Analysis Overview
SHA256
4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f
Threat Level: Known bad
The file 4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f was found to be: Known bad.
Malicious Activity Summary
Healer
RedLine
Detects Healer, an antivirus disabler dropper
Modifies Windows Defender Real-time Protection settings
RedLine payload
Detect ZGRat V1
ZGRat
Detects executables packed with ConfuserEx Mod
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-22 21:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-22 21:53
Reported
2024-04-22 21:56
Platform
win10v2004-20240412-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detect ZGRat V1
20 matches recorded; the report gives no description, indicator, process or target for any of them.
Detects Healer, an antivirus disabler dropper
18 matches recorded; the report gives no description, indicator, process or target for any of them.
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
RedLine
RedLine payload
20 matches recorded; the report gives no description, indicator, process or target for any of them.
ZGRat
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
18 matches recorded; the report gives no description, indicator, process or target for any of them.
Detects executables packed with ConfuserEx Mod
20 matches recorded; the report gives no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
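The two registry tables above (the five Real-Time Protection policy values and the TamperProtection feature flag, all written by pr419417.exe) are the detection-worthy content of this report. The following is an added example, not sandbox output or code from the sample: it runs a detection over constructed registry-set events in a Sysmon-EventID-13-like line format (not a real Sysmon export), normalizes away the hive prefix and the WOW6432Node reflection so the same rule fires on the 32-bit and native registry views, and only alerts when the data written is the disabling value. The names detect, normalize_key, Finding and SAMPLE_EVENTS are this example's own.

```python
"""Flag registry writes that switch off Microsoft Defender protections.

Added example for this report, not sandbox or malware code. The input is a
constructed, Sysmon-EventID-13-style (RegistryEvent: value set) line format,
not a real Sysmon export; the function and constant names are this example's own.
"""
import re
from typing import NamedTuple

# The keys pr419417.exe wrote in this report, with the hive prefix and the
# WOW6432Node reflection removed so one rule covers the 32-bit and native views.
RTP_POLICY = "SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
FEATURES = "SOFTWARE\\Microsoft\\Windows Defender\\Features"

# (key, value name) -> DWORD data that means "protection off"
DISABLING_WRITES = {
    (RTP_POLICY, "DisableBehaviorMonitoring"): 1,
    (RTP_POLICY, "DisableIOAVProtection"): 1,
    (RTP_POLICY, "DisableOnAccessProtection"): 1,
    (RTP_POLICY, "DisableRealtimeMonitoring"): 1,
    (RTP_POLICY, "DisableScanOnRealtimeEnable"): 1,
    (FEATURES, "TamperProtection"): 0,
}
_LOOKUP = {(k.lower(), v.lower()): d for (k, v), d in DISABLING_WRITES.items()}

_EVENT = re.compile(r'Image="([^"]*)"\s+TargetObject="([^"]*)"\s+Details="([^"]*)"')
_DWORD = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


class Finding(NamedTuple):
    image: str
    key: str
    value: str
    data: int


def normalize_key(path: str) -> str:
    """Drop the hive prefix and any WOW6432Node component from a registry path."""
    for prefix in ("\\REGISTRY\\MACHINE\\", "HKLM\\", "HKEY_LOCAL_MACHINE\\"):
        if path.upper().startswith(prefix):
            path = path[len(prefix):]
            break
    return re.sub(r"(?i)WOW6432Node\\", "", path)


def detect(lines) -> list:
    """Return one Finding per event that sets a Defender value to its disabling data."""
    findings = []
    for line in lines:
        m = _EVENT.search(line)
        if not m:
            continue
        image, target, details = m.groups()
        d = _DWORD.fullmatch(details)
        if not d:
            continue  # the values of interest are DWORDs; string writes are ignored
        key, _, name = normalize_key(target).rpartition("\\")
        expected = _LOOKUP.get((key.lower(), name.lower()))
        if expected is not None and int(d.group(1), 16) == expected:
            findings.append(Finding(image, key, name, expected))
    return findings


# Constructed sample: the six writes from this report, then two events that must not fire.
PR = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\pr419417.exe"
RTP_WOW = "HKLM\\SOFTWARE\\WOW6432Node\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"
FEAT_WOW = "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows Defender\\Features"
SAMPLE_EVENTS = [
    f'Image="{PR}" TargetObject="{RTP_WOW}\\DisableBehaviorMonitoring" Details="DWORD (0x00000001)"',
    f'Image="{PR}" TargetObject="{RTP_WOW}\\DisableIOAVProtection" Details="DWORD (0x00000001)"',
    f'Image="{PR}" TargetObject="{RTP_WOW}\\DisableOnAccessProtection" Details="DWORD (0x00000001)"',
    f'Image="{PR}" TargetObject="{RTP_WOW}\\DisableRealtimeMonitoring" Details="DWORD (0x00000001)"',
    f'Image="{PR}" TargetObject="{RTP_WOW}\\DisableScanOnRealtimeEnable" Details="DWORD (0x00000001)"',
    f'Image="{PR}" TargetObject="{FEAT_WOW}\\TamperProtection" Details="DWORD (0x00000000)"',
    # an administrator turning real-time monitoring back on: same value, non-disabling data
    'Image="C:\\Windows\\regedit.exe" TargetObject="HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
    '\\Real-Time Protection\\DisableRealtimeMonitoring" Details="DWORD (0x00000000)"',
    # a string write to an unrelated key (constructed, shortened)
    f'Image="{PR}" TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\cleanup" Details="rundll32.exe"',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.image} set {f.key}\\{f.value} = {f.data}")
```

On the six report events the function returns six findings, all attributed to pr419417.exe, and stays silent on the re-enable and the string write. When hunting for these values on a live host, query both the native path and the WOW6432Node path: this report shows the 32-bit view because the writing process was 32-bit.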
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe | N/A |
Both entries are the standard cleanup hooks written by wextract, the Windows self-extracting cabinet stub that also creates the IXP000.TMP and IXP001.TMP extraction directories: at the next logon, rundll32.exe calls DelNodeRunDLL32 in advpack.dll to delete those directories. They do not launch the dropped payloads. What this signature actually shows is that the submitted sample and un430773.exe are wextract-built droppers, not that the malware set up Run-key persistence.
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe | "C:\Users\Admin\AppData\Local\Temp\4fea0eda18fcd26278c500ad0a5a8b4220a5b39206612d2af69586cbdba3e43f.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 996 -ip 996 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 1084 |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe |
Execution chain, as far as the report supports it: the submitted sample extracts un430773.exe into IXP000.TMP (it writes the wextract_cleanup0 entry for that directory), and un430773.exe extracts pr419417.exe and qu615041.exe into IXP001.TMP (it writes wextract_cleanup1). pr419417.exe is PID 996: WerFault.exe is invoked with -p 996, the Program crash signature names pr419417.exe as the target, and the memory/996-* dumps are listed under its file entry. The crash was handled by C:\Windows\SysWOW64\WerFault.exe, the 32-bit error-reporting binary, so pr419417.exe is a 32-bit process, which is consistent with its registry writes being logged under the WOW6432Node view. qu615041.exe is PID 3608 (the memory/3608-* dumps under its file entry). The report does not attribute any network connection to a specific process.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.250.30.184.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| RU | 185.161.248.152:38452 | | tcp |
| RU | 185.161.248.152:38452 | | tcp |
The only destination that is neither a DNS query to 8.8.8.8 nor a TLS connection to tse1.mm.bing.net is 185.161.248.152:38452 (RU), contacted seven times over TCP with no associated domain name.
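Most of the rows in the table above are reverse-DNS lookups and connections to tse1.mm.bing.net, which is routine Windows background traffic in a sandbox; the one destination left after removing them is 185.161.248.152:38452. The following added example (not sandbox output or code from the sample) makes that triage step repeatable: it parses table rows in the shape the report uses, including rows where a missing Domain cell shifted the protocol one column left, classifies each row, and returns the candidate C2 destinations with their hit counts. The rows in SAMPLE_ROWS are a subset copied from the report; the suffix list and the names parse_row, classify and triage are this example's own, and treating in-addr.arpa and bing.net traffic as background is a triage heuristic, not a claim that those hosts can never be abused.

```python
"""Triage a sandbox network table: background noise versus candidate C2.

Added example for this report, not part of the sandbox output. SAMPLE_ROWS is a
subset copied from the report's Network table, kept in the exact shapes the report
emitted them in (including rows with a missing Domain cell).
"""
from collections import Counter

# Triage heuristic (assumption): reverse lookups and bing.net traffic are treated as
# Windows/sandbox background noise, not as something the sample contacted on purpose.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.net")

SAMPLE_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |",
    "| RU | 185.161.248.152:38452 | tcp | |",          # proto shifted into the Domain column
    "| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |",
    "| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |",
    "| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |",
    "| RU | 185.161.248.152:38452 | | tcp |",          # well-formed row with empty Domain
    "| RU | 185.161.248.152:38452 | tcp",              # trailing cell lost entirely
]


def parse_row(line):
    """Return (country, destination, domain, proto), or None for a header or blank line."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    if len(cells) == 3:                 # "| RU | host:port | tcp": last cell missing
        cells.append("")
    country, dest, domain, proto = cells[:4]
    if domain in ("tcp", "udp") and not proto:   # proto shifted left because Domain was empty
        domain, proto = "", domain
    return country, dest, domain, proto


def classify(country, dest, domain, proto):
    """Label one row: DNS (PTR or other), known background traffic, or a C2 candidate."""
    _, _, port = dest.rpartition(":")
    if port == "53":
        return "dns-ptr" if domain.endswith(".in-addr.arpa") else "dns"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    return "candidate-c2"


def triage(rows):
    """Count rows per class and collect every candidate-C2 destination with its hit count."""
    classes = Counter()
    candidates = Counter()
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        label = classify(*parsed)
        classes[label] += 1
        if label == "candidate-c2":
            country, dest, _, proto = parsed
            candidates[f"{country} {dest}/{proto}"] += 1
    return classes, candidates


if __name__ == "__main__":
    classes, candidates = triage(SAMPLE_ROWS)
    print(dict(classes))
    for dest, n in candidates.items():
        print(f"{dest}: {n} connection(s)")
```

On the full table from the report the same code yields a single candidate, 185.161.248.152:38452 over TCP, with seven hits; everything else falls into the DNS or background classes.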
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un430773.exe
| MD5 | 95c2f07de62707ccea6b7e533d555b9c |
| SHA1 | b9f74ebcb4ea24da447d749cd1f2359893e94295 |
| SHA256 | b0da38ff55e368cb06c4046310521c0a885b2f6041d09e0c30ac412684893c8f |
| SHA512 | d82ba4713aa86c4061ed627e09a6a495f7afdec2509ef28b702967b80b97c0c41f480ed4a0b3379d78544740e1548a39aca0e705dbf97a9ff84a791bee3a5f22 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr419417.exe
| MD5 | 3b36bd6ba6590e82b14ede8a286837e0 |
| SHA1 | 28879a6fb664df3f803f00e4cedaec347eec44d9 |
| SHA256 | 6f0ea29d4d1a1b731f855b97fcc96075e02e92eef6d9c510be0015ad02e0cf44 |
| SHA512 | a53978fa3076fc377d265a3c337c4a21ee5da82a56ae2d2d161d55abd7a43cd55f6ed00dcd9c6e2d8c6110cdaeb1115dab0f68f6b9c9b1e74bfcfa06543e4316 |
memory/996-15-0x0000000000B20000-0x0000000000C20000-memory.dmp
memory/996-16-0x0000000000960000-0x000000000098D000-memory.dmp
memory/996-17-0x0000000000400000-0x000000000080A000-memory.dmp
memory/996-19-0x0000000073E70000-0x0000000074620000-memory.dmp
memory/996-18-0x0000000002700000-0x000000000271A000-memory.dmp
memory/996-20-0x0000000004E90000-0x0000000004EA0000-memory.dmp
memory/996-21-0x0000000004E90000-0x0000000004EA0000-memory.dmp
memory/996-22-0x0000000004EA0000-0x0000000005444000-memory.dmp
memory/996-23-0x0000000005490000-0x00000000054A8000-memory.dmp
memory/996-24-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-25-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-27-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-29-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-31-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-33-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-35-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-37-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-39-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-41-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-43-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-45-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-47-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-49-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-51-0x0000000005490000-0x00000000054A2000-memory.dmp
memory/996-54-0x0000000000400000-0x000000000080A000-memory.dmp
memory/996-55-0x0000000073E70000-0x0000000074620000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu615041.exe
| MD5 | c16593624a62a1894cc4f1953e4feb63 |
| SHA1 | 1662e87cc81480117f9f2e04ee00b0270a3016f0 |
| SHA256 | cd9daef60b56c767b32dbd8ff48c8b45e6a93dfc7d312b0d7439a4bda404b0c0 |
| SHA512 | 47789c60e380eaac5f0386d362b1ec28bcfda8da8f5147cd85f3319c47a064e6b7266b149f3332c0f7e5bbdb8498ac44f327c8a9376effc33802e60cb4ea6a93 |
memory/3608-60-0x0000000000A00000-0x0000000000B00000-memory.dmp
memory/3608-61-0x00000000027D0000-0x000000000280C000-memory.dmp
memory/3608-63-0x00000000028A0000-0x00000000028DA000-memory.dmp
memory/3608-62-0x00000000024A0000-0x00000000024E6000-memory.dmp
memory/3608-65-0x0000000073E70000-0x0000000074620000-memory.dmp
memory/3608-64-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-67-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/3608-68-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/3608-66-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-71-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-73-0x0000000000400000-0x000000000081E000-memory.dmp
memory/3608-74-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-70-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/3608-76-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-78-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-80-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-82-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-84-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-86-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-88-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-90-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-92-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-94-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-96-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-98-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-100-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-102-0x00000000028A0000-0x00000000028D5000-memory.dmp
memory/3608-861-0x00000000079A0000-0x0000000007FB8000-memory.dmp
memory/3608-862-0x0000000004F30000-0x0000000004F42000-memory.dmp
memory/3608-863-0x0000000007FC0000-0x00000000080CA000-memory.dmp
memory/3608-864-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/3608-865-0x00000000080D0000-0x000000000810C000-memory.dmp
memory/3608-866-0x00000000026D0000-0x000000000271C000-memory.dmp
memory/3608-868-0x0000000000A00000-0x0000000000B00000-memory.dmp
memory/3608-870-0x0000000073E70000-0x0000000074620000-memory.dmp
memory/3608-871-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/3608-872-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/3608-873-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/3608-874-0x0000000004F60000-0x0000000004F70000-memory.dmp
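The dump lists above are long but regular: each name carries the PID, a capture sequence number and the start and end address of the region. The following added example (not sandbox output or code from the sample) parses a subset of those names copied from this report and summarizes them per process: how many dumps, how many distinct regions, the largest region, the region captured most often, and which regions appear in more than one process. Two things it brings out are that both PIDs have a region starting at 0x400000 (the usual default image base for 32-bit executables) of slightly different sizes, 0x40A000 bytes for PID 996 and 0x41E000 for PID 3608, and that the 0x73E70000-0x74620000 region is mapped at the same address in both. The name layout is read off the names as listed; the function names are this example's own.

```python
"""Summarize the sandbox memory dumps listed for each process.

Added example, not part of the sandbox output. Dump names are copied from this
report's Files section (a subset); the layout
memory/<pid>-<sequence>-<start>-<end>-memory.dmp is read off those names, and the
function names are this example's own.
"""
import re
from collections import Counter, defaultdict

_DUMP = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

SAMPLE_DUMPS = [
    "memory/996-17-0x0000000000400000-0x000000000080A000-memory.dmp",
    "memory/996-19-0x0000000073E70000-0x0000000074620000-memory.dmp",
    "memory/996-24-0x0000000005490000-0x00000000054A2000-memory.dmp",
    "memory/996-25-0x0000000005490000-0x00000000054A2000-memory.dmp",
    "memory/996-27-0x0000000005490000-0x00000000054A2000-memory.dmp",
    "memory/996-54-0x0000000000400000-0x000000000080A000-memory.dmp",
    "memory/3608-65-0x0000000073E70000-0x0000000074620000-memory.dmp",
    "memory/3608-73-0x0000000000400000-0x000000000081E000-memory.dmp",
    "memory/3608-861-0x00000000079A0000-0x0000000007FB8000-memory.dmp",
]


def parse_dump(name):
    """Return (pid, sequence, start, end) for a dump name, or None if it does not match."""
    m = _DUMP.fullmatch(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def region_size(region):
    start, end = region
    return end - start


def summarize(names):
    """Per PID: dump count, distinct regions, largest region and the region dumped most
    often. Also returns the (start, end) regions that occur in more than one PID."""
    per_pid = defaultdict(Counter)
    for name in names:
        parsed = parse_dump(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        per_pid[pid][(start, end)] += 1
    report = {}
    for pid, regions in per_pid.items():
        most, hits = regions.most_common(1)[0]
        report[pid] = {
            "dumps": sum(regions.values()),
            "distinct_regions": len(regions),
            "largest_region": max(regions, key=region_size),
            "most_dumped": (most, hits),
        }
    seen = Counter(region for regions in per_pid.values() for region in regions)
    shared = {region for region, n in seen.items() if n > 1}
    return report, shared


if __name__ == "__main__":
    report, shared = summarize(SAMPLE_DUMPS)
    for pid, info in sorted(report.items()):
        s, e = info["largest_region"]
        print(f"PID {pid}: {info['dumps']} dumps, {info['distinct_regions']} regions, "
              f"largest 0x{s:X}-0x{e:X} ({region_size((s, e))} bytes)")
    print("regions dumped in more than one process:",
          [f"0x{s:X}-0x{e:X}" for s, e in sorted(shared)])
```

Running it on the complete lists from the report instead of the subset changes only the counts; the per-PID image-base regions and the shared 0x73E70000 region come out the same.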