Analysis
-
max time kernel
65s -
max time network
74s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
02/05/2024, 00:06
Static task
static1
Behavioral task
behavioral1
Sample
OwnCheat/OwnCheat.exe
Resource
win7-20240221-en
General
-
Target
OwnCheat/OwnCheat.exe
-
Size
433KB
-
MD5
7e46d11cc986f86dc1210adfc6f51248
-
SHA1
89823c4faf48f75c9578c2e31367bd2d0fd7225a
-
SHA256
af8c537868eae76c5616f69dde5d25fa0ac00d9ac60d3afc0eff574830f5c123
-
SHA512
61f4e103115ae908a68ac001d7e73d600ea727646c6daeff0474a6f18102ee70de67e145875827a70a0f7a47138eb55724c266252aa792ef514994328a8aed4d
-
SSDEEP
12288:vAmzq9FyLqvk/5c1bTmsygfKKP8EQi8vrm:vAm+6q+sK/gSbiY
Malware Config
Signatures
-
Detect ZGRat V1 1 IoCs
resource yara_rule behavioral2/memory/4784-1-0x0000000000400000-0x000000000044A000-memory.dmp family_zgrat_v1 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral2/memory/4784-1-0x0000000000400000-0x000000000044A000-memory.dmp family_redline -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4440 set thread context of 4784 4440 OwnCheat.exe 88 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 4784 RegAsm.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4784 RegAsm.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4440 wrote to memory of 4784 4440 OwnCheat.exe 88 PID 4440 wrote to memory of 4784 4440 OwnCheat.exe 88 PID 4440 wrote to memory of 4784 4440 OwnCheat.exe 88 PID 4440 wrote to memory of 4784 4440 OwnCheat.exe 88 PID 4440 wrote to memory of 4784 4440 OwnCheat.exe 88 PID 4440 wrote to memory of 4784 4440 OwnCheat.exe 88 PID 4440 wrote to memory of 4784 4440 OwnCheat.exe 88 PID 4440 wrote to memory of 4784 4440 OwnCheat.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\OwnCheat\OwnCheat.exe"C:\Users\Admin\AppData\Local\Temp\OwnCheat\OwnCheat.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4440 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1004