Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
18-03-2024 01:58
Behavioral task
behavioral1
Sample
NEW ORDER.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
NEW ORDER.exe
Resource
win10v2004-20240226-en
General
-
Target
NEW ORDER.exe
-
Size
2.9MB
-
MD5
fdf78fc377c3344eed18f78d7bb9563e
-
SHA1
110e53a7d33151433e31e5124debc11d91aa5e4f
-
SHA256
88670303d986c2ab42c91bf120273ceb7df2754708fc871820ca084e1678f670
-
SHA512
10cadaa7d927f3ec4502ea140498d8025ce5d48b5d052e014c4a80854045da526a3ec621f421a73e6700175dbdbc6b549f8a98a833f112147bccb0394b5c3f7d
-
SSDEEP
49152:5k29QKZE+YNvZfzj8jDa9HEZUGVdljgxaG9YSy7+wiiLhKCVHtojtXcbQlG0:51aKZE+ovZf/869KVdF5GlD3ZCxtoJc6
Malware Config
Signatures
-
Detect ZGRat V1 35 IoCs
Processes:
resource yara_rule
behavioral2/memory/4304-4-0x00000000053B0000-0x0000000005692000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-5-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-6-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-8-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-10-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-12-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-14-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-16-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-18-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-20-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-22-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-24-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-26-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-28-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-30-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-32-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-34-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-36-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-38-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-40-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-42-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-44-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-46-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-48-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-50-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-52-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-54-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-56-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-58-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-60-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-62-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-64-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-66-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/4304-68-0x00000000053B0000-0x000000000568B000-memory.dmp family_zgrat_v1
behavioral2/memory/1184-7085-0x0000000006DE0000-0x0000000007022000-memory.dmp family_zgrat_v1
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/4304-0-0x0000000000400000-0x00000000006EE000-memory.dmp family_purelog_stealer
-
Loads dropped DLL 1 IoCs
Processes:
pid process
1184 MSBuild.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
Processes:
description ioc process
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook MSBuild.exe
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key opened \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook MSBuild.exe
Key created \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook MSBuild.exe
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 4304 set thread context of 1184 4304 NEW ORDER.exe MSBuild.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid process
1184 MSBuild.exe
1184 MSBuild.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 4304 NEW ORDER.exe
Token: SeDebugPrivilege 1184 MSBuild.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description pid process target process
PID 4304 wrote to memory of 1184 4304 NEW ORDER.exe MSBuild.exe
PID 4304 wrote to memory of 1184 4304 NEW ORDER.exe MSBuild.exe
PID 4304 wrote to memory of 1184 4304 NEW ORDER.exe MSBuild.exe
PID 4304 wrote to memory of 1184 4304 NEW ORDER.exe MSBuild.exe
PID 4304 wrote to memory of 1184 4304 NEW ORDER.exe MSBuild.exe
PID 4304 wrote to memory of 1184 4304 NEW ORDER.exe MSBuild.exe
PID 4304 wrote to memory of 1184 4304 NEW ORDER.exe MSBuild.exe
PID 4304 wrote to memory of 1184 4304 NEW ORDER.exe MSBuild.exe
-
outlook_office_path 1 IoCs
Processes:
description ioc process
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
-
outlook_win_path 1 IoCs
Processes:
description ioc process
Key queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 MSBuild.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4304 -
Child process (spawned by PID 4304):
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1184
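The process tree plus the SetThreadContext and WriteProcessMemory signatures describe a hollowing pattern: a sample in the user's Temp directory starts a legitimate .NET framework utility with no arguments, writes into it and redirects its thread context, after which the child carries the payload. As an added example (not part of the Triage report or of any vendor's detection content), the Python below runs that logic over constructed process and API events. The PIDs, paths and call counts for NEW ORDER.exe and MSBuild.exe are taken from the report; PIDs 1000, 4100 and 5000 and the devenv.exe parent are invented for a benign control case, and the indicator names and threshold are this example's own choices.

```python
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


@dataclass(frozen=True)
class ApiEvent:
    api: str        # "SetThreadContext" or "WriteProcessMemory"
    pid: int        # calling process
    target_pid: int


# .NET framework utilities commonly chosen as hollowing hosts by C# loaders.
HOST_BINARIES = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\", "\\users\\public\\")


def argument_count(cmdline: str) -> int:
    """Number of arguments after argv[0], honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return len(rest.split())


def detect_hollowed_hosts(procs, apis, min_score=3):
    """Return {child_pid: [reasons]} for children that look hollowed by their parent.
    SetThreadContext from parent to child is mandatory; the other indicators add confidence."""
    by_pid = {p.pid: p for p in procs}
    ctx = defaultdict(int)     # (caller, target) -> SetThreadContext count
    writes = defaultdict(int)  # (caller, target) -> WriteProcessMemory count
    for a in apis:
        if a.api == "SetThreadContext":
            ctx[(a.pid, a.target_pid)] += 1
        elif a.api == "WriteProcessMemory":
            writes[(a.pid, a.target_pid)] += 1

    findings = {}
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        reasons = []
        if ntpath.basename(child.image).lower() in HOST_BINARIES:
            reasons.append("child is a .NET utility commonly used as an injection host")
        if argument_count(child.cmdline) == 0:
            reasons.append("child launched with no arguments (atypical for a build tool)")
        if any(seg in parent.image.lower() for seg in USER_WRITABLE):
            reasons.append("parent image lives in a user-writable directory")
        pair = (parent.pid, child.pid)
        if ctx[pair]:
            reasons.append(f"parent called SetThreadContext on child {ctx[pair]}x")
        if writes[pair]:
            reasons.append(f"parent called WriteProcessMemory on child {writes[pair]}x")
        if ctx[pair] and len(reasons) >= min_score:
            findings[child.pid] = reasons
    return findings


# Constructed sample: the report's tree (PIDs 4304 -> 1184, one SetThreadContext, eight
# WriteProcessMemory calls) plus an invented benign MSBuild launched by Visual Studio.
PROCS = [
    ProcEvent(4304, 1000, r"C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"'),
    ProcEvent(1184, 4304, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ProcEvent(4100, 1000, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"'),
    ProcEvent(5000, 4100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /nologo MyApp.csproj /t:Build'),
]
APIS = [ApiEvent("SetThreadContext", 4304, 1184)] + [ApiEvent("WriteProcessMemory", 4304, 1184)] * 8

if __name__ == "__main__":
    for pid, reasons in detect_hollowed_hosts(PROCS, APIS).items():
        print(f"PID {pid} flagged:")
        for r in reasons:
            print("  -", r)
```

Requiring the cross-process SetThreadContext is what keeps this from firing on ordinary parents that merely spawn MSBuild: the Visual Studio control case shares the host binary but has arguments, a parent under Program Files, and no memory writes, so it is not reported.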
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.4MB
MD5
8929875293899eb698a3422a3ee56879
SHA1
e4703914ce1b51eafaa44160a8f4729cfa5475a7
SHA256
91a7df1934f4955d98ee2e30658e9f36fc595bb471256a5fc3ba16bbcc391a08
SHA512
2e6845f657ecc056746fb9cda66161e9eb1b0fe0fcbda9226cbb3c626711542fdc4aeb308c3c14cb22b9c12c1be4433de5afe7f498e38de4fefe4ea0c9c74a4b
-
Filesize
124KB
MD5
9618e15b04a4ddb39ed6c496575f6f95
SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
Filesize
148KB
MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2