Analysis

  • max time kernel
    149s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/05/2024, 14:16

General

  • Target

    OwnCheat.rar

  • Size

    170.3MB

  • MD5

    3ec0351d0e376c32313da6d78df0c69b

  • SHA1

    e9ba4328f5db2af7335b309fd610237481604451

  • SHA256

    ddfbd3bdb5abf02dc0f519de669b56b27dd866b2e93193e4958a8b0825bf019c

  • SHA512

    9215826453c6643308f141e0a49e4c5c742510cf0d96b6da51f95016fccbab353e19fefa634c73f95944b801eecbde684acf9c8d9422944d9982f64c22dde12e

  • SSDEEP

    3145728:0YqAq7qufqcWFu3dprtg46lsl/K3Ov7akh8xpQhOfEKN3gaq1ggTEM8aGp:0YlSquNWFuN3ysNK8GkVhObN3p6BA

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar data.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\OwnCheat.rar"
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:688
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
    PID:764
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:4400
  • C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe
    "C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4660
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:1844
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:2032
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3424
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1160
  • C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe
    "C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID:1288
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2648
  • C:\Windows\System32\_iyiwy.exe
    "C:\Windows\System32\_iyiwy.exe"
    PID:3152
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      • Checks processor information in registry
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.0.1523896926\1384476286" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a9ebfde-4f10-4066-9e3d-06eb9148ca1f} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 1964 1d7781d9e58 gpu
        PID:2064
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.1.1673832774\1652749943" -parentBuildID 20221007134813 -prefsHandle 2352 -prefMapHandle 2320 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2d39ae0-af40-4fcb-b06e-049c5d9c3189} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 2364 1d777b32958 socket
        PID:5104
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.2.9210831\650279896" -childID 1 -isForBrowser -prefsHandle 3308 -prefMapHandle 3304 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41cbec7b-5441-4673-b20f-5def090e8d5d} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3320 1d77c118258 tab
        PID:4728
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.3.1792019170\44276428" -childID 2 -isForBrowser -prefsHandle 3896 -prefMapHandle 3892 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {694cc34b-2ade-4120-8ab3-314595e3de66} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3868 1d77c67d158 tab
        PID:4696
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2936.4.1512588561\135234127" -childID 3 -isForBrowser -prefsHandle 2964 -prefMapHandle 4076 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8eb01344-ace3-4174-ab5b-178116150bd6} 2936 "\\.\pipe\gecko-crash-server-pipe.2936" 3892 1d77aaa8b58 tab
        PID:416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
    Filesize: 2KB
    MD5: 60ad21e008a8447fc1130a9c9c155148
    SHA1: 5dfa21d14dc33de3cc93a463688fe1d640b01730
    SHA256: bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9
    SHA512: 42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6
  • C:\Users\Admin\AppData\Local\Temp\7zE0B27E258\OwnCheat\Addons\lib\ext\cross.ext
    Filesize: 21.5MB
    MD5: dada5d3d71d97009275fe266381bd52b
    SHA1: be421b5c86767be813811869acf569a1ad1dbf3d
    SHA256: 63c3d033bfd95795a555e1ad0b9233c1547cfd7682cca803b31c2a985615d91b
