Overview

overview

10

Static

static

3

02630c6807...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-05-2024 18:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02630c6807b1768945982cea05183cf7bad463086ac8c49952e07341ab222438.exe

  • Size

    697KB

  • MD5

    48ecd4c2c9849d8701040a3a9e2d0a67

  • SHA1

    fef7aaa0f13be6aae3fbf4ded8b2df279483ce41

  • SHA256

    02630c6807b1768945982cea05183cf7bad463086ac8c49952e07341ab222438

  • SHA512

    7df9da60e1770c095e1d13439901bb5090646b3ec9f29184c45fbc94689cc8a6d6fcf37c7379b49c5bbd752428aa5f66ec31125f5647436f98c8090320dc7246

  • SSDEEP

    12288:Sy90GG9JuAv0lM7YlCh9U755YtWQr5qh5m5RuYjEcYDRASiefezoHv:SyfGX1clerWQrsh5kuYIeSFv

Score
10/10
healerredlinezgratdropperevasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • Detect ZGRat V1 20 IoCs
  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 17 IoCs
  • Detects executables packed with ConfuserEx Mod 20 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02630c6807b1768945982cea05183cf7bad463086ac8c49952e07341ab222438.exe
    "C:\Users\Admin\AppData\Local\Temp\02630c6807b1768945982cea05183cf7bad463086ac8c49952e07341ab222438.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631381.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631381.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr728972.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr728972.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:696
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 1092
          4⤵
          • Program crash
          PID:4436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu140821.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu140821.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2580
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 696 -ip 696
    1⤵
      PID:2576

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un631381.exe
      Filesize

      543KB

      MD5

      0eaf8fcd29936de80a711b9a5cc80c15

      SHA1

      ef8a7036f61b746c89c6e3baea41079d871c5151

      SHA256

      aa839d20a319ec45a36129ea3e11362e27ce1bb9dce242f61297d83b8a701639

      SHA512

      15548892dc165aa443cc117ae9c9144d538067805cc2fc7c32822cff93abc81ac007a5e4c2cab261f7e70cccc0ca6992c9ffef7b10c27b26d30c3ddf61cc2213

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr728972.exe
      Filesize

      269KB

      MD5

      758a6e9a842f4296a8e1602263dfb1e9

      SHA1

      e40ffa8883646a539b0307f32356c383c1bbd79c

      SHA256

      d0ea83dc0d1506031e8bfc290448644476fadbc15601ce9e45a3662a3e292994

      SHA512

      565a80209c2d3442f5d81e63d2b9a04794471d68841b24105c35dd298e9cc08ad2f88b8b0c1ebf5de5e11d092369f7a07581b1fc71b569cd8e3021fa433ab268

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu140821.exe
      Filesize

      351KB

      MD5

      d7b62580569d3585ae9c3abc09ab3e19

      SHA1

      a85b792e0953f4311b5c01a7b24a12a405122ec9

      SHA256

      6b7c0c90c05df7d72de9f38261aad290631421952438de4b5d3582a109377448

      SHA512

      140fa84711383749ad6b0945dc7580fc102a5b8e18fa1de4cae60e9f5bd0fafc52d94080c9e22fd2bd84531693be36fbd0354818168f6583f2c3524ae786a805

      Download Submit

    • memory/696-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/696-16-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/696-15-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/696-18-0x0000000004860000-0x000000000487A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/696-19-0x00000000072E0000-0x0000000007884000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/696-20-0x0000000004910000-0x0000000004928000-memory.dmp

      Filesize

      96KB

      Download

    • memory/696-21-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-47-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-44-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-48-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-43-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-40-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-39-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-36-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-34-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-32-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-30-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-28-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-26-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-24-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-22-0x0000000004910000-0x0000000004922000-memory.dmp

      Filesize

      72KB

      Download

    • memory/696-49-0x0000000000400000-0x0000000002BAD000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/696-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/696-51-0x0000000000400000-0x0000000002BAD000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/2580-58-0x0000000007760000-0x000000000779A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2580-78-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-92-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-90-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-89-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-86-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-84-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-82-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-80-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-76-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-852-0x000000000A350000-0x000000000A362000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2580-853-0x000000000A370000-0x000000000A47A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2580-854-0x000000000A490000-0x000000000A4CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2580-851-0x0000000009C90000-0x000000000A2A8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2580-855-0x0000000006CA0000-0x0000000006CEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2580-74-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-72-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-70-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-68-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-66-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-64-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-62-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-60-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-59-0x0000000007760000-0x0000000007795000-memory.dmp

      Filesize

      212KB

      Download

    • memory/2580-57-0x0000000004B00000-0x0000000004B3C000-memory.dmp

      Filesize

      240KB

      Download