740000-0x0000000074EF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4748-5651-0x0000000004F90000-0x0000000004FA0000-memory.dmp

    Filesize

    64KB