Malware Analysis Report

2024-10-16 03:50

Sample ID 240421-2g23esce2x
Target 660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec
SHA256 660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec
Tags
healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec

Threat Level: Known bad

The file 660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec was found to be: Known bad.

Malicious Activity Summary

healer redline zgrat dropper evasion infostealer persistence rat trojan

RedLine

Healer

RedLine payload

ZGRat

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Detect ZGRat V1

Detects executables packed with ConfuserEx Mod

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-21 22:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-21 22:34

Reported

2024-04-21 22:36

Platform

win10v2004-20240412-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables packed with ConfuserEx Mod

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1516 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe
PID 1516 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe
PID 1516 wrote to memory of 4444 | N/A | C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe
PID 4444 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe
PID 4444 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe
PID 4444 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe
PID 4444 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe
PID 4444 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe
PID 4444 wrote to memory of 1496 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe

Processes

C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe

"C:\Users\Admin\AppData\Local\Temp\660cd93864059f23653b20035ddf65ca8ab2a6b7955845956e3ac0bdbbcd28ec.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 880 -ip 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
RU | 185.161.248.152:38452 | | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
RU | 185.161.248.152:38452 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
RU | 185.161.248.152:38452 | | tcp
RU | 185.161.248.152:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un606167.exe

MD5 b29d673ce1bb3eb24787709a2074e8fd
SHA1 92307ca2dc5f538162368381583f64f403fea29d
SHA256 2aa314b524e754edb0bd84fb3907353f6b18c1286e8d605c83b37e9080052d4f
SHA512 3a2ea68b827daf1972c9955c0205f4214168849f84202752e4acc74bdaf51b7eaad4f3fc73f68bbab700db06b6ea76fae25c6ad382aff9e244f418291421ff32

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr481470.exe

MD5 079b082230b86057c1003d6802d5d375
SHA1 f59fb36c9bdc3d6a3b1ca10554c414f58d12d05d
SHA256 5cfb45177f2571c9467a416fa58e4d56ba18c300c693cbe8a6c248be738298c0
SHA512 9e4a7d847e9e4bf142140f2e763d84463f762c399d2578261ede93e8562b251303167c9a2894e934698e8b71fd64bd3a4e1617d6302dd8f6084885f3b9281606

memory/880-15-0x0000000000980000-0x0000000000A80000-memory.dmp

memory/880-16-0x0000000000A80000-0x0000000000AAD000-memory.dmp

memory/880-17-0x0000000000400000-0x000000000080A000-memory.dmp

memory/880-19-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/880-18-0x0000000002730000-0x000000000274A000-memory.dmp

memory/880-20-0x0000000002810000-0x0000000002820000-memory.dmp

memory/880-21-0x0000000002810000-0x0000000002820000-memory.dmp

memory/880-22-0x0000000004E30000-0x00000000053D4000-memory.dmp

memory/880-23-0x00000000027B0000-0x00000000027C8000-memory.dmp

memory/880-25-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-24-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-27-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-29-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-31-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-35-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-37-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-33-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-49-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-47-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-45-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-43-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-41-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-51-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-39-0x00000000027B0000-0x00000000027C2000-memory.dmp

memory/880-54-0x0000000000400000-0x000000000080A000-memory.dmp

memory/880-55-0x0000000074820000-0x0000000074FD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu272517.exe

MD5 253b2ec97923381ce443a170f4df792d
SHA1 4290ccbc39a14c9615e1167cd84e20676652ef25
SHA256 c11fcc608ebd3e568c203b0a5610075a3056273908f812de1a776c282e8c35be
SHA512 9364ec8bd1819d8016374d41ea5d272bd255eee5316c3c9c7a0c300101dfb42a236ece1aef38c18601b3ebf9b7f916499b53233e23903324829cbb3ccb7cf9b0

memory/1496-61-0x0000000002860000-0x000000000289C000-memory.dmp

memory/1496-60-0x0000000000820000-0x0000000000920000-memory.dmp

memory/1496-62-0x0000000000B90000-0x0000000000BD6000-memory.dmp

memory/1496-63-0x0000000000400000-0x000000000081E000-memory.dmp

memory/1496-65-0x00000000028C0000-0x00000000028D0000-memory.dmp

memory/1496-66-0x00000000028C0000-0x00000000028D0000-memory.dmp

memory/1496-68-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-71-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-67-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-64-0x0000000005410000-0x000000000544A000-memory.dmp

memory/1496-70-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/1496-73-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-75-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-77-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-79-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-81-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-83-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-85-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-87-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-89-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-91-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-93-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-95-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-97-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-99-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-101-0x0000000005410000-0x0000000005445000-memory.dmp

memory/1496-860-0x0000000007910000-0x0000000007F28000-memory.dmp

memory/1496-861-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/1496-862-0x0000000007FC0000-0x00000000080CA000-memory.dmp

memory/1496-863-0x00000000028C0000-0x00000000028D0000-memory.dmp

memory/1496-864-0x00000000080E0000-0x000000000811C000-memory.dmp

memory/1496-865-0x0000000004910000-0x000000000495C000-memory.dmp

memory/1496-867-0x0000000000820000-0x0000000000920000-memory.dmp

memory/1496-869-0x00000000028C0000-0x00000000028D0000-memory.dmp

memory/1496-870-0x00000000028C0000-0x00000000028D0000-memory.dmp

memory/1496-871-0x0000000074820000-0x0000000074FD0000-memory.dmp

memory/1496-872-0x00000000028C0000-0x00000000028D0000-memory.dmp

memory/1496-873-0x00000000028C0000-0x00000000028D0000-memory.dmp