Overview

overview

10

Static

static

3

pclient.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pclient.exe

  • Size

    14.5MB

  • MD5

    6d704657924328cb2dd07aef0bdb8777

  • SHA1

    b61098798c23791490e459899b3e52948e85b857

  • SHA256

    39409db2a70039e2cc325529debbb9179981287e4e9a259c1ff3b45c1ca9e0f4

  • SHA512

    4eb13f851f99a9105ff8386ea0c74b056a10b111c9393ebe4a93ac92c9fa16a24a641e954951b8cbf54d7bf9af2deee605e845b2d954584019eeba95d2b6d407

  • SSDEEP

    393216:DnZ4GTlYjEYCz35SfXCJdzbSJpnYrkVy/+YrzT43DG9UlpC:d4GyjJaJB/U9MkV8Dn43D0UlpC

Score
10/10
meduzapurelogstealerzgratcollectionpersistenceratstealer

Malware Config

Extracted

Family

meduza

C2

109.107.181.83

Signatures

  • Detect ZGRat V1 35 IoCs
  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 2 IoCs
  • PureLog Stealer

    PureLog Stealer is an infostealer written in C#.

    stealerpurelogstealer
  • PureLog Stealer payload 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 3 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 33 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pclient.exe
    "C:\Users\Admin\AppData\Local\Temp\pclient.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:3184
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
      2⤵
      • Executes dropped EXE
      PID:264
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2204
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:500
    • C:\Users\Admin\AppData\Local\Temp\pclient.exe
      "C:\Users\Admin\AppData\Local\Temp\pclient.exe"
      1⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\responsibilitylead.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\responsibilitylead.exe
        2⤵
        • Executes dropped EXE
        PID:1884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      Filesize

      6.6MB

      MD5

      e43b76667963ad1cdf1f1603a1a67b79

      SHA1

      a091aad8999eb8c9b833091044b6d7a0a89e4a4e

      SHA256

      cf3102636a070178cf575bc0e870fda7aa32d94dd6000d46de7205d064b0bd40

      SHA512

      d14c1e47759b176bff29bd2b50ff6abec4714cebc94b3408cb0ee4cecafa290212aac9ca3a5849a1bc4efbea50b9a50fe5d59d465b3245ebca34457a57a1abf1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
      Filesize

      7.9MB

      MD5

      767fd4c24f2997c227aa977a453aeb34

      SHA1

      26b581bb0e595d5ef03408f07a2499eb8f500f9e

      SHA256

      c5e5f095446ed812431560727d42dc89fbca1a4bf776fef36f44be0825e577c8

      SHA512

      1a5eb0d4e1fba3454e8a8396f54acd64f416b137cfdcc9ce6057b680157940b1e53d2088a8fda91e2ce310bd31c6b52bf036649583578750222ccbe32618339f

      Download Submit

    • memory/264-4939-0x0000000074F20000-0x00000000756D0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/264-4969-0x0000000008170000-0x0000000008202000-memory.dmp

      Filesize

      584KB

      Download

    • memory/264-4968-0x0000000008680000-0x0000000008C24000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/264-4964-0x0000000007E10000-0x00000000080C8000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/264-4955-0x00000000057D0000-0x0000000005A88000-memory.dmp

      Filesize

      2.7MB

      Download

    • memory/264-4949-0x00000000057C0000-0x00000000057D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/264-4941-0x00000000005F0000-0x0000000000DE0000-memory.dmp

      Filesize

      7.9MB

      Download

    • memory/1884-4918-0x00007FF95FAA0000-0x00007FF960561000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1884-4920-0x00000256BF640000-0x00000256BF650000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-47-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-59-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-17-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-19-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-21-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-23-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-25-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-27-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-29-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-31-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-33-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-35-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-37-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-39-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-41-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-43-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-45-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-13-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-49-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-51-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-53-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-55-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-57-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-15-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-61-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-63-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-65-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-67-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-69-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-71-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-73-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-75-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-1944-0x00007FF95FAA0000-0x00007FF960561000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2492-2153-0x000001D2286B0000-0x000001D2286C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-4894-0x000001D2286A0000-0x000001D2286A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2492-4895-0x000001D242D60000-0x000001D242E12000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2492-4896-0x000001D228890000-0x000001D2288DC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2492-12-0x000001D2429F0000-0x000001D242C60000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/2492-11-0x000001D2429F0000-0x000001D242C66000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2492-10-0x000001D242700000-0x000001D242974000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2492-9-0x000001D2286B0000-0x000001D2286C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2492-8-0x00007FF95FAA0000-0x00007FF960561000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2492-7-0x000001D227C50000-0x000001D2282E6000-memory.dmp

      Filesize

      6.6MB

      Download

    • memory/2492-4919-0x000001D243010000-0x000001D243064000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2492-4926-0x00007FF95FAA0000-0x00007FF960561000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3184-4925-0x0000000140000000-0x00000001400DA000-memory.dmp

      Filesize

      872KB

      Download

    • memory/3184-5436-0x0000000140000000-0x00000001400DA000-memory.dmp

      Filesize

      872KB

      Download