Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-03-2024 01:58

General

  • Target

    NEW ORDER.exe

  • Size

    2.9MB

  • MD5

    fdf78fc377c3344eed18f78d7bb9563e

  • SHA1

    110e53a7d33151433e31e5124debc11d91aa5e4f

  • SHA256

    88670303d986c2ab42c91bf120273ceb7df2754708fc871820ca084e1678f670

  • SHA512

    10cadaa7d927f3ec4502ea140498d8025ce5d48b5d052e014c4a80854045da526a3ec621f421a73e6700175dbdbc6b549f8a98a833f112147bccb0394b5c3f7d

  • SSDEEP

    49152:5k29QKZE+YNvZfzj8jDa9HEZUGVdljgxaG9YSy7+wiiLhKCVHtojtXcbQlG0:51aKZE+ovZf/869KVdF5GlD3ZCxtoJc6

Malware Config

Signatures

  • Detect ZGRat V1 35 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

  • PureLog Stealer payload 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4304
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      2⤵
      • Loads dropped DLL
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Costura\492059BB4ED4FD9BB5CC046DCF3C0FA2\32\sqlite.interop.dll

    Filesize

    1.4MB

    MD5

    8929875293899eb698a3422a3ee56879

    SHA1

    e4703914ce1b51eafaa44160a8f4729cfa5475a7

    SHA256

    91a7df1934f4955d98ee2e30658e9f36fc595bb471256a5fc3ba16bbcc391a08

    SHA512

    2e6845f657ecc056746fb9cda66161e9eb1b0fe0fcbda9226cbb3c626711542fdc4aeb308c3c14cb22b9c12c1be4433de5afe7f498e38de4fefe4ea0c9c74a4b

  • C:\Users\Admin\AppData\Local\Temp\Mjprzpru.tmp

    Filesize

    124KB

    MD5

    9618e15b04a4ddb39ed6c496575f6f95

    SHA1

    1c28f8750e5555776b3c80b187c5d15a443a7412

    SHA256

    a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

    SHA512

    f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

  • C:\Users\Admin\AppData\Local\Temp\Udhgt.tmp

    Filesize

    148KB

    MD5

    90a1d4b55edf36fa8b4cc6974ed7d4c4

    SHA1

    aba1b8d0e05421e7df5982899f626211c3c4b5c1

    SHA256

    7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

    SHA512

    ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

  • memory/1184-7101-0x0000000006260000-0x0000000006281000-memory.dmp (Filesize 132KB)
  • memory/1184-7092-0x0000000008BC0000-0x0000000008C52000-memory.dmp (Filesize 584KB)
  • memory/1184-7100-0x00000000062B0000-0x00000000062EC000-memory.dmp (Filesize 240KB)
  • memory/1184-7096-0x00000000061E0000-0x000000000622C000-memory.dmp (Filesize 304KB)
  • memory/1184-7095-0x0000000005E80000-0x00000000061D4000-memory.dmp (Filesize 3.3MB)
  • memory/1184-7094-0x0000000005CB0000-0x0000000005D1C000-memory.dmp (Filesize 432KB)
  • memory/1184-7093-0x0000000005D60000-0x0000000005DDA000-memory.dmp (Filesize 488KB)
  • memory/1184-4791-0x0000000000400000-0x00000000004D8000-memory.dmp (Filesize 864KB)
  • memory/1184-7091-0x00000000088B0000-0x0000000008916000-memory.dmp (Filesize 408KB)
  • memory/1184-7140-0x0000000074AA0000-0x0000000075250000-memory.dmp (Filesize 7.7MB)
  • memory/1184-7086-0x0000000008280000-0x00000000085CC000-memory.dmp (Filesize 3.3MB)
  • memory/1184-7085-0x0000000006DE0000-0x0000000007022000-memory.dmp (Filesize 2.3MB)
  • memory/1184-7084-0x0000000074AA0000-0x0000000075250000-memory.dmp (Filesize 7.7MB)
  • memory/1184-7083-0x0000000005100000-0x000000000519E000-memory.dmp (Filesize 632KB)
  • memory/1184-4794-0x0000000004EF0000-0x0000000005006000-memory.dmp (Filesize 1.1MB)
  • memory/1184-4792-0x0000000074AA0000-0x0000000075250000-memory.dmp (Filesize 7.7MB)
  • memory/4304-26-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-4787-0x00000000073A0000-0x0000000007944000-memory.dmp (Filesize 5.6MB)
  • memory/4304-36-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-38-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-40-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-42-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-44-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-46-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-48-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-50-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-52-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-54-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-56-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-58-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-60-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-62-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-64-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-66-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-68-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-2113-0x0000000074AA0000-0x0000000075250000-memory.dmp (Filesize 7.7MB)
  • memory/4304-4784-0x00000000057E0000-0x00000000057E1000-memory.dmp (Filesize 4KB)
  • memory/4304-4785-0x0000000006CC0000-0x0000000006DE8000-memory.dmp (Filesize 1.2MB)
  • memory/4304-4786-0x0000000002860000-0x00000000028AC000-memory.dmp (Filesize 304KB)
  • memory/4304-34-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-4788-0x00000000059F0000-0x0000000005A44000-memory.dmp (Filesize 336KB)
  • memory/4304-32-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-4793-0x0000000074AA0000-0x0000000075250000-memory.dmp (Filesize 7.7MB)
  • memory/4304-30-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-28-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-0-0x0000000000400000-0x00000000006EE000-memory.dmp (Filesize 2.9MB)
  • memory/4304-24-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-22-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-20-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-18-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-16-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-14-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-12-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-10-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-8-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-6-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-5-0x00000000053B0000-0x000000000568B000-memory.dmp (Filesize 2.9MB)
  • memory/4304-4-0x00000000053B0000-0x0000000005692000-memory.dmp (Filesize 2.9MB)
  • memory/4304-3-0x0000000005060000-0x0000000005340000-memory.dmp (Filesize 2.9MB)
  • memory/4304-2-0x0000000005050000-0x0000000005060000-memory.dmp (Filesize 64KB)
  • memory/4304-1-0x0000000074AA0000-0x0000000075250000-memory.dmp (Filesize 7.7MB)