Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-03-2024 01:58
Behavioral task: behavioral1
Sample: NEW ORDER.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: NEW ORDER.exe
Resource: win10v2004-20240226-en
General
Target: NEW ORDER.exe
Size: 2.9MB
MD5: fdf78fc377c3344eed18f78d7bb9563e
SHA1: 110e53a7d33151433e31e5124debc11d91aa5e4f
SHA256: 88670303d986c2ab42c91bf120273ceb7df2754708fc871820ca084e1678f670
SHA512: 10cadaa7d927f3ec4502ea140498d8025ce5d48b5d052e014c4a80854045da526a3ec621f421a73e6700175dbdbc6b549f8a98a833f112147bccb0394b5c3f7d
SSDEEP: 49152:5k29QKZE+YNvZfzj8jDa9HEZUGVdljgxaG9YSy7+wiiLhKCVHtojtXcbQlG0:51aKZE+ovZf/869KVdF5GlD3ZCxtoJc6
Malware Config
Signatures
-
Detect ZGRat V1 (35 IoCs): yara_rule family_zgrat_v1 matched in process memory dumps (behavioral1)
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload (1 IoC)
Processes (resource, yara_rule): behavioral1/memory/1660-0-0x0000000000940000-0x0000000000C2E000-memory.dmp family_purelog_stealer
-
Loads dropped DLL (1 IoC)
Processes (pid, process): 2312 MSBuild.exe
-
Accesses Microsoft Outlook profiles (1 TTP, 35 IoCs)
Processes (description, ioc, process): MSBuild.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process): NEW ORDER.exe
PID 1660 (NEW ORDER.exe) set thread context of PID 2312 (MSBuild.exe)
-
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid, process): 2312 MSBuild.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process): NEW ORDER.exe, MSBuild.exe
Token: SeDebugPrivilege, PID 1660 (NEW ORDER.exe)
Token: SeDebugPrivilege, PID 2312 (MSBuild.exe)
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description, pid, process, target process): NEW ORDER.exe
PID 1660 (NEW ORDER.exe) wrote to memory of PID 2312 (MSBuild.exe), recorded 9 times
-
outlook_office_path (1 IoC)
Processes (description, ioc, process): MSBuild.exe
Key queried: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
-
outlook_win_path (1 IoC)
Processes (description, ioc, process): MSBuild.exe
Key queried: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
  PID: 1660
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (depth 2, child of PID 1660)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    PID: 2312
    - Loads dropped DLL
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 148KB
MD5: 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1: aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256: 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512: ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2
-
Filesize: 1.4MB
MD5: 8929875293899eb698a3422a3ee56879
SHA1: e4703914ce1b51eafaa44160a8f4729cfa5475a7
SHA256: 91a7df1934f4955d98ee2e30658e9f36fc595bb471256a5fc3ba16bbcc391a08
SHA512: 2e6845f657ecc056746fb9cda66161e9eb1b0fe0fcbda9226cbb3c626711542fdc4aeb308c3c14cb22b9c12c1be4433de5afe7f498e38de4fefe4ea0c9c74a4b