Overview

overview

10

Static

static

3

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    5.5MB

  • MD5

    e659b6b749fca9d7e3f180d4ab7ab9e7

  • SHA1

    0b1e82833c266eed2d2674360eb2a99c7abab798

  • SHA256

    a162e0a322aaa6aa33b9f612d1c4821e53c1ecb6f1eacea332c6a00fd5ceec6f

  • SHA512

    ccaff427db8a1c8914840b80da5d08fc3c31be6f88e09666d0245e41e8090ac4ebb46172b0ed1c6fa54ea86251874ca2345370c8ea9e3750ab32890a257ed38f

  • SSDEEP

    98304:8tt1lBiCkK4x/kWVVjMZQf5bhDvnuTtCOPjqDb9teNYWcWQ38UfxE/wzEP7Svg:8tt1lBi/K4x/kuVjMs5bhDctCOru9teb

Score
10/10
meduzazgratpersistenceratstealer

Malware Config

Extracted

Family

meduza

C2

109.107.181.83

Signatures

  • Detect ZGRat V1 35 IoCs
  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4428
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:2520
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4960
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
        2⤵
        • Executes dropped EXE
        PID:2024
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3120

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
        Filesize

        2.6MB

        MD5

        a325585d782691d4f530403be9ccb56a

        SHA1

        f6c2e81481053b1e868b59d0fe4c1ebfa69b6f66

        SHA256

        ae3dea35b32555d0106dcaf376a10732dc311992ac9f02e215299720a8fa001e

        SHA512

        3efe5e2d32b3b2daccefbad8f2f46def1fb96730726dc4ff6688c5a8a7d039054db83bfb38bb387e50f4d567c1e9b4150772943a43a9e9b6aad1996234dd1a72

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
        Filesize

        2.9MB

        MD5

        e8c8c64d998f7c9f126c17f652c0f923

        SHA1

        83400b545c7d726dedbf3d9d589abde3134e25c0

        SHA256

        753c941c37db0e6f3000f7ed281052342a4fd239087741a292026ecef0567065

        SHA512

        7364a29cd29eef92ded400a7f54914958f03aec521826d59efe95e924b0c1502265418c7082bb0cbd049c617a9c01eb8f5d2f7be4336e5fbd397d7184562c751

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2a2ablk.txs.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/2024-4924-0x0000000075120000-0x00000000758D0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2024-4925-0x0000000000F70000-0x000000000125C000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/2024-4928-0x0000000007120000-0x00000000073D8000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/2024-4927-0x0000000005D30000-0x0000000005FE6000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/2024-4926-0x0000000005C20000-0x0000000005C30000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2520-4903-0x0000000140000000-0x00000001400DA000-memory.dmp

        Filesize

        872KB

        Download

      • memory/4428-45-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-57-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-12-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-13-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-15-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-17-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-19-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-21-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-23-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-25-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-27-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-29-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-31-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-33-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-35-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-37-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-39-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-41-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-43-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-10-0x000001D5F9830000-0x000001D5F9AA4000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/4428-47-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-49-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-51-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-53-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-55-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-11-0x000001D5F9AA0000-0x000001D5F9D16000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/4428-59-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-61-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-63-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-65-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-67-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-69-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-71-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-73-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-75-0x000001D5F9AA0000-0x000001D5F9D0F000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/4428-1229-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4428-1628-0x000001D5F9820000-0x000001D5F9830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4428-4894-0x000001D5DF630000-0x000001D5DF631000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4428-4895-0x000001D5F9D10000-0x000001D5F9DC2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/4428-4896-0x000001D5E0F30000-0x000001D5E0F7C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4428-4898-0x000001D5F9790000-0x000001D5F97E4000-memory.dmp

        Filesize

        336KB

        Download

      • memory/4428-4904-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4428-7-0x000001D5DEF70000-0x000001D5DF218000-memory.dmp

        Filesize

        2.7MB

        Download

      • memory/4428-8-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4428-9-0x000001D5F9820000-0x000001D5F9830000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4960-4917-0x00000234D1030000-0x00000234D1052000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4960-4906-0x00000234E95F0000-0x00000234E9600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4960-4905-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4960-4912-0x00000234E95F0000-0x00000234E9600000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4960-4923-0x00007FFC3DC90000-0x00007FFC3E751000-memory.dmp

        Filesize

        10.8MB

        Download