Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/04/2024, 18:52
Static task: static1
Behavioral task: behavioral1
  Sample: cheat.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: cheat.exe
  Resource: win10v2004-20240226-en
General
Target: cheat.exe
Size: 567KB
MD5: a0a7866d57bf5cf681e7af17b7ba4721
SHA1: d728374e635b90ba2d3ae81d4f00065edd3453aa
SHA256: 1fbffb08b053442e0e1288de6b06025c03566d17fbb410ce409808b25840c477
SHA512: 9c057c965a05e0e4cf1ee7d466d6b7add7e650979806766e72db77c7351d1af2e7ec9f7e9eaeee43672856a4b566ee53c4838622487597cbf5d5420ea1bb8185
SSDEEP: 12288:37k30x7rHIJJoiP6yezrOFYjOoIj6gGxoYRpNvKPnhLe:3z4xPvorOAeTwyJ
Malware Config
Signatures
Detect ZGRat V1 1 IoCs
resource | yara_rule
behavioral2/memory/3984-4-0x0000000000400000-0x0000000000490000-memory.dmp | family_zgrat_v1
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
resource | yara_rule
behavioral2/memory/3984-4-0x0000000000400000-0x0000000000490000-memory.dmp | family_redline
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 840 set thread context of 3984 | 840 | cheat.exe | 85
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | taskmgr.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (blob value not present in this extraction) | RegAsm.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3988 | taskmgr.exe (the same entry appears 64 times)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3988 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken 44 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3984 | RegAsm.exe
Token: SeBackupPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeBackupPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeDebugPrivilege | 3988 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3988 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3988 | taskmgr.exe
Token: SeBackupPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeBackupPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeBackupPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeBackupPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: 33 | 3988 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3988 | taskmgr.exe
Token: SeBackupPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeSecurityPrivilege | 3984 | RegAsm.exe
Token: SeDebugPrivilege | 1212 | taskmgr.exe
Token: SeSystemProfilePrivilege | 1212 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 1212 | taskmgr.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3988 | taskmgr.exe (the same entry appears 64 times)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
3988 | taskmgr.exe (the same entry appears 64 times)
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 840 wrote to memory of 3984 | 840 | cheat.exe | 85 (the same entry appears 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\cheat.exe (command line: "C:\Users\Admin\AppData\Local\Temp\cheat.exe"), PID:840
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - child process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"), PID:3984
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe (command line: "C:\Windows\system32\taskmgr.exe" /4), PID:3988
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- C:\Windows\System32\rundll32.exe (command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding), PID:1276
- C:\Windows\System32\2rnllz.exe (command line: "C:\Windows\System32\2rnllz.exe"), PID:716
- C:\Windows\system32\taskmgr.exe (command line: "C:\Windows\system32\taskmgr.exe" /4), PID:1212
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads