Malware Analysis Report

2024-10-16 03:50

Sample ID 240501-165n6shc3t
Target 5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5
SHA256 5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5
Tags
healer redline zgrat dropper evasion infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5

Threat Level: Known bad

The file 5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5 was found to be: Known bad.

Malicious Activity Summary

healer redline zgrat dropper evasion infostealer persistence rat trojan

Detect ZGRat V1

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

RedLine

ZGRat

Detects Healer an antivirus disabler dropper

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Detects executables packed with ConfuserEx Mod

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-01 22:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 22:16

Reported

2024-05-01 22:19

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
20 hits, no details recorded (Description, Indicator, Process and Target all N/A)

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
17 hits, no details recorded (Description, Indicator, Process and Target all N/A)

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
20 hits, no details recorded (Description, Indicator, Process and Target all N/A)

ZGRat

rat zgrat

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Description Indicator Process Target
17 hits, no details recorded (Description, Indicator, Process and Target all N/A)

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
20 hits, no details recorded (Description, Indicator, Process and Target all N/A)

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4808 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe
PID 4808 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe
PID 4808 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe
PID 4564 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe
PID 4564 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe
PID 4564 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe
PID 4564 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe
PID 4564 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe
PID 4564 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe

"C:\Users\Admin\AppData\Local\Temp\5ed90a1f4d5e30a6a6d8a3d8aa3f84d875c0527d59ac4ef2cf549e829fb4a0b5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3520 -ip 3520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 199.178.17.96.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un084450.exe

MD5 dae959df45789f5b236e3a40afc1e883
SHA1 4402007f23f98aef46561ae692ee621f385f9515
SHA256 35a069bcc4a210210de2b15c982322ef0d0811245a9672686c4e03c413f38b90
SHA512 2aaa3bca7dfccb6d4deecb85d3d8f34bac9ffd4b66cba9f5b8282079aa67a0b6b443a7eb1a5cdc2210df67be9e1f68d01ae1dd5068944053cd4f4d328284c4d3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\12869306.exe

MD5 ecae5f726f6cce6e2cd107f5cd4dfa1f
SHA1 1c7e13eb906e6228f9c4e20de78e25377a397b9c
SHA256 37a9dab840d162807b33e936f86438dbeab8e05cf443db80b01d2ebb39f22569
SHA512 e891aa12a70f05105fb2139196a6ca0614c851ed4b8c4b20ae32cbb98b2167eb0058c53f28ec1f44be587b2a5d3007f3e327f91aea22459e253e4c9f542611e5

memory/3520-16-0x0000000000500000-0x000000000052D000-memory.dmp

memory/3520-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3520-15-0x0000000000580000-0x0000000000680000-memory.dmp

memory/3520-18-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3520-19-0x0000000002360000-0x000000000237A000-memory.dmp

memory/3520-20-0x0000000004B70000-0x0000000005114000-memory.dmp

memory/3520-21-0x0000000004A00000-0x0000000004A18000-memory.dmp

memory/3520-49-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-47-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-45-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-43-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-41-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-39-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-37-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-35-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-33-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-32-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-29-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-27-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-26-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-22-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-23-0x0000000004A00000-0x0000000004A13000-memory.dmp

memory/3520-52-0x0000000000400000-0x0000000000455000-memory.dmp

memory/3520-53-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk622902.exe

MD5 adf4151b56d6dd60291ebeabf8ba48c2
SHA1 478fc6ea02c926dbe947840c6d15e176ee314a63
SHA256 21e115253f2f66729e3e31c0484d8a9d2dc9ed08701d84fe382fac0ebab07d76
SHA512 3a1b5e5c39de91267b80a4d3d2dab007f8f83d169e5fd765c38861a5eb4d249ba1aa245a7cb8093b54f5e997d8b39d7ddcda302496dc50e6b9b138c2bcb898d1

memory/2032-58-0x00000000023C0000-0x00000000023FC000-memory.dmp

memory/2032-59-0x0000000004A50000-0x0000000004A8A000-memory.dmp

memory/2032-67-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-73-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-93-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-91-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-89-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-87-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-85-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-83-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-81-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-79-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-77-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-71-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-69-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-75-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-65-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-63-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-61-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-60-0x0000000004A50000-0x0000000004A85000-memory.dmp

memory/2032-852-0x0000000007540000-0x0000000007B58000-memory.dmp

memory/2032-853-0x0000000007BF0000-0x0000000007C02000-memory.dmp

memory/2032-854-0x0000000007C10000-0x0000000007D1A000-memory.dmp

memory/2032-855-0x0000000007D30000-0x0000000007D6C000-memory.dmp

memory/2032-856-0x0000000004580000-0x00000000045CC000-memory.dmp