    SHA512: 99d5fb30378029dac8980a902848bbbd0f638b0a5bf058537aa27a21a64dafa9c39674273af4a0d15793065c543d358f1a75559ab9c354d9f7754ca03fde4c51
  • C:\Users\Admin\AppData\Local\Temp\7zE0B27E258\OwnCheat\Addons\lib\images\cursors\win32_LinkNoDrop32x32.gif
    Filesize: 153B
    MD5: 1e9d8f133a442da6b0c74d49bc84a341
    SHA1: 259edc45b4569427e8319895a444f4295d54348f
    SHA256: 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
    SHA512: 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: ecdc05e0e4a7f574f5bb4a56b195838e
    SHA1: 4cfa1a0689a1f58d3506a535c15a5b939a946955
    SHA256: 890a2b8adfbde47da41f5194eccd7b5baf19bc852b5bbcc0c9cfc6a32bffcc52
    SHA512: 6c8343a71d6ee908f59f0e49f37318725cc1af68ffb1533a1464e0587f7a2d71d2d0437b0bd0cc2857e05b98449da431d675bcbbedec9314bc61c31a0d39639c
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\9229c7c0-1d97-4521-86e8-d9d208676cb6
    Filesize: 746B
    MD5: 0812c1f37fe590c53ab998755d6948fb
    SHA1: 079dcffa7f674f6bdaeafb9448d95b3a6d1de9f6
    SHA256: 593c5ff01e7f604cda2fb7d6f54d93b47f6912a332d780fa1907911c5622392a
    SHA512: 3845a5d813bd2c3ef51ae452100b22ea05f5c294cb5b937539585401023ac8a43ac520af877ed6e8718fcba82abd539f307e12aa74421b21cfe55082e21ff616
  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\d7618f18-8d39-4eea-9d84-786f28dfe9ed
    Filesize: 11KB
    MD5: 5b0e0bf6ada858462704a75f51a2653e
    SHA1: c89145488f52a34f255c5bb302a53d4d9e81982c
    SHA256: 2ea7541c6dd6427d463787ca229a5eef0f8341f06bcb7a69135b18589a4e559d
    SHA512: e19ece02ab7bb2209f7293bcc40ac81d420687219545cdb660e4eeb09199a28e0d5951ee8721526ee514de853c916bf674ef281370657b14a5e44f1fe284f548
  • C:\Users\Admin\Desktop\OwnCheat\OwnCheat.exe
    Filesize: 433KB
    MD5: 7e46d11cc986f86dc1210adfc6f51248
    SHA1: 89823c4faf48f75c9578c2e31367bd2d0fd7225a
    SHA256: af8c537868eae76c5616f69dde5d25fa0ac00d9ac60d3afc0eff574830f5c123
    SHA512: 61f4e103115ae908a68ac001d7e73d600ea727646c6daeff0474a6f18102ee70de67e145875827a70a0f7a47138eb55724c266252aa792ef514994328a8aed4d
  • memory/1160-434-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-429-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-435-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-436-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-437-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-438-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-439-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-433-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-427-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/1160-428-0x000001675D020000-0x000001675D021000-memory.dmp
    Filesize: 4KB
  • memory/3424-417-0x0000000006640000-0x0000000006C58000-memory.dmp
    Filesize: 6.1MB
  • memory/3424-426-0x00000000088C0000-0x0000000008DEC000-memory.dmp
    Filesize: 5.2MB
  • memory/3424-425-0x0000000007AB0000-0x0000000007C72000-memory.dmp
    Filesize: 1.8MB
  • memory/3424-424-0x0000000006C60000-0x0000000006C7E000-memory.dmp
    Filesize: 120KB
  • memory/3424-423-0x0000000006CE0000-0x0000000006D56000-memory.dmp
    Filesize: 472KB
  • memory/3424-422-0x0000000006350000-0x00000000063B6000-memory.dmp
    Filesize: 408KB
  • memory/3424-421-0x0000000006120000-0x000000000616C000-memory.dmp
    Filesize: 304KB
  • memory/3424-420-0x00000000060E0000-0x000000000611C000-memory.dmp
    Filesize: 240KB
  • memory/3424-419-0x0000000006080000-0x0000000006092000-memory.dmp
    Filesize: 72KB
  • memory/3424-418-0x0000000006170000-0x000000000627A000-memory.dmp
    Filesize: 1.0MB
  • memory/3424-416-0x0000000005060000-0x000000000506A000-memory.dmp
    Filesize: 40KB
  • memory/3424-415-0x0000000004FC0000-0x0000000005052000-memory.dmp
    Filesize: 584KB
  • memory/3424-414-0x0000000005570000-0x0000000005B14000-memory.dmp
    Filesize: 5.6MB
  • memory/3424-412-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize: 296KB