Analysis

  • max time kernel
    26s
  • max time network
    27s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/04/2024, 18:52

General

  • Target

    cheat.exe

  • Size

    567KB

  • MD5

    a0a7866d57bf5cf681e7af17b7ba4721

  • SHA1

    d728374e635b90ba2d3ae81d4f00065edd3453aa

  • SHA256

    1fbffb08b053442e0e1288de6b06025c03566d17fbb410ce409808b25840c477

  • SHA512

    9c057c965a05e0e4cf1ee7d466d6b7add7e650979806766e72db77c7351d1af2e7ec9f7e9eaeee43672856a4b566ee53c4838622487597cbf5d5420ea1bb8185

  • SSDEEP

    12288:37k30x7rHIJJoiP6yezrOFYjOoIj6gGxoYRpNvKPnhLe:3z4xPvorOAeTwyJ

Malware Config

Signatures

  • Detect ZGRat V1 (5 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (5 IoCs)
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (15 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (12 IoCs)
  • Suspicious use of FindShellTrayWindow (41 IoCs)
  • Suspicious use of SendNotifyMessage (41 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      PID:2156
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2448
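The tree above is the pattern commodity .NET loaders use to hide a payload: the sample from the user's Temp directory, flagged for SetThreadContext and WriteProcessMemory, starts the signed framework utility RegAsm.exe twice with no arguments, and the second copy (PID 2172) is the one carrying the RedLine/ZGRat indicators. The rule below turns that into a triage check over process records. It is an added example, not the sandbox's own rule engine; the Proc records are constructed from this report's tree, and the field names, the host list and the path markers are this example's assumptions.

```python
"""Triage rule for the process tree above: a signed .NET framework host
(RegAsm.exe) started with an empty command line by a parent that runs
from a user-writable path and shows SetThreadContext/WriteProcessMemory.

Added example, not the sandbox's own rule engine. The Proc records are
constructed from the tree in this report; the field names and the host
list are this example's assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import ntpath


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int] = None
    sigs: FrozenSet[str] = frozenset()


# Constructed from the report's process tree (PIDs, paths and signatures as shown).
EVENTS: List[Proc] = [
    Proc(2928, r"C:\Users\Admin\AppData\Local\Temp\cheat.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\cheat.exe"',
         None, frozenset({"SetThreadContext", "WriteProcessMemory"})),
    Proc(2156, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"', 2928),
    Proc(2172, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
         r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
         2928, frozenset({"AdjustPrivilegeToken"})),
    Proc(2448, r"C:\Windows\system32\taskmgr.exe",
         r'"C:\Windows\system32\taskmgr.exe" /4',
         None, frozenset({"EnumeratesProcesses", "AdjustPrivilegeToken"})),
]

# .NET framework utilities that commodity loaders commonly hollow (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}
INJECTION_APIS = frozenset({"SetThreadContext", "WriteProcessMemory"})
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def has_no_arguments(cmdline: str, image: str) -> bool:
    """True when the command line is only the image path, quoted or not."""
    return cmdline.strip().strip('"').lower() == image.lower()


def hollowing_candidates(events: List[Proc]) -> List[Tuple[int, int, List[str]]]:
    """Return (child_pid, parent_pid, reasons) for every suspicious host spawn."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid) if child.ppid is not None else None
        if parent is None:
            continue
        host = ntpath.basename(child.image).lower()
        if host not in DOTNET_HOSTS or not has_no_arguments(child.cmdline, child.image):
            continue
        reasons = [f"{host} started with an empty command line"]
        if INJECTION_APIS <= parent.sigs:
            reasons.append("parent shows SetThreadContext + WriteProcessMemory")
        if any(marker in parent.image.lower() for marker in USER_WRITABLE):
            reasons.append("parent runs from a user-writable path")
        # An argument-less RegAsm.exe on its own is weak evidence; require corroboration.
        if len(reasons) >= 2:
            hits.append((child.pid, parent.pid, reasons))
    return hits


if __name__ == "__main__":
    for child_pid, parent_pid, why in hollowing_candidates(EVENTS):
        print(f"PID {child_pid} (parent {parent_pid}): " + "; ".join(why))
```

Both RegAsm.exe children are flagged and taskmgr.exe is not. The first RegAsm.exe (PID 2156) carries no behavioural signatures in the report, so the spawn pattern alone is what catches it; in a real pipeline the same three conditions map onto Sysmon event 1 (parent image, command line) plus event 8/10-style API telemetry.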

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Tmp1778.tmp

    Filesize

    2KB

    MD5

    1420d30f964eac2c85b2ccfe968eebce

    SHA1

    bdf9a6876578a3e38079c4f8cf5d6c79687ad750

    SHA256

    f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

    SHA512

    6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

  • memory/2172-8-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2172-10-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2172-5-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2172-13-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2172-7-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2172-15-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2172-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2172-4-0x0000000000400000-0x0000000000490000-memory.dmp

    Filesize

    576KB

  • memory/2448-30-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2448-31-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2928-1-0x00000000742C0000-0x00000000749AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2928-6-0x00000000023A0000-0x00000000043A0000-memory.dmp

    Filesize

    32.0MB

  • memory/2928-16-0x00000000742C0000-0x00000000749AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2928-0-0x0000000000F00000-0x0000000000F94000-memory.dmp

    Filesize

    592KB
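The seven dumps of RegAsm.exe (PID 2172) all cover 0x400000-0x490000, which is 0x90000 bytes, the 576KB the report shows. What an analyst wants to confirm from such a dump is that the region holds a complete PE image whose ImageBase and SizeOfImage match the region exactly, and whether that image is managed (has a CLR header), which is what a C# stealer leaves behind in a hollowed host. The script below does that check and parses the report's dump naming pattern to get the region bounds. It is an added example, not the sandbox's tooling; the dump bytes are constructed here because the real dump is not on the page, and only the file names follow the report's memory/<pid>-<n>-<start>-<end>-memory.dmp convention.

```python
"""Check whether a dumped region is a fully mapped PE image.

Added example, not the sandbox's tooling. The dump bytes are constructed
(the real dump is not on the page); the file names follow the report's
memory/<pid>-<n>-<start>-<end>-memory.dmp pattern.
"""
import re
import struct
from typing import Dict, Optional, Tuple

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<tag>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name: str) -> Tuple[int, int, int, int]:
    """Return (pid, dump tag, region start, region end) from a dump file name."""
    m = DUMP_NAME.search(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    return int(m["pid"]), int(m["tag"]), int(m["start"], 16), int(m["end"], 16)


def pe_info(data: bytes) -> Optional[Dict[str, int]]:
    """Minimal PE32/PE32+ header parse; None when the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    if opt + opt_size > len(data) or opt_size < 60:
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:                    # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        return None
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    clr_rva = clr_size = 0
    if dirs - opt + 15 * 8 <= opt_size:     # data directory 14 = CLR runtime header
        clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return {"image_base": image_base, "size_of_image": size_of_image,
            "pe32plus": int(magic == 0x20B), "clr_rva": clr_rva, "clr_size": clr_size}


def assess(name: str, data: bytes) -> Dict[str, object]:
    """Combine the region bounds from the name with the PE header found in the bytes."""
    pid, tag, start, end = parse_dump_name(name)
    region = end - start
    info = pe_info(data)
    return {
        "pid": pid, "tag": tag, "region_start": start, "region_size": region,
        "pe": info,
        # A complete image mapped at its preferred base, filling the region exactly.
        "mapped_image": bool(info and info["image_base"] == start
                             and info["size_of_image"] == region),
        "managed": bool(info and info["clr_size"]),
    }


def build_pe32_image(image_base: int, size_of_image: int, managed: bool) -> bytes:
    """Constructed fixture: DOS stub, PE signature, COFF and PE32 optional header, zero-padded."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = bytearray(224)                                    # PE32 optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                 # SectionAlignment
    struct.pack_into("<I", opt, 56, size_of_image)          # SizeOfImage
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # CLR header RVA/size (assumed values)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return (dos + b"PE\0\0" + coff + bytes(opt)).ljust(size_of_image, b"\0")


# Constructed stand-ins for two of the report's dumps.
PAYLOAD_DUMP = "memory/2172-8-0x0000000000400000-0x0000000000490000-memory.dmp"
PAYLOAD_BYTES = build_pe32_image(0x400000, 0x90000, managed=True)
SMALL_DUMP = "memory/2172-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp"
SMALL_BYTES = bytes(0x1000)

if __name__ == "__main__":
    for name, blob in ((PAYLOAD_DUMP, PAYLOAD_BYTES), (SMALL_DUMP, SMALL_BYTES)):
        v = assess(name, blob)
        print(f"{name}: {v['region_size'] // 1024}KB "
              f"mapped_image={v['mapped_image']} managed={v['managed']}")
```

Run against the real dumps, a positive "mapped_image" result on the 0x400000 region is the artifact to carve and hash for YARA or for a second-stage analysis, while the 4KB region at 0x7EFDE000 is expected to fail the MZ check. The region-size check matters because a partial or re-based write would not line up with SizeOfImage, and that mismatch is the first hint that the dump is not a clean image.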