Analysis Overview
SHA256
f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c
Threat Level: Known bad
The file f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
ZGRat
Detects Healer an antivirus disabler dropper
Detect ZGRat V1
RedLine payload
RedLine
Healer
Detects executables packed with ConfuserEx Mod
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-02 05:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-02 05:45
Reported
2024-05-02 05:48
Platform
win10v2004-20240419-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
ZGRat
Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with ConfuserEx Mod
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe
"C:\Users\Admin\AppData\Local\Temp\f90a36f4d63973328f1e9574dd259c401f253e2c98a57bbb2f05d728dcb42b3c.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3636 -ip 3636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 1100
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| RU | 185.161.248.143:38452 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\04447002.exe
| MD5 | 70fad5d9c3ad01581c79278f9c66d972 |
| SHA1 | fb09bd9838bb98426271705ddd7a0f0c9e2584f3 |
| SHA256 | 2ebcf392616d2eb2128f1cce9f537dfc98783d1595806ac0be0959fea856211c |
| SHA512 | 49c6550cde46e643754ea13bf8bfce59724e42cca08753956297f25b604d5ca89866718c66f1cc750158805fc7c74eb2f635bbb95d7d0049cbf0048813da60d8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rk664141.exe
| MD5 | 3ea494f11fa64d263fa40ef7b07c6c52 |
| SHA1 | f44d0431f2a36645701e4b04509eaeb946e8e7e7 |
| SHA256 | 29779782e75937b7bb2e85096c1ee4b3a7db913b0b2991c583bb2e8918c8541c |
| SHA512 | 4c1ba94a57ed4ec18be4ab91805eb574016e64953105d06c4ebf754f56411b03f7b475901a98e5f7e16885035618bedc01f79bf035adc33d9215359802530ff5 |