Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-03-2024 01:58

General

  • Target

    NEW ORDER.exe

  • Size

    2.9MB

  • MD5

    fdf78fc377c3344eed18f78d7bb9563e

  • SHA1

    110e53a7d33151433e31e5124debc11d91aa5e4f

  • SHA256

    88670303d986c2ab42c91bf120273ceb7df2754708fc871820ca084e1678f670

  • SHA512

    10cadaa7d927f3ec4502ea140498d8025ce5d48b5d052e014c4a80854045da526a3ec621f421a73e6700175dbdbc6b549f8a98a833f112147bccb0394b5c3f7d

  • SSDEEP

    49152:5k29QKZE+YNvZfzj8jDa9HEZUGVdljgxaG9YSy7+wiiLhKCVHtojtXcbQlG0:51aKZE+ovZf/869KVdF5GlD3ZCxtoJc6

Malware Config

Signatures

  • Detect ZGRat V1 35 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

  • PureLog Stealer payload 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      2⤵
      • Loads dropped DLL
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2312

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Tpmdx.tmp

    Filesize

    148KB

    MD5

    90a1d4b55edf36fa8b4cc6974ed7d4c4

    SHA1

    aba1b8d0e05421e7df5982899f626211c3c4b5c1

    SHA256

    7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

    SHA512

    ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

  • \Users\Admin\AppData\Local\Temp\Costura\492059BB4ED4FD9BB5CC046DCF3C0FA2\32\sqlite.interop.dll

    Filesize

    1.4MB

    MD5

    8929875293899eb698a3422a3ee56879

    SHA1

    e4703914ce1b51eafaa44160a8f4729cfa5475a7

    SHA256

    91a7df1934f4955d98ee2e30658e9f36fc595bb471256a5fc3ba16bbcc391a08

    SHA512

    2e6845f657ecc056746fb9cda66161e9eb1b0fe0fcbda9226cbb3c626711542fdc4aeb308c3c14cb22b9c12c1be4433de5afe7f498e38de4fefe4ea0c9c74a4b

  • memory/1660-1-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

  • memory/1660-0-0x0000000000940000-0x0000000000C2E000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-2-0x0000000004BC0000-0x0000000004C00000-memory.dmp

    Filesize

    256KB

  • memory/1660-3-0x0000000004EE0000-0x00000000051C0000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-4-0x00000000051C0000-0x00000000054A2000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-5-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-8-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-6-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-10-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-12-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-14-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-16-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-18-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-20-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-22-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-24-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-26-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-28-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-30-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-32-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-34-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-36-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-38-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-40-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-42-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-44-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-46-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-48-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-50-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-52-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-54-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-56-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-58-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-60-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-62-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-64-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-66-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-68-0x00000000051C0000-0x000000000549B000-memory.dmp

    Filesize

    2.9MB

  • memory/1660-4783-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

  • memory/1660-4784-0x0000000002030000-0x0000000002031000-memory.dmp

    Filesize

    4KB

  • memory/1660-4785-0x0000000007230000-0x0000000007358000-memory.dmp

    Filesize

    1.2MB

  • memory/1660-4786-0x00000000004B0000-0x00000000004FC000-memory.dmp

    Filesize

    304KB

  • memory/1660-4787-0x0000000002250000-0x00000000022A4000-memory.dmp

    Filesize

    336KB

  • memory/1660-4797-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2312-4801-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

  • memory/2312-4803-0x0000000004780000-0x0000000004896000-memory.dmp

    Filesize

    1.1MB

  • memory/2312-4804-0x0000000004740000-0x0000000004780000-memory.dmp

    Filesize

    256KB

  • memory/2312-4802-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2312-7093-0x0000000004FB0000-0x000000000504E000-memory.dmp

    Filesize

    632KB

  • memory/2312-7094-0x00000000744C0000-0x0000000074BAE000-memory.dmp

    Filesize

    6.9MB

  • memory/2312-7095-0x0000000004740000-0x0000000004780000-memory.dmp

    Filesize

    256KB

  • memory/2312-7096-0x0000000007120000-0x0000000007362000-memory.dmp

    Filesize

    2.3MB

  • memory/2312-7097-0x0000000008630000-0x000000000897C000-memory.dmp

    Filesize

    3.3MB

  • memory/2312-7102-0x0000000008B80000-0x0000000008BFA000-memory.dmp

    Filesize

    488KB

  • memory/2312-7103-0x0000000005460000-0x00000000054CC000-memory.dmp

    Filesize

    432KB

  • memory/2312-7106-0x0000000002130000-0x0000000002150000-memory.dmp

    Filesize

    128KB