Overview

overview

10

Static

static

1

ExCheats Loader.exe

windows7-x64

10

ExCheats Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 20:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ExCheats Loader.exe

  • Size

    435KB

  • MD5

    9faa97aeb1d886b560871f52c04e59e1

  • SHA1

    a58886013917c1da279bad487d142a8e5b3f9090

  • SHA256

    836cf0a0d86d4a83d9e019d6cbed76ba42d3c41dac9bdc10e7f983ff041343f4

  • SHA512

    41317af2324638328c1fbeda8a8592e65aec52f0b474d45152ab5d8acb9ee69612c3a9cbe465bb40e0e1bc7ca2239bd92cd9ca9310ce13c6876f4973e61a8ddb

  • SSDEEP

    12288:tcY4vVKJcADX6Fze2V4VoPU6Rzl7tQQLOGpP:gkqA+1ebVoll7nL3P

Score
10/10
redlinezgratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ExCheats Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\ExCheats Loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3104
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4332
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 356
      2⤵
      • Program crash
      PID:4392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 356
      2⤵
      • Program crash
      PID:3772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3104 -ip 3104
    1⤵
      PID:2496
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3896 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3404
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2064
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=_iyiwy.exe _iyiwy.exe"
          1⤵
            PID:788
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5792 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:1
            1⤵
              PID:656
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5104 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:1
              1⤵
                PID:3988
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4888 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
                1⤵
                  PID:3060
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5268 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:1
                  1⤵
                    PID:4400

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Initial Access

                  Execution

                  Persistence

                  Privilege Escalation

                  Defense Evasion

                  Credential Access

                  Unsecured Credentials

                  2
                  T1552

                  Credentials In Files

                  2
                  T1552.001

                  Discovery

                  Query Registry

                  2
                  T1012

                  Peripheral Device Discovery

                  1
                  T1120

                  System Information Discovery

                  1
                  T1082

                  Lateral Movement

                  Collection

                  Data from Local System

                  2
                  T1005

                  Exfiltration

                  Command and Control

                  Impact

                  Resource Development

                  Reconnaissance

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1444-11-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-13-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-10-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-12-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-6-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-4-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-5-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-16-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-15-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1444-14-0x0000012A3C510000-0x0000012A3C511000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/3104-2-0x0000000000EE0000-0x0000000000F4E000-memory.dmp
                    Filesize

                    440KB

                    Download
                  • memory/3104-0-0x0000000000EE0000-0x0000000000F4E000-memory.dmp
                    Filesize

                    440KB

                    Download
                  • memory/4332-20-0x0000000006990000-0x0000000006A9A000-memory.dmp
                    Filesize

                    1.0MB

                    Download
                  • memory/4332-22-0x0000000006920000-0x000000000695C000-memory.dmp
                    Filesize

                    240KB

                    Download
                  • memory/4332-3-0x0000000005D50000-0x00000000062F4000-memory.dmp
                    Filesize

                    5.6MB

                    Download
                  • memory/4332-18-0x0000000005810000-0x000000000581A000-memory.dmp
                    Filesize

                    40KB

                    Download
                  • memory/4332-19-0x0000000006E20000-0x0000000007438000-memory.dmp
                    Filesize

                    6.1MB

                    Download
                  • memory/4332-17-0x0000000005840000-0x00000000058D2000-memory.dmp
                    Filesize

                    584KB

                    Download
                  • memory/4332-21-0x00000000068C0000-0x00000000068D2000-memory.dmp
                    Filesize

                    72KB

                    Download
                  • memory/4332-1-0x0000000000400000-0x000000000044A000-memory.dmp
                    Filesize

                    296KB

                    Download
                  • memory/4332-23-0x0000000006670000-0x00000000066BC000-memory.dmp
                    Filesize

                    304KB

                    Download
                  • memory/4332-24-0x0000000006BA0000-0x0000000006C06000-memory.dmp
                    Filesize

                    408KB

                    Download
                  • memory/4332-25-0x0000000007540000-0x00000000075B6000-memory.dmp
                    Filesize

                    472KB

                    Download
                  • memory/4332-26-0x0000000006D80000-0x0000000006D9E000-memory.dmp
                    Filesize

                    120KB

                    Download
                  • memory/4332-27-0x0000000008C20000-0x0000000008DE2000-memory.dmp
                    Filesize

                    1.8MB

                    Download
                  • memory/4332-28-0x0000000009320000-0x000000000984C000-memory.dmp
                    Filesize

                    5.2MB

                    Download