Analysis

  • max time kernel
    14s
  • max time network
    17s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/05/2024, 20:42

General

  • Target

    Software.exe

  • Size

    688.5MB

  • MD5

    b746279f1978db41a412a40e5eb2686b

  • SHA1

    aa59ee5962b1770879aaf18fe4145ac47febde2b

  • SHA256

    70f24b6921c8fc5903d4384fcb582ecc86a57051f99788beacc66f1828dad560

  • SHA512

    8f6db136f43e53b13b75d8969150b7180d7da66463e65343d9b0696aa062d8d2eaad79f827d4d614b4fc77642986b51d068134af1575ee1e282451fc57520dc8

  • SSDEEP

    12288:eZpE67tlUna3Zu+Gqp30ZB5DaltU/yL981:WW67Ua3zxpEZB5OlmKZ+

Malware Config

Signatures

  • Detect ZGRat V1 1 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Software.exe
    "C:\Users\Admin\AppData\Local\Temp\Software.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 304
      2⤵
      • Program crash
      PID:3632

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2812-8-0x0000000006050000-0x0000000006062000-memory.dmp

    Filesize

    72KB

  • memory/2812-9-0x00000000060B0000-0x00000000060EE000-memory.dmp

    Filesize

    248KB

  • memory/2812-2-0x000000007372E000-0x000000007372F000-memory.dmp

    Filesize

    4KB

  • memory/2812-3-0x0000000005580000-0x0000000005A7E000-memory.dmp

    Filesize

    5.0MB

  • memory/2812-4-0x0000000005080000-0x0000000005112000-memory.dmp

    Filesize

    584KB

  • memory/2812-5-0x0000000005200000-0x000000000520A000-memory.dmp

    Filesize

    40KB

  • memory/2812-1-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

  • memory/2812-6-0x00000000065D0000-0x0000000006BD6000-memory.dmp

    Filesize

    6.0MB

  • memory/2812-15-0x00000000089D0000-0x0000000008EFC000-memory.dmp

    Filesize

    5.2MB

  • memory/2812-7-0x0000000006120000-0x000000000622A000-memory.dmp

    Filesize

    1.0MB

  • memory/2812-10-0x0000000006230000-0x000000000627B000-memory.dmp

    Filesize

    300KB

  • memory/2812-11-0x00000000063C0000-0x0000000006426000-memory.dmp

    Filesize

    408KB

  • memory/2812-12-0x0000000006D60000-0x0000000006DD6000-memory.dmp

    Filesize

    472KB

  • memory/2812-13-0x00000000065A0000-0x00000000065BE000-memory.dmp

    Filesize

    120KB

  • memory/2812-14-0x0000000007EA0000-0x0000000008062000-memory.dmp

    Filesize

    1.8MB

  • memory/4776-0-0x0000000001120000-0x0000000001121000-memory.dmp

    Filesize

    4KB