Analysis
-
max time kernel
85s -
max time network
89s -
platform
windows11-21h2_x64 -
resource
win11-20231222-en -
resource tags
-
submitted
27/01/2024, 14:26
General
-
Target
driver1.exe
-
Size
513KB
-
MD5
ecd563c8ea2125310eada2daac93251a
-
SHA1
1d8e53b0d094b51f5db03d8bdffbeafde33ddaf0
-
SHA256
77fbf732a2e1869f995d5d5d38a1ac0b35edba9a83ed557d8abb45dec9bbd604
-
SHA512
be722be655e3ec4aef28651f9fe21cfa48af3abe2aa2c8158e991d75115bcaf8ceebf31737c54cae565c86fa275c252bf68dae5cb2e257c232cea7e61277bece
-
SSDEEP
6144:Vy55yyymLLkkGGt/+9bBfgcqVXCtKPIszeQYsqRCbIW/Ib4YzCm/Db+3Hsj0OrPJ:VL2yttQYsqREcYmL63MoWyw/539HDn
Malware Config
Signatures
-
Detect ZGRat V1 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\driver1.exe"C:\Users\Admin\AppData\Local\Temp\driver1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD5a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1013f5aa9057bf0b3c0c24824de9d075434501354
SHA2569b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA5127446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79
-
Filesize
32.0MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
32.0MB
-
Filesize
7.7MB
-
Filesize
536KB
-
Filesize
304KB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
240KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
5.2MB
-
Filesize
6.1MB
-
Filesize
7.7MB
-
Filesize
352KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
10.8MB