Analysis
- max time kernel: 26s
- max time network: 27s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10/04/2024, 18:52
Static task: static1
Behavioral task: behavioral1
- Sample: cheat.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: cheat.exe
- Resource: win10v2004-20240226-en
General
- Target: cheat.exe
- Size: 567KB
- MD5: a0a7866d57bf5cf681e7af17b7ba4721
- SHA1: d728374e635b90ba2d3ae81d4f00065edd3453aa
- SHA256: 1fbffb08b053442e0e1288de6b06025c03566d17fbb410ce409808b25840c477
- SHA512: 9c057c965a05e0e4cf1ee7d466d6b7add7e650979806766e72db77c7351d1af2e7ec9f7e9eaeee43672856a4b566ee53c4838622487597cbf5d5420ea1bb8185
- SSDEEP: 12288:37k30x7rHIJJoiP6yezrOFYjOoIj6gGxoYRpNvKPnhLe:3z4xPvorOAeTwyJ
Malware Config
Signatures
- Detect ZGRat V1 (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2172-7-0x0000000000400000-0x0000000000490000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2172-8-0x0000000000400000-0x0000000000490000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2172-10-0x0000000000400000-0x0000000000490000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2172-15-0x0000000000400000-0x0000000000490000-memory.dmp | family_zgrat_v1
  behavioral1/memory/2172-13-0x0000000000400000-0x0000000000490000-memory.dmp | family_zgrat_v1
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (5 IoCs)
  resource | yara_rule
  behavioral1/memory/2172-7-0x0000000000400000-0x0000000000490000-memory.dmp | family_redline
  behavioral1/memory/2172-8-0x0000000000400000-0x0000000000490000-memory.dmp | family_redline
  behavioral1/memory/2172-10-0x0000000000400000-0x0000000000490000-memory.dmp | family_redline
  behavioral1/memory/2172-15-0x0000000000400000-0x0000000000490000-memory.dmp | family_redline
  behavioral1/memory/2172-13-0x0000000000400000-0x0000000000490000-memory.dmp | family_redline
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2928 set thread context of 2172 | 2928 | cheat.exe | 30
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies system certificate store
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | RegAsm.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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 | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid | Process
  2448 | taskmgr.exe (15 identical entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2448 | taskmgr.exe
- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2172 | RegAsm.exe
  Token: SeBackupPrivilege | 2172 | RegAsm.exe
  Token: SeSecurityPrivilege | 2172 | RegAsm.exe
  Token: SeSecurityPrivilege | 2172 | RegAsm.exe
  Token: SeSecurityPrivilege | 2172 | RegAsm.exe
  Token: SeSecurityPrivilege | 2172 | RegAsm.exe
  Token: SeDebugPrivilege | 2448 | taskmgr.exe
  Token: SeBackupPrivilege | 2172 | RegAsm.exe
  Token: SeSecurityPrivilege | 2172 | RegAsm.exe
  Token: SeSecurityPrivilege | 2172 | RegAsm.exe
  Token: SeSecurityPrivilege | 2172 | RegAsm.exe
  Token: SeSecurityPrivilege | 2172 | RegAsm.exe
- Suspicious use of FindShellTrayWindow (41 IoCs)
  pid | Process
  2448 | taskmgr.exe (41 identical entries)
- Suspicious use of SendNotifyMessage (41 IoCs)
  pid | Process
  2448 | taskmgr.exe (41 identical entries)
- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 2928 wrote to memory of 2156 | 2928 | cheat.exe | 29 (7 identical entries)
  PID 2928 wrote to memory of 2172 | 2928 | cheat.exe | 30 (12 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\cheat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
  PID: 2928
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2156
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 2172
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2448
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 1420d30f964eac2c85b2ccfe968eebce
  SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
  SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
  SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8