Analysis
max time kernel: 101s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 17-03-2024 08:12
Behavioral task behavioral1
Sample: 002f6f310a1ea664bfe07e5dd7045676.exe
Resource: win7-20240215-en

Behavioral task behavioral2
Sample: 002f6f310a1ea664bfe07e5dd7045676.exe
Resource: win10v2004-20240226-en
General
Target: 002f6f310a1ea664bfe07e5dd7045676.exe
Size: 5.6MB
MD5: 002f6f310a1ea664bfe07e5dd7045676
SHA1: 104e60ea49811a2b33442c5192b0d5f539fd235e
SHA256: c875d48e9242fff77283972803a88ca27a9045381a42c57c94f105cee7e0549c
SHA512: 3caad6aaa12f9dc5e5e7ddbbebe166b90e5721233619c8f31ad02754b0060889cb6cc36688b1b725e526e8c5e263b40ebb943c9bcf8938a56ce69c122076cb85
SSDEEP: 98304:V2wSiJSTjLc3oYusZhfoFH/Ydc4ajxG/zSDZyqBJEJaO6JrRe7kEcEAL:gw1gT84Y1ha/YdAftyziJrRnE
Malware Config
Signatures

Detect ZGRat V1 (35 IoCs)
PureLog Stealer
PureLog Stealer is an infostealer written in C#.

PureLog Stealer payload (1 IoC)
Processes:
  resource: behavioral1/memory/2156-0-0x0000000000C00000-0x000000000119C000-memory.dmp
  yara_rule: family_purelog_stealer

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 2156
  process: 002f6f310a1ea664bfe07e5dd7045676.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description | pid | process | target process):
  PID 2156 wrote to memory of 2292 | 2156 | 002f6f310a1ea664bfe07e5dd7045676.exe | powershell.exe
  PID 2156 wrote to memory of 2292 | 2156 | 002f6f310a1ea664bfe07e5dd7045676.exe | powershell.exe
  PID 2156 wrote to memory of 2292 | 2156 | 002f6f310a1ea664bfe07e5dd7045676.exe | powershell.exe
  PID 2156 wrote to memory of 2292 | 2156 | 002f6f310a1ea664bfe07e5dd7045676.exe | powershell.exe
  PID 2156 wrote to memory of 1800 | 2156 | 002f6f310a1ea664bfe07e5dd7045676.exe | powershell.exe
  PID 2156 wrote to memory of 1800 | 2156 | 002f6f310a1ea664bfe07e5dd7045676.exe | powershell.exe
  PID 2156 wrote to memory of 1800 | 2156 | 002f6f310a1ea664bfe07e5dd7045676.exe | powershell.exe
  PID 2156 wrote to memory of 1800 | 2156 | 002f6f310a1ea664bfe07e5dd7045676.exe | powershell.exe
Processes (tree; depth follows the original 1..4 levels)

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe (PID 2156)
  command line: "C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2292)
  |    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
  |- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1800)
  |    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
  |    (the -enc argument is UTF-16LE base64 and decodes to: Start-Process 'https://google.com')
  |  |- C:\Program Files\Internet Explorer\iexplore.exe (PID 1272)
  |  |    command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.com/
  |  |  |- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2836)
  |  |       command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1272 CREDAT:275457 /prefetch:2
  |- C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe (PID 1628)
  |    command line: "C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe"
  |- C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe (PID 812)
  |    command line: C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
  |- C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe (PID 1912)
       command line: C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
Network
MITRE ATT&CK Enterprise v15
Downloads