meduza | 53bcea75646e0a3ff08fea4990c0e3458eb5b518bfdd907444485499803ba25d

Analysis

max time kernel
89s
max time network
87s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-04-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clik.exe
Size

14.1MB
MD5

a2db986f46fc915b6b9b65d0d8b2c92f
SHA1

2aca2a24c33ea49c99365438cf4eee6c42fa73ed
SHA256

53bcea75646e0a3ff08fea4990c0e3458eb5b518bfdd907444485499803ba25d
SHA512

3e7346aba18a18c0e2fcb57baf2822cca67da175c8b7dfd675b1b5cd78092051e7443eac156a954297c16623f9c74cad4347ef015682282bec57fb056435652d
SSDEEP

393216:PXIJM3GodH2ThNzd4VQpier42zXfDmITsttRugNId:fUuozdshA4iXf/iuFd

Score

10^/10

meduza zgrat collection persistence rat stealer

Malware Config

Extracted

Family

meduza

109.107.181.83

Signatures

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1456-10-0x000002BDC0480000-0x000002BDC06FE000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-14-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-28-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-44-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-74-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-72-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-70-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-68-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-66-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-64-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-60-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-58-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-56-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-62-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-54-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-52-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-50-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-48-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-46-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-40-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-38-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-36-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-42-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-34-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-32-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-30-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-26-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-24-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-20-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-22-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-18-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-12-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-16-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/1456-11-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/4256-4941-0x0000000009390000-0x0000000009646000-memory.dmp	family_zgrat_v1

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3508-4903-0x0000000140000000-0x00000001400E9000-memory.dmp	family_meduza
behavioral1/memory/3508-7729-0x0000000140000000-0x00000001400E9000-memory.dmp	family_meduza

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 2 IoCs

Processes:

chalengesophisticated.exechallengesophisticated.exe

pid process

1456 chalengesophisticated.exe
4256 challengesophisticated.exe

pid	process
1456	chalengesophisticated.exe
4256	challengesophisticated.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

clik.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	clik.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
3 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

chalengesophisticated.exe

description pid process target process

PID 1456 set thread context of 3508 1456 chalengesophisticated.exe InstallUtil.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeInstallUtil.exe

pid process

2712 powershell.exe
2712 powershell.exe
2712 powershell.exe
3508 InstallUtil.exe
3508 InstallUtil.exe

flow	ioc
4	api.ipify.org
3	api.ipify.org

description	pid	process	target process
PID 1456 set thread context of 3508	1456	chalengesophisticated.exe	InstallUtil.exe

pid	process
2712	powershell.exe
2712	powershell.exe
2712	powershell.exe
3508	InstallUtil.exe
3508	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

chalengesophisticated.exepowershell.exechallengesophisticated.exe

description	pid	process
Token: SeDebugPrivilege	1456	chalengesophisticated.exe
Token: SeDebugPrivilege	1456	chalengesophisticated.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	4256	challengesophisticated.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

clik.exechalengesophisticated.exe

description	pid	process	target process
PID 4192 wrote to memory of 1456	4192	clik.exe	chalengesophisticated.exe
PID 4192 wrote to memory of 1456	4192	clik.exe	chalengesophisticated.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 3508	1456	chalengesophisticated.exe	InstallUtil.exe
PID 1456 wrote to memory of 2712	1456	chalengesophisticated.exe	powershell.exe
PID 1456 wrote to memory of 2712	1456	chalengesophisticated.exe	powershell.exe
PID 4192 wrote to memory of 4256	4192	clik.exe	challengesophisticated.exe
PID 4192 wrote to memory of 4256	4192	clik.exe	challengesophisticated.exe
PID 4192 wrote to memory of 4256	4192	clik.exe	challengesophisticated.exe

outlook_office_path 1 IoCs

Processes:

InstallUtil.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\clik.exe
"C:\Users\Admin\AppData\Local\Temp\clik.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chalengesophisticated.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chalengesophisticated.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chalengesophisticated.exe' -Force
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\challengesophisticated.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\challengesophisticated.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chalengesophisticated.exe
Filesize
14.5MB

