Analysis Overview
SHA256
aea3469657d7988e965713c2dd43a5c747ca7c108bc776182ae45c5931d67915
Threat Level: Known bad
The file cheat.zip was found to be: Known bad.
Malicious Activity Summary
ZGRat
RedLine payload
Detect ZGRat V1
RedLine
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of SendNotifyMessage
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-10 18:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-10 18:52
Reported
2024-04-10 18:52
Platform
win7-20240221-en
Max time kernel
26s
Max time network
27s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2928 set thread context of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\cheat.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (value omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.47.32:2329 | | tcp |
| RU | 147.45.47.32:2329 | | tcp |
Files
memory/2928-1-0x00000000742C0000-0x00000000749AE000-memory.dmp
memory/2928-0-0x0000000000F00000-0x0000000000F94000-memory.dmp
memory/2172-4-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2172-5-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2928-6-0x00000000023A0000-0x00000000043A0000-memory.dmp
memory/2172-7-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2172-8-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2172-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2172-10-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2172-15-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2172-13-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2928-16-0x00000000742C0000-0x00000000749AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp1778.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/2448-30-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2448-31-0x0000000140000000-0x00000001405E8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-10 18:52
Reported
2024-04-10 18:54
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 840 set thread context of 3984 | N/A | C:\Users\Admin\AppData\Local\Temp\cheat.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings | C:\Windows\system32\taskmgr.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = (value omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cheat.exe
"C:\Users\Admin\AppData\Local\Temp\cheat.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\2rnllz.exe
"C:\Windows\System32\2rnllz.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| RU | 147.45.47.32:2329 | | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| RU | 147.45.47.32:2329 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| RU | 147.45.47.32:2329 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| RU | 147.45.47.32:2329 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 147.45.47.32:2329 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| RU | 147.45.47.32:2329 | | tcp |
| RU | 147.45.47.32:2329 | | tcp |
Files
memory/840-1-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/840-0-0x0000000000420000-0x00000000004B4000-memory.dmp
memory/3984-4-0x0000000000400000-0x0000000000490000-memory.dmp
memory/840-7-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/840-8-0x00000000028A0000-0x00000000048A0000-memory.dmp
memory/3984-9-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/3984-10-0x0000000005D40000-0x00000000062E4000-memory.dmp
memory/3984-11-0x0000000005790000-0x0000000005822000-memory.dmp
memory/3984-12-0x0000000005A20000-0x0000000005A30000-memory.dmp
memory/3984-13-0x0000000005920000-0x000000000592A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp4AC4.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/3984-30-0x00000000084D0000-0x0000000008546000-memory.dmp
memory/3984-31-0x0000000008C90000-0x0000000008CAE000-memory.dmp
memory/3984-34-0x0000000009620000-0x0000000009C38000-memory.dmp
memory/3984-35-0x0000000009230000-0x000000000933A000-memory.dmp
memory/3984-36-0x0000000009160000-0x0000000009172000-memory.dmp
memory/3984-37-0x00000000091C0000-0x00000000091FC000-memory.dmp
memory/3984-38-0x0000000009340000-0x000000000938C000-memory.dmp
memory/840-39-0x00000000028A0000-0x00000000048A0000-memory.dmp
memory/3984-40-0x0000000074F80000-0x0000000075730000-memory.dmp
memory/3984-41-0x0000000005A20000-0x0000000005A30000-memory.dmp
memory/3988-65-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-66-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-67-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-71-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-72-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-73-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-74-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-75-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-76-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
memory/3988-77-0x0000020DBADD0000-0x0000020DBADD1000-memory.dmp
C:\Users\Public\Desktop\Microsoft Edge.lnk
| MD5 | f33a1e232cd3c3964a6e58fd81596890 |
| SHA1 | 6137286851f786d608404671691ec53a90998aa2 |
| SHA256 | e42f417d791116784806634a5fd9dbe0b6e79eba14f49e6e102520b69cc426a2 |
| SHA512 | 5268075741346742a732d2b888393d9aed70bcd51bb1004b8f852eab9615b5adc45d0c7227ce5f9c26fa8fbdcef39b0a9477dc8994d3836435f95d2b0133fa1f |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | d47577c76235caa0d2334752ff9cf5a5 |
| SHA1 | 2d33470ef846bb21c0770e48fc500c42fdcf32f5 |
| SHA256 | 9893f40fa36f889a9cd24a04f9f71e062c9d85d75d280ecd5a9e2ceed836b614 |
| SHA512 | 35b3ef74b03795e6bcd06f13baab0cc9e88ade6186291dde43ab392dabf165c338969ec5aa8ceb3bc1f884a9520b6c4cf606dea665fdc7bf01d8a59e254838d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-275798769-4264537674-1142822080-1000\c6a5c8f2ee63bfd52af69814c94ad277_8a5f3b39-6e68-4fc5-bbb1-a0dd77d899e9
| MD5 | 0158fe9cead91d1b027b795984737614 |
| SHA1 | b41a11f909a7bdf1115088790a5680ac4e23031b |
| SHA256 | 513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a |
| SHA512 | c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676 |