Analysis

  • max time kernel
    296s
  • max time network
    280s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/04/2024, 23:35

General

  • Target

    VALO STRIKE/VALO STRIKE.exe

  • Size

    908KB

  • MD5

    d39ffc7d850cc3a5f2b55cb51729b4dd

  • SHA1

    3ea25c22239beef9e28fe8ac2d2e9858593dfe0a

  • SHA256

    02bc75d88f6bb8577a6825692bcd65b4ec941356b935edb8c6ec746cfcc2a39c

  • SHA512

    07075833b2b74275906c85437d04ee99a7e668a0d3cdcc7a6eeb88ced5ff0208f9873e3136b660708675e2b7225f0ca2a0169f0c4c09d32a3ca4decb39100750

  • SSDEEP

    6144:5PZHfaiAuNkAbQuek6f6YZC9sOjftfzg1sjn03pRrx5tFFq9rMbhTz:RZ/aduNBbGDf6YgX7g1w0NXFw9AVTz

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
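
The three TTP-tagged signatures above (browser profile data, cryptocurrency wallet files, Uninstall key enumeration) are the behaviours a detection rule keys on. What follows is an added example, not part of the Triage report, that scores those behaviours over file-read and registry-query events and flags a process only when two or more of them co-occur. The event tuples, the image paths and the browser/wallet file lists are constructed here for illustration; the event shape is a simplified Sysmon-like tuple, not any real log format.

```python
import ntpath
from collections import defaultdict
import re

# Browser credential/cookie stores that infostealers read straight off disk (illustrative list).
BROWSER_STORE_FILES = {"login data", "web data", "cookies", "logins.json", "key4.db", "cookies.sqlite"}
# Directory or file names used by desktop wallets; substring match on the lower-cased path (illustrative).
WALLET_MARKERS = ("\\exodus\\", "\\electrum\\", "\\ethereum\\keystore", "\\atomic\\", "wallet.dat")
# The registry key the "Checks installed software" signature refers to.
UNINSTALL_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\uninstall(\\|$)", re.I)
# A browser reading its own profile is normal; any other image touching it is not.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "brave.exe", "opera.exe"}

# Constructed sample events (not from the report): (event_type, pid, image, target).
SAMPLE_EVENTS = [
    ("file_read", 4796, r"C:\Users\Admin\AppData\Local\Temp\VALO STRIKE\VALO STRIKE.exe",
     r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("file_read", 4796, r"C:\Users\Admin\AppData\Local\Temp\VALO STRIKE\VALO STRIKE.exe",
     r"C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default-release\logins.json"),
    ("file_read", 4796, r"C:\Users\Admin\AppData\Local\Temp\VALO STRIKE\VALO STRIKE.exe",
     r"C:\Users\Admin\AppData\Roaming\Exodus\exodus.wallet\seed.seco"),
    ("reg_query", 4796, r"C:\Users\Admin\AppData\Local\Temp\VALO STRIKE\VALO STRIKE.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B6A3C4E-0000-0000-0000-000000000000}"),
    # Benign look-alikes: the browser reading its own store, an installer walking Uninstall keys.
    ("file_read", 2210, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("reg_query", 3080, r"C:\Windows\System32\msiexec.exe",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B6A3C4E-0000-0000-0000-000000000000}"),
]


def classify(event_type, image, target):
    """Map one event to a stealer-behaviour category, or None if it looks benign."""
    exe = ntpath.basename(image).lower()
    t = target.lower()
    if event_type == "file_read":
        if ntpath.basename(t) in BROWSER_STORE_FILES and exe not in BROWSER_IMAGES:
            return "browser_data"
        if any(marker in t for marker in WALLET_MARKERS):
            return "crypto_wallet"
    elif event_type == "reg_query" and UNINSTALL_KEY.search(target):
        return "software_enum"
    return None


def score_processes(events):
    """Collect the distinct categories (and the hits behind them) observed per PID."""
    per_pid = defaultdict(lambda: {"image": None, "categories": set(), "hits": []})
    for event_type, pid, image, target in events:
        category = classify(event_type, image, target)
        if category is None:
            continue
        rec = per_pid[pid]
        rec["image"] = image
        rec["categories"].add(category)
        rec["hits"].append((category, target))
    return per_pid


def stealer_candidates(events, min_categories=2):
    """PIDs showing at least `min_categories` distinct stealer behaviours, as (pid, exe, categories)."""
    return sorted(
        (pid, ntpath.basename(rec["image"]), sorted(rec["categories"]))
        for pid, rec in score_processes(events).items()
        if len(rec["categories"]) >= min_categories
    )


if __name__ == "__main__":
    for pid, exe, categories in stealer_candidates(SAMPLE_EVENTS):
        print(f"PID {pid} ({exe}): {', '.join(categories)}")
```

The two-category threshold is deliberate: an Uninstall key walk on its own is routine noise from installers and inventory agents, and a browser opening its own Login Data is normal, so neither is worth an alert alone. A non-browser image that reads browser stores and wallet files and enumerates installed software in the same run is the combination the report's signatures describe.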

Processes

  • C:\Users\Admin\AppData\Local\Temp\VALO STRIKE\VALO STRIKE.exe
    "C:\Users\Admin\AppData\Local\Temp\VALO STRIKE\VALO STRIKE.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4796
  • C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\SearchIndexer.exe /Embedding
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Windows\system32\SearchProtocolHost.exe
      "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      2⤵
      • Modifies data under HKEY_USERS
      PID:4676
    • C:\Windows\system32\SearchFilterHost.exe
      "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
      2⤵
      • Modifies data under HKEY_USERS
      PID:5100
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3756
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
    1⤵
    PID:1868
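
In the process list above, depth is encoded by the N⤵ marker: 1⤵ is a top-level process and 2⤵ a child of the nearest preceding 1⤵ entry. Read that way, the only parent/child relationships are SearchIndexer.exe (4156) spawning SearchProtocolHost.exe and SearchFilterHost.exe; the WriteProcessMemory and HKEY_USERS signatures are attached to that indexer subtree, while the sample itself (PID 4796) spawns nothing. The following is an added example, not part of the report, that parses that notation into a parent/child map so the split can be checked mechanically; the embedded text is the page's own list reduced to image path, depth marker and PID, with command lines dropped.

```python
import re

# The report's process list, trimmed to image, depth marker and PID (page data, page notation).
REPORT_PROCESSES = r"""• C:\Users\Admin\AppData\Local\Temp\VALO STRIKE\VALO STRIKE.exe
  1⤵
  PID:4796
• C:\Windows\system32\SearchIndexer.exe
  1⤵
  PID:4156
  • C:\Windows\system32\SearchProtocolHost.exe
    2⤵
    PID:4676
  • C:\Windows\system32\SearchFilterHost.exe
    2⤵
    PID:5100
• C:\Windows\System32\rundll32.exe
  1⤵
  PID:3756
• C:\Windows\system32\svchost.exe
  1⤵
  PID:1868
"""

DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


def parse_process_tree(text):
    """Return {pid: {"image": str, "depth": int, "parent": pid or None}} from Triage-style text.

    A node at depth N is attached to the most recent node seen at depth N-1, which is
    how the indented bullet layout encodes parentage.
    """
    tree, last_at_depth = {}, {}
    image = depth = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("•"):
            image = line.lstrip("• ").strip()
        elif (m := DEPTH_RE.match(line)):
            depth = int(m.group(1))
        elif (m := PID_RE.match(line)):
            pid = int(m.group(1))
            depth = depth or 1  # a bullet without a marker is treated as top-level
            parent = last_at_depth.get(depth - 1) if depth > 1 else None
            tree[pid] = {"image": image, "depth": depth, "parent": parent}
            last_at_depth[depth] = pid
            image = depth = None
    return tree


def children(tree, pid):
    return sorted(p for p, node in tree.items() if node["parent"] == pid)


def descendants(tree, pid):
    """Every PID below `pid`, found by walking the children map."""
    out, stack = [], [pid]
    while stack:
        for child in children(tree, stack.pop()):
            out.append(child)
            stack.append(child)
    return sorted(out)


def roots(tree):
    return sorted(p for p, node in tree.items() if node["parent"] is None)


if __name__ == "__main__":
    t = parse_process_tree(REPORT_PROCESSES)
    for pid in roots(t):
        print(pid, t[pid]["image"], "->", descendants(t, pid))
```

Windows Search activity of this shape (indexer plus its two host processes) and the shell32/fdPHost service starts appear in many sandbox runs regardless of the sample; the parse confirms they are independent root processes here, so none of the behaviour recorded under them should be attributed to VALO STRIKE.exe without further evidence.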

Network

MITRE ATT&CK Enterprise v15

Downloads

  Dump                                                                Filesize
  memory/4156-24-0x000001A985A20000-0x000001A985A30000-memory.dmp     64KB
  memory/4156-40-0x000001A985C50000-0x000001A985C60000-memory.dmp     64KB
  memory/4156-56-0x000001A98A010000-0x000001A98A018000-memory.dmp     32KB
  memory/4796-1-0x0000000077621000-0x0000000077741000-memory.dmp      1.1MB
  memory/4796-0-0x0000000000B30000-0x0000000000BE4000-memory.dmp      720KB
  memory/4796-5-0x0000000074B80000-0x0000000075330000-memory.dmp      7.7MB
  memory/4796-6-0x0000000005640000-0x0000000005BE4000-memory.dmp      5.6MB
  memory/4796-7-0x0000000005130000-0x00000000051C2000-memory.dmp      584KB
  memory/4796-8-0x0000000005290000-0x00000000052A0000-memory.dmp      64KB
  memory/4796-9-0x0000000005120000-0x000000000512A000-memory.dmp      40KB
  memory/4796-10-0x0000000006790000-0x0000000006DA8000-memory.dmp     6.1MB
  memory/4796-11-0x00000000062C0000-0x00000000063CA000-memory.dmp     1.0MB
  memory/4796-12-0x00000000061E0000-0x00000000061F2000-memory.dmp     72KB
  memory/4796-13-0x0000000006240000-0x000000000627C000-memory.dmp     240KB
  memory/4796-14-0x00000000063D0000-0x000000000641C000-memory.dmp     304KB
  memory/4796-15-0x0000000006540000-0x00000000065A6000-memory.dmp     408KB
  memory/4796-16-0x0000000006EB0000-0x0000000006F26000-memory.dmp     472KB
  memory/4796-17-0x0000000006520000-0x000000000653E000-memory.dmp     120KB
  memory/4796-18-0x0000000005290000-0x00000000052A0000-memory.dmp     64KB
  memory/4796-19-0x0000000008680000-0x0000000008842000-memory.dmp     1.8MB
  memory/4796-20-0x0000000008D80000-0x00000000092AC000-memory.dmp     5.2MB
  memory/4796-23-0x0000000074B80000-0x0000000075330000-memory.dmp     7.7MB
  memory/5100-60-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-61-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-62-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-63-0x00000242BAC30000-0x00000242BAC40000-memory.dmp     64KB
  memory/5100-64-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-66-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-67-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-65-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-68-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-69-0x00000242BAC40000-0x00000242BAC41000-memory.dmp     4KB
  memory/5100-70-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-71-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-74-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-75-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-73-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-78-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-79-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-77-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-76-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-72-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-80-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-81-0x00000242BAC60000-0x00000242BAC70000-memory.dmp     64KB
  memory/5100-82-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-83-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-84-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-87-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-86-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-85-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-91-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-90-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-89-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-88-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-98-0x00000242BAC20000-0x00000242BAC30000-memory.dmp     64KB
  memory/5100-99-0x00000242BC320000-0x00000242BC330000-memory.dmp     64KB
  memory/5100-100-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-101-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-106-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-107-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-112-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-113-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-122-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-123-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-124-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-127-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-130-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-135-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-136-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-147-0x00000242BAC40000-0x00000242BAC41000-memory.dmp    4KB
  memory/5100-148-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-149-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-156-0x00000242BAC60000-0x00000242BAC70000-memory.dmp    64KB
  memory/5100-157-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-158-0x00000242BC380000-0x00000242BC390000-memory.dmp    64KB
  memory/5100-161-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-168-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-169-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-170-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-171-0x00000242BC380000-0x00000242BC390000-memory.dmp    64KB
  memory/5100-175-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-177-0x00000242BAC20000-0x00000242BAC30000-memory.dmp    64KB
  memory/5100-176-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-178-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-180-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-179-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-181-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-183-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-184-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-185-0x00000242BC320000-0x00000242BC330000-memory.dmp    64KB
  memory/5100-187-0x00000242BC380000-0x00000242BC390000-memory.dmp    64KB
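
Each dump name encodes the PID, a snapshot index and the virtual address range of the region, so the Filesize column is derivable from the name and can be cross-checked, and the long run of PID 5100 entries is repeated snapshots of a handful of 64KB regions rather than many distinct ones. The following is an added example, not part of the Triage report, that parses the names, recomputes each size using the rounding the report's labels appear to follow (whole KB below 1MB, one-decimal MB at or above it; that convention is an assumption inferred from the table), and collapses repeated regions per PID. The embedded entries are a subset copied from the table above.

```python
import re
from collections import defaultdict

# memory/<pid>-<snapshot index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of (name, Filesize label) rows copied from the report's Downloads table.
REPORT_DUMPS = [
    ("memory/4156-24-0x000001A985A20000-0x000001A985A30000-memory.dmp", "64KB"),
    ("memory/4156-56-0x000001A98A010000-0x000001A98A018000-memory.dmp", "32KB"),
    ("memory/4796-0-0x0000000000B30000-0x0000000000BE4000-memory.dmp", "720KB"),
    ("memory/4796-1-0x0000000077621000-0x0000000077741000-memory.dmp", "1.1MB"),
    ("memory/4796-5-0x0000000074B80000-0x0000000075330000-memory.dmp", "7.7MB"),
    ("memory/4796-6-0x0000000005640000-0x0000000005BE4000-memory.dmp", "5.6MB"),
    ("memory/4796-7-0x0000000005130000-0x00000000051C2000-memory.dmp", "584KB"),
    ("memory/4796-8-0x0000000005290000-0x00000000052A0000-memory.dmp", "64KB"),
    ("memory/4796-18-0x0000000005290000-0x00000000052A0000-memory.dmp", "64KB"),
    ("memory/4796-23-0x0000000074B80000-0x0000000075330000-memory.dmp", "7.7MB"),
    ("memory/5100-60-0x00000242BAC20000-0x00000242BAC30000-memory.dmp", "64KB"),
    ("memory/5100-61-0x00000242BAC20000-0x00000242BAC30000-memory.dmp", "64KB"),
    ("memory/5100-63-0x00000242BAC30000-0x00000242BAC40000-memory.dmp", "64KB"),
    ("memory/5100-69-0x00000242BAC40000-0x00000242BAC41000-memory.dmp", "4KB"),
    ("memory/5100-81-0x00000242BAC60000-0x00000242BAC70000-memory.dmp", "64KB"),
    ("memory/5100-99-0x00000242BC320000-0x00000242BC330000-memory.dmp", "64KB"),
    ("memory/5100-158-0x00000242BC380000-0x00000242BC390000-memory.dmp", "64KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, snapshot index, start, end and size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Triage memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted address range in {name}")
    return {"pid": int(m["pid"]), "index": int(m["idx"]), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Assumed report rounding: whole KB below 1MB, one-decimal MB from 1MB up."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def label_mismatches(entries):
    """Rows whose Filesize label disagrees with the size implied by the address range."""
    bad = []
    for name, label in entries:
        computed = human_size(parse_dump_name(name)["size"])
        if computed != label:
            bad.append((name, label, computed))
    return bad


def unique_regions(names):
    """{pid: {(start, end): [snapshot indices]}} so repeated dumps of one region collapse."""
    regions = defaultdict(lambda: defaultdict(list))
    for name in names:
        d = parse_dump_name(name)
        regions[d["pid"]][(d["start"], d["end"])].append(d["index"])
    return regions


def largest_regions(names, limit=3):
    """Distinct regions across all PIDs, largest first: the first dumps worth retrieving."""
    seen, out = set(), []
    for name in names:
        d = parse_dump_name(name)
        key = (d["pid"], d["start"], d["end"])
        if key not in seen:
            seen.add(key)
            out.append((d["pid"], d["start"], d["end"], d["size"]))
    return sorted(out, key=lambda r: r[3], reverse=True)[:limit]


if __name__ == "__main__":
    names = [n for n, _ in REPORT_DUMPS]
    print("label mismatches:", label_mismatches(REPORT_DUMPS))
    for pid, regions in unique_regions(names).items():
        print(f"PID {pid}: {len(regions)} distinct regions across {sum(len(v) for v in regions.values())} dumps")
    for pid, start, end, size in largest_regions(names):
        print(f"PID {pid} {start:#x}-{end:#x} {human_size(size)}")
```

When pulling dumps for static work, take one per distinct region and start with the sample's own process (4796); the 4156 and 5100 entries are small regions from the Windows Search processes, dumped repeatedly across snapshots, and add nothing about the sample.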