Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
23-01-2024 01:23
Static task
static1
Behavioral task
behavioral1
Sample
3c9da20ad78d24df53b661b7129959e0.exe
Resource
win7-20231215-en
General
-
Target
3c9da20ad78d24df53b661b7129959e0.exe
-
Size
412KB
-
MD5
3c9da20ad78d24df53b661b7129959e0
-
SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611
-
SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
-
SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4
-
SSDEEP
12288:eDmrLy4dMMrASo/n7zUvOTdlzAarl6LmH6RPz5N:um9MMo7zUKdlzlJ62qPP
Malware Config
Signatures
-
Detect ZGRat V1 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2708-10-0x0000000000400000-0x000000000045A000-memory.dmp family_zgrat_v1 behavioral1/memory/2708-11-0x0000000000400000-0x000000000045A000-memory.dmp family_zgrat_v1 behavioral1/memory/2708-14-0x0000000000400000-0x000000000045A000-memory.dmp family_zgrat_v1 behavioral1/memory/2708-17-0x0000000000400000-0x000000000045A000-memory.dmp family_zgrat_v1 behavioral1/memory/2708-19-0x0000000000400000-0x000000000045A000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/2708-10-0x0000000000400000-0x000000000045A000-memory.dmp family_redline behavioral1/memory/2708-11-0x0000000000400000-0x000000000045A000-memory.dmp family_redline behavioral1/memory/2708-14-0x0000000000400000-0x000000000045A000-memory.dmp family_redline behavioral1/memory/2708-17-0x0000000000400000-0x000000000045A000-memory.dmp family_redline behavioral1/memory/2708-19-0x0000000000400000-0x000000000045A000-memory.dmp family_redline -
Drops startup file 1 IoCs
Processes:
RegAsm.exedescription ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe RegAsm.exe -
Executes dropped EXE 1 IoCs
Processes:
qemu-ga.exepid Process 1496 qemu-ga.exe -
Loads dropped DLL 1 IoCs
Processes:
RegAsm.exepid Process 2708 RegAsm.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
3c9da20ad78d24df53b661b7129959e0.exedescription pid Process procid_target PID 2468 set thread context of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
RegAsm.exepid Process 2708 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegAsm.exedescription pid Process Token: SeDebugPrivilege 2708 RegAsm.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
3c9da20ad78d24df53b661b7129959e0.exeRegAsm.exedescription pid Process procid_target PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2468 wrote to memory of 2708 2468 3c9da20ad78d24df53b661b7129959e0.exe 27 PID 2708 wrote to memory of 1496 2708 RegAsm.exe 29 PID 2708 wrote to memory of 1496 2708 RegAsm.exe 29 PID 2708 wrote to memory of 1496 2708 RegAsm.exe 29 PID 2708 wrote to memory of 1496 2708 RegAsm.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\3c9da20ad78d24df53b661b7129959e0.exe"C:\Users\Admin\AppData\Local\Temp\3c9da20ad78d24df53b661b7129959e0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"3⤵
- Executes dropped EXE
PID:1496
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79