Overview

overview

10

Static

static

3

phantom.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    167s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 12:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    phantom.exe

  • Size

    5.5MB

  • MD5

    e659b6b749fca9d7e3f180d4ab7ab9e7

  • SHA1

    0b1e82833c266eed2d2674360eb2a99c7abab798

  • SHA256

    a162e0a322aaa6aa33b9f612d1c4821e53c1ecb6f1eacea332c6a00fd5ceec6f

  • SHA512

    ccaff427db8a1c8914840b80da5d08fc3c31be6f88e09666d0245e41e8090ac4ebb46172b0ed1c6fa54ea86251874ca2345370c8ea9e3750ab32890a257ed38f

  • SSDEEP

    98304:8tt1lBiCkK4x/kWVVjMZQf5bhDvnuTtCOPjqDb9teNYWcWQ38UfxE/wzEP7Svg:8tt1lBi/K4x/kuVjMs5bhDctCOru9teb

Score
10/10
meduzazgratcollectionpersistenceratstealer

Malware Config

Extracted

Family

meduza

C2

109.107.181.83

Signatures

  • Detect ZGRat V1 35 IoCs
  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\phantom.exe
    "C:\Users\Admin\AppData\Local\Temp\phantom.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:1080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
    Filesize

    2.6MB

    MD5

    a325585d782691d4f530403be9ccb56a

    SHA1

    f6c2e81481053b1e868b59d0fe4c1ebfa69b6f66

    SHA256

    ae3dea35b32555d0106dcaf376a10732dc311992ac9f02e215299720a8fa001e

    SHA512

    3efe5e2d32b3b2daccefbad8f2f46def1fb96730726dc4ff6688c5a8a7d039054db83bfb38bb387e50f4d567c1e9b4150772943a43a9e9b6aad1996234dd1a72

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
    Filesize

    2.9MB

    MD5

    e8c8c64d998f7c9f126c17f652c0f923

    SHA1

    83400b545c7d726dedbf3d9d589abde3134e25c0

    SHA256

    753c941c37db0e6f3000f7ed281052342a4fd239087741a292026ecef0567065

    SHA512

    7364a29cd29eef92ded400a7f54914958f03aec521826d59efe95e924b0c1502265418c7082bb0cbd049c617a9c01eb8f5d2f7be4336e5fbd397d7184562c751

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xblitwi.jgy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1080-4903-0x0000000140000000-0x00000001400DA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/1080-5760-0x0000000140000000-0x00000001400DA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2736-57-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-15-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-10-0x000002324AA60000-0x000002324ACD4000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/2736-11-0x000002324ACD0000-0x000002324AF46000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/2736-12-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-13-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-61-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-17-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-19-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-21-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-23-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-25-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-27-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-29-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-31-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-33-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-35-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-37-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-39-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-41-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-43-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-45-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-47-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-49-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-51-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-63-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-59-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-8-0x00007FFB92E60000-0x00007FFB93921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2736-55-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-9-0x000002324AA50000-0x000002324AA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-53-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-65-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-67-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-69-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-71-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-73-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-75-0x000002324ACD0000-0x000002324AF3F000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2736-1704-0x00007FFB92E60000-0x00007FFB93921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2736-2133-0x000002324AA50000-0x000002324AA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2736-4894-0x0000023230860000-0x0000023230861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-4895-0x00000232321F0000-0x00000232322A2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2736-4896-0x000002324A980000-0x000002324A9CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2736-4898-0x000002324A9D0000-0x000002324AA24000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2736-4904-0x00007FFB92E60000-0x00007FFB93921000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2736-7-0x0000023230210000-0x00000232304B8000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2960-4934-0x00000000068E0000-0x0000000006972000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2960-4933-0x0000000006DF0000-0x0000000007394000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2960-4931-0x0000000005190000-0x0000000005446000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2960-6013-0x0000000075280000-0x0000000075A30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2960-4908-0x0000000075280000-0x0000000075A30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2960-4919-0x0000000000490000-0x000000000077C000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2960-4923-0x0000000005180000-0x0000000005190000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2960-4932-0x0000000006580000-0x0000000006838000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/5048-4924-0x000001AC5EC90000-0x000001AC5ECA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5048-4922-0x000001AC5EC90000-0x000001AC5ECA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5048-4921-0x000001AC5EC90000-0x000001AC5ECA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5048-5052-0x00007FFB92F00000-0x00007FFB939C1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5048-4918-0x000001AC46710000-0x000001AC46732000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5048-4920-0x00007FFB92F00000-0x00007FFB939C1000-memory.dmp

    Filesize

    10.8MB

    Download