Overview

overview

10

Static

static

3

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-04-2024 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    157KB

  • MD5

    5790d1417f8f00bd7ec6fb7011c79d9c

  • SHA1

    36076ed9457c45d94e664ea291eb01e5c70d084b

  • SHA256

    ad07503bc046f5b3d65eb61646fa826bc39560916c6e1ef2c3437b6465b30a82

  • SHA512

    b19195510624ad16a4730282c97b68d05e4890a33d91f86f24eaf921e23e7786649e4e31aaaec2d9d6c7bb3695c615851d7aed3e53b13083e03acbc8d0543ef0

  • SSDEEP

    3072:XahKyd2n31D5GWp1icKAArDZz4N9GhbkrNEk1eT:XahOfp0yN90QEB

Score
10/10
meduzazgratcollectionpersistenceratstealer

Malware Config

Extracted

Family

meduza

C2

109.107.181.83

Signatures

  • Detect ZGRat V1 35 IoCs
  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 3 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3224
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • outlook_office_path
        • outlook_win_path
        PID:2036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe' -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:408
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
    Filesize

    6KB

    MD5

    f7930c4859ccd34bd2b80a9995f49926

    SHA1

    8b5b95fb51619e20246f90d60f2137da7654fc5e

    SHA256

    163969ebee8180e125eb00c02307adda1eb31174ba6f7e011b7b4b3441d8950a

    SHA512

    8f5a440541b227083f3d2a3a251758bf699a290db3c066ae3209d4c2df5e1e933b9c24cd4c0da0a7f3cb6ca0ce025acf22f65cc06ee1e306ecb9b1318a223a43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsiibilitylead.exe
    Filesize

    6KB

    MD5

    a0c8b99e0780c3e8f8319f5ec3abf9f4

    SHA1

    561a59a4d6af134797b2e2907590efee9e519ca3

    SHA256

    4588ad64c432d7a20ba41949327be873c25f7eaa0cbba71b3435463739510035

    SHA512

    30bd51b731ab989188ae3597f37ba74d56d78287afcb2c2243f657a131618ba6e83d34b82253b6d42efab7a01da0397fb496478628393b4cffca4c907d39f961

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_evjp1g4s.gsh.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/408-5113-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/408-4919-0x0000023DDD410000-0x0000023DDD432000-memory.dmp

    Filesize

    136KB

    Download

  • memory/408-4909-0x0000023DDD260000-0x0000023DDD270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/408-4908-0x0000023DDD260000-0x0000023DDD270000-memory.dmp

    Filesize

    64KB

    Download

  • memory/408-4907-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2036-7550-0x0000000140000000-0x00000001400DA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2036-6313-0x0000000140000000-0x00000001400DA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/2036-4903-0x0000000140000000-0x00000001400DA000-memory.dmp

    Filesize

    872KB

    Download

  • memory/3224-32-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-2154-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3224-26-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-28-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-30-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-22-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-34-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-36-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-38-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-40-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-42-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-44-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-46-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-48-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-52-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-50-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-58-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-56-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-54-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-60-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-62-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-64-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-68-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-70-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-66-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-72-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-74-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-24-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-2803-0x00000264FC050000-0x00000264FC060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3224-4893-0x00000264F9F40000-0x00000264F9F41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3224-4894-0x00000264FBF80000-0x00000264FC032000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3224-4895-0x00000264FD5D0000-0x00000264FD61C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3224-4897-0x00000264FD820000-0x00000264FD874000-memory.dmp

    Filesize

    336KB

    Download

  • memory/3224-4902-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3224-20-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-18-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-16-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-14-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-12-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-11-0x00000264FC2A0000-0x00000264FC511000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3224-10-0x00000264FC2A0000-0x00000264FC516000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/3224-7-0x00000264F9B50000-0x00000264F9B56000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3224-8-0x00007FFD014C0000-0x00007FFD01F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3224-9-0x00000264FC050000-0x00000264FC060000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3836-4929-0x0000000007160000-0x0000000007416000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/3836-4930-0x00000000079D0000-0x0000000007F74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3836-4931-0x0000000007600000-0x0000000007692000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3836-4925-0x00000000057E0000-0x00000000057F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3836-4921-0x00000000747F0000-0x0000000074FA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3836-7175-0x00000000747F0000-0x0000000074FA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3836-7476-0x00000000057E0000-0x00000000057F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3836-4920-0x0000000000E50000-0x0000000000E58000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3836-9819-0x0000000006060000-0x0000000006061000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3836-9820-0x0000000006240000-0x0000000006334000-memory.dmp

    Filesize

    976KB

    Download

  • memory/3836-9821-0x00000000065E0000-0x0000000006646000-memory.dmp

    Filesize

    408KB

    Download