Analysis
max time kernel: 14s
max time network: 17s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04/05/2024, 20:42
Static task: static1
General
Target: Software.exe
Size: 688.5MB
MD5: b746279f1978db41a412a40e5eb2686b
SHA1: aa59ee5962b1770879aaf18fe4145ac47febde2b
SHA256: 70f24b6921c8fc5903d4384fcb582ecc86a57051f99788beacc66f1828dad560
SHA512: 8f6db136f43e53b13b75d8969150b7180d7da66463e65343d9b0696aa062d8d2eaad79f827d4d614b4fc77642986b51d068134af1575ee1e282451fc57520dc8
SSDEEP: 12288:eZpE67tlUna3Zu+Gqp30ZB5DaltU/yL981:WW67Ua3zxpEZB5OlmKZ+
Malware Config
Signatures

Detect ZGRat V1 (1 IoC)
  resource: behavioral1/memory/2812-1-0x0000000000400000-0x000000000044A000-memory.dmp
  yara_rule: family_zgrat_v1

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral1/memory/2812-1-0x0000000000400000-0x000000000044A000-memory.dmp
  yara_rule: family_redline

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoC)
  description: PID 4776 set thread context of 2812
  pid: 4776
  Process: Software.exe
  procid_target: 74

Program crash (1 IoC)
  pid: 3632
  pid_target: 4776
  Process: WerFault.exe
  procid_target: 73

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 2812
  Process: RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description: Token: SeDebugPrivilege
  pid: 2812
  Process: RegAsm.exe

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 4776 wrote to memory of 2812 | 4776 | Software.exe | 74
  PID 4776 wrote to memory of 2812 | 4776 | Software.exe | 74
  PID 4776 wrote to memory of 2812 | 4776 | Software.exe | 74
  PID 4776 wrote to memory of 2812 | 4776 | Software.exe | 74
  PID 4776 wrote to memory of 2812 | 4776 | Software.exe | 74
  PID 4776 wrote to memory of 2812 | 4776 | Software.exe | 74
  PID 4776 wrote to memory of 2812 | 4776 | Software.exe | 74
  PID 4776 wrote to memory of 2812 | 4776 | Software.exe | 74
Processes

C:\Users\Admin\AppData\Local\Temp\Software.exe (PID 4776)
  command line: "C:\Users\Admin\AppData\Local\Temp\Software.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2812, child of 4776)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe (PID 3632, child of 4776)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 304
      - Program crash