MD5
66d0f556615ce40c851f1b7347773570

SHA1
5bf87f9716e522cf4f77a03fd7caa3ed94ad7882

SHA256
725e9172a1aafa7d2e4bdf37257df0d67f6c307035f7ad893a0bc5dad58dd199

SHA512
4a67a0173a3073b4b177a2e5d42dc62c8b3a5c159d82c73fa177f439880df14c6e7b7b2d8dec855b3fc0ceb7cb395d85cec40e5d5e31ebe8fa089e0e8282137f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\challengesophisticated.exe
Filesize
16.4MB

MD5
aee8e83de9876ffaf39c78af9e288505

SHA1
5099fa9c38a612ed01b452bbfe36cd7c529deccc

SHA256
94e7120a4b7e58905de44f90abdce85f3ce97669249563ca50680dcecdd5bc7c

SHA512
1019222635fcf1b8477d19177e77dedbdbcac4eecf3bb096dc60204448eca653771fc33fb124bfb79e9bcf5d5de68a4fd61cf18d7dc8cbfc2e538aa4713e5ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sa13sz3d.dks.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1456-7-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/1456-8-0x000002BDA4610000-0x000002BDA5494000-memory.dmp

Filesize
14.5MB

Download
memory/1456-9-0x000002BDA70F0000-0x000002BDA7100000-memory.dmp

Filesize
64KB

Download
memory/1456-10-0x000002BDC0480000-0x000002BDC06FE000-memory.dmp

Filesize
2.5MB

Download
memory/1456-14-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-28-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-44-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-74-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-72-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-70-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-68-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-66-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-64-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-60-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-58-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-56-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-62-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-54-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-52-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-50-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-48-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-46-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-40-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-38-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-36-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-42-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-34-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-32-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-30-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-26-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-24-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-20-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-22-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-18-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-12-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-16-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-11-0x000002BDC0480000-0x000002BDC06F8000-memory.dmp

Filesize
2.5MB

Download
memory/1456-4891-0x000002BDA70A0000-0x000002BDA70A1000-memory.dmp

Filesize
4KB

Download
memory/1456-4892-0x000002BDBFAA0000-0x000002BDBFB5A000-memory.dmp

Filesize
744KB

Download
memory/1456-4893-0x000002BDA7100000-0x000002BDA714C000-memory.dmp

Filesize
304KB

Download
memory/1456-4894-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/1456-4895-0x000002BDA70F0000-0x000002BDA7100000-memory.dmp

Filesize
64KB

Download
memory/1456-4897-0x00007FFB79180000-0x00007FFB7935B000-memory.dmp

Filesize
1.9MB

Download
memory/1456-4898-0x000002BDBFA30000-0x000002BDBFA84000-memory.dmp

Filesize
336KB

Download
memory/1456-4904-0x00007FFB5D420000-0x00007FFB5DE0C000-memory.dmp

Filesize
9.9MB

Download
memory/1456-4905-0x00007FFB79180000-0x00007FFB7935B000-memory.dmp

Filesize
1.9MB

Download
memory/2712-4913-0x000001C529010000-0x000001C529032000-memory.dmp

Filesize
136KB

Download
memory/2712-4916-0x000001C5417B0000-0x000001C541826000-memory.dmp

Filesize
472KB

Download
memory/3508-4903-0x0000000140000000-0x00000001400E9000-memory.dmp

Filesize
932KB

Download
memory/3508-7729-0x0000000140000000-0x00000001400E9000-memory.dmp

Filesize
932KB

Download
memory/4256-4917-0x0000000000840000-0x00000000018AC000-memory.dmp

Filesize
16.4MB

Download
memory/4256-4934-0x0000000006170000-0x0000000006202000-memory.dmp

Filesize
584KB

Download
memory/4256-4941-0x0000000009390000-0x0000000009646000-memory.dmp

Filesize
2.7MB

Download
memory/4256-4942-0x0000000009B50000-0x000000000A04E000-memory.dmp

Filesize
5.0MB

Download