Overview

overview

10

Static

static

3

02a69fcddc...4b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02a69fcddc0e6a0b5febbcc68901d62d7f82e4fcf0a3bcb5355fc802c041954b.exe

  • Size

    1.1MB

  • MD5

    18365955fc5cf54859360be58dfb13cb

  • SHA1

    743003a6bc293b9da446d6f8d69e1e61d54b751d

  • SHA256

    02a69fcddc0e6a0b5febbcc68901d62d7f82e4fcf0a3bcb5355fc802c041954b

  • SHA512

    f1473fc3131a4239b7632bee17df41c5f7b8d3254a0095f318bdf7487701c3daa4452b8b2f3eb594efe312e3bb7e0538ce196d4094a24c89f817d7f430b35c40

  • SSDEEP

    24576:+yxNAnwVU/LYfbpXf4+6fxgxDNXjbYtb0YUU+XSfY:NrAAGLYjpw+UxgLXjbS0YzIS

Score
10/10
healerredlinezgratdropperevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • Detect ZGRat V1 16 IoCs
  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 16 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
  • Detects executables packed with ConfuserEx Mod 16 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02a69fcddc0e6a0b5febbcc68901d62d7f82e4fcf0a3bcb5355fc802c041954b.exe
    "C:\Users\Admin\AppData\Local\Temp\02a69fcddc0e6a0b5febbcc68901d62d7f82e4fcf0a3bcb5355fc802c041954b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un261859.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un261859.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un904329.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un904329.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4972
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr252586.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr252586.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2728
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 1092
            5⤵
            • Program crash
            PID:5156
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu859873.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu859873.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:6032
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2728 -ip 2728
      1⤵
        PID:4004

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un261859.exe
        Filesize

        763KB

        MD5

        9e76a180da41377ab75e93350967e049

        SHA1

        89e6c5efffcea5bab047883f3deb36fc94ab2429

        SHA256

        1bcad8177412715d4fdf7dad1c68633486443dd530e237a304727286b519ad9d

        SHA512

        6c3649d9fc832568a1593a026e72c681de1bd32f596a81702726a443737acb615097d57c79834cbcee6dc0d316fb31630c05f5336215e9b5d5b26d04ac4326b7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un904329.exe
        Filesize

        609KB

        MD5

        5ee329d93dabba4aae89648096149013

        SHA1

        ced4d20f147a1fab72b13b70f82b7130054a80d6

        SHA256

        feeb693f6434349f72d197ae47b66d6ec69dfd354e71aec283c0ed336a8ca2c7

        SHA512

        347b72589ca956cbadfc8eaaf2360ad3cdf41089d9355928a584dcc0e70e6bfc0174b55ce7f7eb1cca15b88287a03927b886f72463880e169a8c9da6eeac7966

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr252586.exe
        Filesize

        403KB

        MD5

        0d90b48be53630af10f2216c2e3d693d

        SHA1

        b4fb895a9cbe96da29a79e9a75f0ca7e06be83c4

        SHA256

        cf61600f64b1944567d683c172a9e858f5cfb4365d71e81f94a961f092f439e2

        SHA512

        3e9915837d6799b6201cc95fbc7773980a7c7cb25655ecfa438d47905a3a1402de8e1b91ad2d07262501399d84f76d78bf874e0ab3590cdfc710ec950218b191

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu859873.exe
        Filesize

        486KB

        MD5

        ac91da3bced0c29f9f27dcfab86535cf

        SHA1

        60e1c9dd592c401dbe62cb9e881c9c63a371cc20

        SHA256

        3780198898eb1320d9c01f97e54d664a0e5a1558270b7e43e92be4729f44e8be

        SHA512

        4572aa47418d30df5e0ffc794ada4134a39499e724a068290a57539462fbfdafc6b0c79d359ffb642d77f493d4d6f3b40feb3455d1707691230a192a0e6d7fd7

        Download Submit

      • memory/2728-22-0x0000000000950000-0x0000000000A50000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2728-23-0x0000000002330000-0x000000000235D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2728-24-0x0000000000400000-0x000000000080A000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2728-25-0x0000000000400000-0x000000000080A000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2728-26-0x00000000743D0000-0x0000000074B80000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2728-27-0x0000000000950000-0x0000000000A50000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2728-29-0x0000000002330000-0x000000000235D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2728-30-0x0000000004F10000-0x0000000004F20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2728-31-0x0000000002810000-0x000000000282A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2728-32-0x0000000004F10000-0x0000000004F20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2728-34-0x0000000004F20000-0x00000000054C4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2728-35-0x0000000004EE0000-0x0000000004EF8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2728-36-0x00000000743D0000-0x0000000074B80000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2728-38-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-39-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-41-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-43-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-45-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-47-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-49-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-51-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-53-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-55-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-57-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-59-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-61-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-63-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-65-0x0000000004EE0000-0x0000000004EF2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2728-66-0x0000000004F10000-0x0000000004F20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2728-68-0x0000000004F10000-0x0000000004F20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2728-70-0x0000000000400000-0x000000000080A000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2728-74-0x00000000743D0000-0x0000000074B80000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/6032-79-0x00000000009C0000-0x0000000000AC0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/6032-80-0x00000000024A0000-0x00000000024E6000-memory.dmp

        Filesize

        280KB

        Download

      • memory/6032-81-0x0000000000400000-0x000000000081E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/6032-82-0x0000000002600000-0x000000000263C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/6032-83-0x00000000743D0000-0x0000000074B80000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/6032-86-0x00000000053C0000-0x00000000053FA000-memory.dmp

        Filesize

        232KB

        Download

      • memory/6032-84-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/6032-85-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/6032-87-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/6032-88-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-89-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-93-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-91-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-95-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-97-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-101-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-99-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-105-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-103-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-107-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-109-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-111-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-113-0x00000000053C0000-0x00000000053F5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/6032-880-0x00000000078E0000-0x0000000007EF8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/6032-881-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/6032-882-0x0000000007FC0000-0x00000000080CA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/6032-884-0x00000000009C0000-0x0000000000AC0000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/6032-885-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/6032-886-0x0000000000400000-0x000000000081E000-memory.dmp

        Filesize

        4.1MB

        Download

      • memory/6032-887-0x00000000743D0000-0x0000000074B80000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/6032-889-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/6032-890-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/6032-891-0x00000000080E0000-0x000000000811C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/6032-892-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/6032-894-0x00000000054E0000-0x000000000552C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/6032-896-0x00000000028D0000-0x00000000028E0000-memory.dmp

        Filesize

        64KB

        Download