Malware Analysis Report

2024-10-16 03:50

Sample ID 240422-1rx1sagh39
Target 4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f
SHA256 4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f
Tags
healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f

Threat Level: Known bad

The file 4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f was found to be: Known bad.

Malicious Activity Summary

healer redline zgrat dropper evasion infostealer persistence rat trojan

Healer

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detect ZGRat V1

ZGRat

Detects executables packed with ConfuserEx Mod

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-22 21:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-22 21:53

Reported

2024-04-22 21:56

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (20 hits, no indicator details recorded)

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (18 hits, no indicator details recorded)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (20 hits, no indicator details recorded)

ZGRat

rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
N/A N/A N/A N/A (18 hits, no indicator details recorded)

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A (20 hits, no indicator details recorded)

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe
PID 1628 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe
PID 1628 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe
PID 4824 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe
PID 4824 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe
PID 4824 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe
PID 4824 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe
PID 4824 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe
PID 4824 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe

"C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 996 -ip 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 132.250.30.184.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe

MD5 95c2f07de62707ccea6b7e533d555b9c
SHA1 b9f74ebcb4ea24da447d749cd1f2359893e94295
SHA256 b0da38ff55e368cb06c4046310521c0a885b2f6041d09e0c30ac412684893c8f
SHA512 d82ba4713aa86c4061ed627e09a6a495f7afdec2509ef28b702967b80b97c0c41f480ed4a0b3379d78544740e1548a39aca0e705dbf97a9ff84a791bee3a5f22

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe

MD5 3b36bd6ba6590e82b14ede8a286837e0
SHA1 28879a6fb664df3f803f00e4cedaec347eec44d9
SHA256 6f0ea29d4d1a1b731f855b97fcc96075e02e92eef6d9c510be0015ad02e0cf44
SHA512 a53978fa3076fc377d265a3c337c4a21ee5da82a56ae2d2d161d55abd7a43cd55f6ed00dcd9c6e2d8c6110cdaeb1115dab0f68f6b9c9b1e74bfcfa06543e4316

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe

MD5 c16593624a62a1894cc4f1953e4feb63
SHA1 1662e87cc81480117f9f2e04ee00b0270a3016f0
SHA256 cd9daef60b56c767b32dbd8ff48c8b45e6a93dfc7d312b0d7439a4bda404b0c0
SHA512 47789c60e380eaac5f0386d362b1ec28bcfda8da8f5147cd85f3319c47a064e6b7266b149f3332c0f7e5bbdb8498ac44f327c8a9376effc33802e60cb4ea6a93
