Overview

overview

10

Static

static

3

payment_invoice.exe

windows7-x64

10

payment_invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    20-04-2024 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment_invoice.exe

  • Size

    3.0MB

  • MD5

    af9695cf3142c1fe17e398bf452c290c

  • SHA1

    295d6df899de93ff4835b067c31c502ce894d92e

  • SHA256

    566a2a768b83757d7c2398bf9f1f84deef8bb4b238da9431fff343b262227c6b

  • SHA512

    104579b73feecf2f7349fad6c0b13f04831192f1466a64ab6c9c5f7003a07923ca49ba22f6d2ab1ee894c2718c64a3c959091443573ed40045a1a013a09967e2

  • SSDEEP

    49152:eE73wg9RmvKdLKXFxeLjwGh9riL9uoebQJ/aldMW62ZrqrGyIEpK:eEzb9RyXF8wc9WxAbQqB5Zur9s

Score
10/10
zgratcollectionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 35 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\payment_invoice.exe
    "C:\Users\Admin\AppData\Local\Temp\payment_invoice.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\payment_invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\payment_invoice.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2112
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'payment_invoice';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'payment_invoice' -Value '"C:\Users\Admin\AppData\Local\Temp\payment_invoice.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

1
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Erpbew.tmpdb
    Filesize

    148KB

    MD5

    90a1d4b55edf36fa8b4cc6974ed7d4c4

    SHA1

    aba1b8d0e05421e7df5982899f626211c3c4b5c1

    SHA256

    7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

    SHA512

    ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

    Download Submit
  • memory/1284-7234-0x000000006F3C0000-0x000000006F96B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1284-7231-0x000000006F3C0000-0x000000006F96B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1284-7232-0x000000006F3C0000-0x000000006F96B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1284-7233-0x0000000002C80000-0x0000000002CC0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2112-4912-0x00000000024A0000-0x00000000024E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2112-7194-0x00000000024E0000-0x000000000257E000-memory.dmp
    Filesize

    632KB

    Download
  • memory/2112-4909-0x0000000000130000-0x0000000000208000-memory.dmp
    Filesize

    864KB

    Download
  • memory/2112-4913-0x0000000004AB0000-0x0000000004BC6000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2112-7228-0x00000000024A0000-0x00000000024E0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2112-7227-0x0000000074690000-0x0000000074D7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2112-4911-0x0000000074690000-0x0000000074D7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2112-7197-0x00000000063A0000-0x000000000641A000-memory.dmp
    Filesize

    488KB

    Download
  • memory/2112-7196-0x0000000000C90000-0x0000000000C9A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2112-7195-0x0000000005BD0000-0x0000000005C40000-memory.dmp
    Filesize

    448KB

    Download
  • memory/2188-42-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-58-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-20-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-22-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-24-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-26-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-28-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-30-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-32-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-34-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-36-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-38-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-40-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-16-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-44-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-46-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-48-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-50-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-52-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-54-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-56-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-18-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-60-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-62-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-64-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-66-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-4883-0x0000000074690000-0x0000000074D7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2188-4884-0x0000000004D20000-0x0000000004D60000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2188-4885-0x0000000000A90000-0x0000000000A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2188-14-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-12-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-10-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-8-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-6-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-4-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-3-0x0000000004D60000-0x0000000005046000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-2-0x0000000004D60000-0x000000000504C000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2188-0-0x0000000000CC0000-0x0000000000FBA000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2188-1-0x0000000074690000-0x0000000074D7E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2188-4886-0x0000000005C00000-0x0000000005D28000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/2188-4887-0x0000000000B90000-0x0000000000BDC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2188-4888-0x0000000004D20000-0x0000000004D60000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2188-4889-0x0000000004500000-0x0000000004554000-memory.dmp
    Filesize

    336KB

    Download
  • memory/2188-4910-0x0000000074690000-0x0000000074D7E000-memory.dmp
    Filesize

    6.9MB

    Download