Analysis

  • max time kernel: 149s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 10/04/2024, 18:52

General

  • Target: cheat.exe
  • Size: 567KB
  • MD5: a0a7866d57bf5cf681e7af17b7ba4721
  • SHA1: d728374e635b90ba2d3ae81d4f00065edd3453aa
  • SHA256: 1fbffb08b053442e0e1288de6b06025c03566d17fbb410ce409808b25840c477
  • SHA512: 9c057c965a05e0e4cf1ee7d466d6b7add7e650979806766e72db77c7351d1af2e7ec9f7e9eaeee43672856a4b566ee53c4838622487597cbf5d5420ea1bb8185
  • SSDEEP: 12288:37k30x7rHIJJoiP6yezrOFYjOoIj6gGxoYRpNvKPnhLe:3z4xPvorOAeTwyJ

Malware Config

Signatures

  • Detect ZGRat V1 (1 IoC)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (1 IoC)
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (44 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:3984
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1276
  • C:\Windows\System32\2rnllz.exe
    "C:\Windows\System32\2rnllz.exe"
    1⤵
    PID:716
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1212

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Tmp4AC4.tmp
    Filesize: 2KB
    MD5: 1420d30f964eac2c85b2ccfe968eebce
    SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
    SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
    SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-275798769-4264537674-1142822080-1000\c6a5c8f2ee63bfd52af69814c94ad277_8a5f3b39-6e68-4fc5-bbb1-a0dd77d899e9
    Filesize: 2KB
    MD5: 0158fe9cead91d1b027b795984737614
    SHA1: b41a11f909a7bdf1115088790a5680ac4e23031b
    SHA256: 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
    SHA512: c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

  • C:\Users\Public\Desktop\Google Chrome.lnk
    Filesize: 2KB
    MD5: d47577c76235caa0d2334752ff9cf5a5
    SHA1: 2d33470ef846bb21c0770e48fc500c42fdcf32f5
    SHA256: 9893f40fa36f889a9cd24a04f9f71e062c9d85d75d280ecd5a9e2ceed836b614
    SHA512: 35b3ef74b03795e6bcd06f13baab0cc9e88ade6186291dde43ab392dabf165c338969ec5aa8ceb3bc1f884a9520b6c4cf606dea665fdc7bf01d8a59e254838d5

  • C:\Users\Public\Desktop\Microsoft Edge.lnk
    Filesize: 2KB
    MD5: f33a1e232cd3c3964a6e58fd81596890
    SHA1: 6137286851f786d608404671691ec53a90998aa2
    SHA256: e42f417d791116784806634a5fd9dbe0b6e79eba14f49e6e102520b69cc426a2
    SHA512: 5268075741346742a732d2b888393d9aed70bcd51bb1004b8f852eab9615b5adc45d0c7227ce5f9c26fa8fbdcef39b0a9477dc8994d3836435f95d2b0133fa1f

  • memory/840-0-0x0000000000420000-0x00000000004B4000-memory.dmp (Filesize: 592KB)
  • memory/840-7-0x00000000752C0000-0x0000000075A70000-memory.dmp (Filesize: 7.7MB)
  • memory/840-8-0x00000000028A0000-0x00000000048A0000-memory.dmp (Filesize: 32.0MB)
  • memory/840-39-0x00000000028A0000-0x00000000048A0000-memory.dmp (Filesize: 32.0MB)
  • memory/840-1-0x00000000752C0000-0x0000000075A70000-memory.dmp (Filesize: 7.7MB)
  • memory/3984-37-0x00000000091C0000-0x00000000091FC000-memory.dmp (Filesize: 240KB)
  • memory/3984-12-0x0000000005A20000-0x0000000005A30000-memory.dmp (Filesize: 64KB)
  • memory/3984-30-0x00000000084D0000-0x0000000008546000-memory.dmp (Filesize: 472KB)
  • memory/3984-31-0x0000000008C90000-0x0000000008CAE000-memory.dmp (Filesize: 120KB)
  • memory/3984-34-0x0000000009620000-0x0000000009C38000-memory.dmp (Filesize: 6.1MB)
  • memory/3984-35-0x0000000009230000-0x000000000933A000-memory.dmp (Filesize: 1.0MB)
  • memory/3984-36-0x0000000009160000-0x0000000009172000-memory.dmp (Filesize: 72KB)
  • memory/3984-10-0x0000000005D40000-0x00000000062E4000-memory.dmp (Filesize: 5.6MB)
  • memory/3984-38-0x0000000009340000-0x000000000938C000-memory.dmp (Filesize: 304KB)
  • memory/3984-11-0x0000000005790000-0x0000000005822000-memory.dmp (Filesize: 584KB)
  • memory/3984-40-0x0000000074F80000-0x0000000075730000-memory.dmp (Filesize: 7.7MB)
  • memory/3984-41-0x0000000005A20000-0x0000000005A30000-memory.dmp (Filesize: 64KB)
  • memory/3984-4-0x0000000000400000-0x0000000000490000-memory.dmp (Filesize: 576KB)
  • memory/3984-13-0x0000000005920000-0x000000000592A000-memory.dmp (Filesize: 40KB)
  • memory/3984-9-0x0000000074F80000-0x0000000075730000-memory.dmp (Filesize: 7.7MB)
  • memory/3988-66-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-72-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-73-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-74-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-75-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-76-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-77-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-71-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-67-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)
  • memory/3988-65-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp (Filesize: 4KB)