Malware Analysis Report

2024-10-16 03:50

Sample ID 240424-wfj8bsec6v
Target 7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354
SHA256 7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354
Tags
healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354

Threat Level: Known bad

The file 7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354 was found to be: Known bad.

Malicious Activity Summary

healer redline zgrat dropper evasion infostealer persistence rat trojan

Detects Healer, an antivirus disabler dropper

ZGRat

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Detect ZGRat V1

Healer

Detects executables packed with ConfuserEx Mod

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-24 17:51

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-24 17:51

Reported

2024-04-24 17:54

Platform

win10v2004-20240412-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe"

Signatures

Detect ZGRat V1

Description | Indicator | Process | Target
(20 matches recorded; the report carries no per-match description, indicator, process or target)

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
(18 matches recorded; the report carries no per-match description, indicator, process or target)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(20 matches recorded; the report carries no per-match description, indicator, process or target)

ZGRat

rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description | Indicator | Process | Target
(18 matches recorded; the report carries no per-match description, indicator, process or target)

Detects executables packed with ConfuserEx Mod

Description | Indicator | Process | Target
(20 matches recorded; the report carries no per-match description, indicator, process or target)

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
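The two Defender tables above record a 32-bit stage (pr399239.exe, whose crash was later handled by SysWOW64\WerFault.exe) setting the five Real-Time Protection policy values to 1 and the TamperProtection feature flag to 0, all through the WOW6432Node view of the registry. The report logs the writes; it does not show whether Defender honoured them, and Tamper Protection is designed to block exactly this kind of change, so treat the rows as attempted tampering and confirm the effective state on an affected host (for example with Get-MpComputerStatus). The following is an added example, not code from the sandbox or the report: it parses registry-event rows in this report's format, normalises the WOW6432Node and 64-bit views to one key path, and flags every value that disables a Defender component. The value list, the row grammar and the normalisation rule are assumptions of the example.

```python
"""Detect Microsoft Defender tampering in sandbox registry-event rows.

Added example for this report; it is not the sandbox's own code.  The
input rows are copied from the report's "Modifies Windows Defender
Real-time Protection settings" and "Windows security modification"
tables; the row grammar, the value list and the normalisation rule are
assumptions of this example.
"""
import re
from dataclasses import dataclass

# Assumed list of Defender values whose setting disables a protection
# component: the five Real-Time Protection policy values and the
# TamperProtection feature flag written by this sample.  Keys are the
# path below HKLM\SOFTWARE, lower-cased, with any WOW6432Node removed.
DISABLING_VALUES = {
    r"policies\microsoft\windows defender\real-time protection": {
        "disablerealtimemonitoring": "1",
        "disablebehaviormonitoring": "1",
        "disableioavprotection": "1",
        "disableonaccessprotection": "1",
        "disablescanonrealtimeenable": "1",
    },
    r"microsoft\windows defender\features": {
        "tamperprotection": "0",
    },
}

# 'Set value (<type>) <path> = "<data>" <process> <target>', with optional
# " | " column separators.  "Key created" rows carry no data and are skipped.
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\)\s*\|?\s*(?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)"'
    r"\s*\|?\s*(?P<proc>\S+)"
)

# Rows copied from the report (constructed input for this example).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe N/A',
]


@dataclass(frozen=True)
class Finding:
    process: str
    key: str          # normalised key path below HKLM\SOFTWARE
    value: str
    data: str
    redirected: bool  # written through the WOW6432Node (32-bit) view


def normalise(path):
    """Split a raw \\REGISTRY\\MACHINE\\SOFTWARE\\... path into (key, value,
    redirected), lower-cased and with WOW6432Node removed so the 32-bit
    and 64-bit views of the same key compare equal."""
    p = path.lower()
    redirected = "\\wow6432node\\" in p
    p = p.replace("\\wow6432node\\", "\\")
    p = p.replace("\\registry\\machine\\software\\", "", 1)
    key, _, value = p.rpartition("\\")
    return key, value, redirected


def scan(rows):
    """Return one Finding per row that sets a Defender-disabling value."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        key, value, redirected = normalise(m["path"])
        expected = DISABLING_VALUES.get(key, {}).get(value)
        if expected is not None and m["data"] == expected:
            findings.append(Finding(m["proc"], key, value, m["data"], redirected))
    return findings


def summarise(findings):
    """Group disabled components by writing process: {process: [value, ...]}."""
    out = {}
    for f in findings:
        out.setdefault(f.process, []).append(f.value)
    return {p: sorted(v) for p, v in out.items()}


if __name__ == "__main__":
    for proc, values in summarise(scan(SAMPLE_ROWS)).items():
        print(f"{proc} disabled: {', '.join(values)}")
```

Run against the rows above, the scan attributes all six disabling writes to pr399239.exe and marks every one as redirected, which is the cue to check both registry views (and the live Defender state) during incident response rather than only the 64-bit policy key.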

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3156 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe
PID 3156 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe
PID 3156 wrote to memory of 3604 | N/A | C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe
PID 3604 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe
PID 3604 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe
PID 3604 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe
PID 3604 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe
PID 3604 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe
PID 3604 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe
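Read together with the Processes and Files sections, the WriteProcessMemory rows above describe a two-level IExpress/wextract package: the sample (PID 3156) extracts un639802.exe into IXP000.TMP, and that stage extracts pr399239.exe (PID 1068, the process that writes the Defender keys and later crashes under WerFault) and qu051503.exe (PID 2352) into IXP001.TMP. The wextract_cleanup RunOnce values in the persistence table are wextract's own self-delete entries (rundll32 advpack.dll,DelNodeRunDLL32 on the IXP directory): they remove the extraction directories at next logon rather than start a payload, and they are the only persistence rows in this report. The block below is an added example, not the sandbox's code; it rebuilds that tree from rows in the report's format, marks crashed PIDs from the WerFault command lines, and separates wextract cleanup from genuine autostart values. The row grammar and the wextract rule are assumptions of the example.

```python
"""Rebuild this sample's drop chain from rows logged in the report.

Added example for this report; not the sandbox's own code.  It reads
three kinds of rows copied from the report: "PID a wrote to memory of b"
rows (a parent writing its child's memory at process creation), WerFault
command lines (which name the crashed PID after -p), and RunOnce values.
The row grammar and the wextract-cleanup rule are assumptions.
"""
import re

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s*\|?\s*N/A\s*\|?\s*"
    r"(?P<srcpath>\S+)\s*\|?\s*(?P<dstpath>\S+)"
)
WERFAULT_RE = re.compile(r"WerFault\.exe .*?-p (?P<pid>\d+)")
# wextract (the IExpress self-extractor) unpacks into %TEMP%\IXP<nnn>.TMP
# and registers RunOnce\wextract_cleanup<n> so rundll32 deletes that
# directory at next logon: installer cleanup, not an autostart entry.
WEXTRACT_DIR_RE = re.compile(r"IXP\d{3}\.TMP")

# Rows copied from the report (constructed input for this example).
SAMPLE_WPM_ROWS = [
    r"PID 3156 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe",
    r"PID 3156 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe",
    r"PID 3604 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe",
    r"PID 3604 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe",
    r"PID 3604 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe",
]
SAMPLE_WERFAULT = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1068 -ip 1068",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1080",
]
SAMPLE_RUNONCE = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe N/A',
]


def build_tree(wpm_rows):
    """Return (paths, children): PID -> image path and parent PID -> child
    PIDs in first-seen order, collapsing the repeated write rows."""
    paths, children = {}, {}
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        paths.setdefault(src, m["srcpath"])
        paths.setdefault(dst, m["dstpath"])
        kids = children.setdefault(src, [])
        if dst not in kids:
            kids.append(dst)
    return paths, children


def crashed_pids(cmdlines):
    """PIDs named by -p in WerFault command lines."""
    return {int(m["pid"]) for c in cmdlines if (m := WERFAULT_RE.search(c))}


def classify_runonce(row):
    """('wextract_cleanup', 'IXP000.TMP') for wextract's self-delete entry,
    ('autostart', row) for anything else, which deserves a closer look."""
    if "advpack.dll,DelNodeRunDLL32" in row and (m := WEXTRACT_DIR_RE.search(row)):
        return "wextract_cleanup", m.group(0)
    return "autostart", row


def stages(paths):
    """Sorted wextract extraction directories seen in any image path."""
    return sorted({m.group(0) for p in paths.values() if (m := WEXTRACT_DIR_RE.search(p))})


def render(paths, children, crashed, root):
    """Indented text tree of the chain, marking wextract stages and crashes."""
    lines = []

    def walk(pid, depth):
        path = paths[pid]
        tags = []
        if (m := WEXTRACT_DIR_RE.search(path)):
            tags.append(f"dropped by wextract stage {m.group(0)}")
        if pid in crashed:
            tags.append("crashed (WerFault)")
        suffix = f"  [{'; '.join(tags)}]" if tags else ""
        lines.append(f"{'  ' * depth}{pid} {path.rsplit(chr(92), 1)[-1]}{suffix}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    paths, children = build_tree(SAMPLE_WPM_ROWS)
    print(render(paths, children, crashed_pids(SAMPLE_WERFAULT), 3156))
    for row in SAMPLE_RUNONCE:
        print(classify_runonce(row)[0], classify_runonce(row)[1][:60])
```

Because the sample is a nested IExpress package, the hashes worth pivoting on are those of the inner files in the Files section (un639802.exe, pr399239.exe, qu051503.exe), not only the outer SHA256: a repacked outer archive changes the top-level hash while the dropped stages can stay identical.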

Processes

C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe

"C:\Users\Admin\AppData\Local\Temp\7c960045ac7897a81ce01f974abb7aa83300a65aaefc94493b8d1f3b6f7a2354.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1068 -ip 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 156.33.209.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.221.208.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
RU | 185.161.248.142:38452 | - | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
RU | 185.161.248.142:38452 | - | tcp
US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp
RU | 185.161.248.142:38452 | - | tcp
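Most of the Network rows above are background: 19 reverse (PTR) lookups sent to the sandbox's resolver at 8.8.8.8, and DNS plus HTTPS to tse1.mm.bing.net. What remains is seven TCP connections to 185.161.248.142:38452 (RU) with no DNS lookup before them, which is the only command-and-control candidate in this report and is consistent with the RedLine tag (RedLine connects to its panel over a direct TCP socket on an operator-chosen port). The block below is an added example, not the sandbox's code; it applies those noise rules to rows in the report's format and ranks whatever is left by connection count. The noise rules are assumptions of the example.

```python
"""Triage the report's network table: drop background noise and rank the
rest as command-and-control candidates.

Added example for this report; not the sandbox's own code.  Rows are
copied from the report's Network table; the noise rules (PTR lookups to
the sandbox resolver, Microsoft/Bing service traffic) are assumptions.
"""
import re
from collections import Counter

# "<CC> <ip>:<port> [<domain>] <proto>", with optional " | " separators and
# an optional "-" placeholder where no domain was recorded.
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s*\|?\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s*\|?\s*(?P<domain>[^\s|]*)\s*\|?\s*(?P<proto>tcp|udp)\s*$"
)
BACKGROUND_SUFFIXES = (".bing.net",)  # assumed: Windows/Bing service traffic

# Rows copied from the report (constructed input for this example).
SAMPLE_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp",
    "US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp",
    "US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp",
    "US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp",
    "US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp",
    "US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp",
    "US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp",
    "US 8.8.8.8:53 206.221.208.4.in-addr.arpa udp",
    "US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp",
    "US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
    "RU 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "US 204.79.197.200:443 tse1.mm.bing.net tcp",
    "RU 185.161.248.142:38452 tcp",
    "US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp",
    "RU 185.161.248.142:38452 tcp",
]


def parse(rows):
    """(cc, ip, port, domain, proto) tuples; unparseable rows are dropped."""
    out = []
    for row in rows:
        m = NET_RE.match(row)
        if m:
            domain = "" if m["domain"] == "-" else m["domain"]
            out.append((m["cc"], m["ip"], int(m["port"]), domain, m["proto"]))
    return out


def classify(rec):
    cc, ip, port, domain, proto = rec
    if port == 53 and domain.endswith(".in-addr.arpa"):
        return "reverse-dns noise"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background service"
    if port == 53:
        return "dns"
    return "candidate c2"


def triage(rows):
    """{'counts': Counter by class, 'candidates': [(ip, port, proto, cc, n), ...]}
    with candidates ordered by number of connections."""
    recs = parse(rows)
    counts = Counter(classify(r) for r in recs)
    cands = Counter((ip, port, proto, cc) for cc, ip, port, _, proto in recs
                    if classify((cc, ip, port, _, proto)) == "candidate c2")
    ranked = [(ip, port, proto, cc, n) for (ip, port, proto, cc), n in cands.most_common()]
    return {"counts": counts, "candidates": ranked}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    print(dict(result["counts"]))
    for ip, port, proto, cc, n in result["candidates"]:
        print(f"candidate C2: {ip}:{port}/{proto} ({cc}) x{n}")
```

The PTR lookups are worth keeping out of any blocklist: they resolve Microsoft and CDN addresses the sandbox OS talks to on its own, and blocking them produces false positives without touching the malware's traffic.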

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un639802.exe

MD5 00878ae94239027c6ac0ce0456c9a361
SHA1 54f29558ab5f63bf62a4a83e66f69d863eafe4fb
SHA256 01b702685250315679d5eb07cde349e2410e2acd7c2c2678b53f9eb99a50ff2e
SHA512 ba477fef4c1996c60b6d7fdc958bba53e9c3da9d82f5030dec2cde287ae4841a94eb5bfb98d5b7b00813ce5b2449b45bc11e16a73fb4a3454571d1a0c20d6af8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr399239.exe

MD5 51760ce0e328ced19f6df0b15917e990
SHA1 51de00adfc945ff585e8748a19c73f51a3ce1851
SHA256 41ea0044cbcb091b71e51cac039e51bd1f64b071240062f32c0f7dbd910f8cf1
SHA512 0141440edd082d8f662a63dfcd54796b08145d578adcd7c9de37b12141ae342ae4999654ec466e7da3688e1938c1b0e440e769068968a91b019ca70622a50108

memory/1068-15-0x0000000002C90000-0x0000000002D90000-memory.dmp

memory/1068-16-0x0000000004540000-0x000000000456D000-memory.dmp

memory/1068-17-0x0000000004BC0000-0x0000000004BDA000-memory.dmp

memory/1068-18-0x0000000007220000-0x00000000077C4000-memory.dmp

memory/1068-20-0x0000000000400000-0x0000000002BAD000-memory.dmp

memory/1068-19-0x0000000004C50000-0x0000000004C68000-memory.dmp

memory/1068-21-0x0000000007210000-0x0000000007220000-memory.dmp

memory/1068-22-0x0000000007210000-0x0000000007220000-memory.dmp

memory/1068-24-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-23-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-26-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-29-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-28-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/1068-31-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-33-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-35-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-37-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-39-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-41-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-43-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-45-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-47-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-49-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-51-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1068-54-0x0000000000400000-0x0000000002BAD000-memory.dmp

memory/1068-55-0x0000000074810000-0x0000000074FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu051503.exe

MD5 f91e92e49af44f1855c1d733f7407c09
SHA1 e0893c65b0af985549de8d17e76712407527aa60
SHA256 a4b94c14067a61e830a27d71ef0a2630a64b64f5dd59576ad5ed13cf0b4eefc5
SHA512 68bef83cdc2a87260fb79bfa350777fab4935c3ef6fe68deeeab99729b692f5589ee53bec031383b6180f55cfe323bd89753e616d5979f51ddad9071ba3a4929

memory/2352-61-0x0000000004940000-0x000000000497C000-memory.dmp

memory/2352-60-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

memory/2352-63-0x0000000004B20000-0x0000000004B5A000-memory.dmp

memory/2352-64-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-62-0x0000000002BD0000-0x0000000002C16000-memory.dmp

memory/2352-65-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-67-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-68-0x0000000000400000-0x0000000002BC2000-memory.dmp

memory/2352-70-0x00000000073B0000-0x00000000073C0000-memory.dmp

memory/2352-72-0x00000000073B0000-0x00000000073C0000-memory.dmp

memory/2352-75-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/2352-74-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-71-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-77-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-79-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-83-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-81-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-85-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-87-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-89-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-91-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-93-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-95-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-97-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-99-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-101-0x0000000004B20000-0x0000000004B55000-memory.dmp

memory/2352-860-0x0000000009DF0000-0x000000000A408000-memory.dmp

memory/2352-861-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

memory/2352-862-0x000000000A410000-0x000000000A51A000-memory.dmp

memory/2352-863-0x00000000073B0000-0x00000000073C0000-memory.dmp

memory/2352-864-0x0000000007340000-0x000000000737C000-memory.dmp

memory/2352-865-0x0000000004760000-0x00000000047AC000-memory.dmp

memory/2352-868-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

memory/2352-869-0x00000000073B0000-0x00000000073C0000-memory.dmp

memory/2352-870-0x00000000073B0000-0x00000000073C0000-memory.dmp

memory/2352-871-0x0000000074810000-0x0000000074FC0000-memory.dmp

memory/2352-872-0x00000000073B0000-0x00000000073C0000-memory.dmp

memory/2352-873-0x00000000073B0000-0x00000000073C0000-memory.dmp