meduza | 59385f6feee48f96244e854d7427a9704f72e1e165b3ecf0ff294bf808a562fe

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc.exe
Size

1.2MB
MD5

8e42154340d1bbc53124f99ba0c32f4c
SHA1

040ab2d5c10313dbc2a90bea01e7be35be26e533
SHA256

907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc
SHA512

bd32fb25575d90a0bc7f9e79c6dec2fcf0874f9be630cb71d438b267e03d28b37d085e0a24b19b325ae0801a8f4f50626c428b464c703aebefad976c23be7ff2
SSDEEP

24576:vfLGjUJ+7ewtyRYd41pdz8Z7tmvZZCEP9cEeGcMo0cHTCPTEFhEOsDObVCAih:nUsCegqgZBmZZCEVKGcM0zCLyhJsAKh

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral2/memory/3184-34-0x0000018F267A0000-0x0000018F26873000-memory.dmp	family_meduza
behavioral2/memory/3184-36-0x0000018F267A0000-0x0000018F26873000-memory.dmp	family_meduza

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 440 created 3376	440	Downloading.pif	56

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Downloading.pif

Executes dropped EXE 2 IoCs

pid	Process
440	Downloading.pif
3184	Downloading.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Downloading.pif
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Downloading.pif
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Downloading.pif
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Downloading.pif
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Downloading.pif

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	api.ipify.org
39	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 440 set thread context of 3184	440	Downloading.pif	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3520	tasklist.exe
4680	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1060	PING.EXE
3800	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
440	Downloading.pif
440	Downloading.pif
440	Downloading.pif
440	Downloading.pif
440	Downloading.pif
440	Downloading.pif
440	Downloading.pif
440	Downloading.pif
3184	Downloading.pif
3184	Downloading.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3520	tasklist.exe
Token: SeDebugPrivilege	4680	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
440	Downloading.pif
440	Downloading.pif
440	Downloading.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
440	Downloading.pif
440	Downloading.pif
440	Downloading.pif

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2672	1804	907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc.exe	88
PID 1804 wrote to memory of 2672	1804	907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc.exe	88
PID 1804 wrote to memory of 2672	1804	907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc.exe	88
PID 2672 wrote to memory of 3520	2672	cmd.exe	92
PID 2672 wrote to memory of 3520	2672	cmd.exe	92
PID 2672 wrote to memory of 3520	2672	cmd.exe	92
PID 2672 wrote to memory of 944	2672	cmd.exe	93
PID 2672 wrote to memory of 944	2672	cmd.exe	93
PID 2672 wrote to memory of 944	2672	cmd.exe	93
PID 2672 wrote to memory of 4680	2672	cmd.exe	95
PID 2672 wrote to memory of 4680	2672	cmd.exe	95
PID 2672 wrote to memory of 4680	2672	cmd.exe	95
PID 2672 wrote to memory of 3760	2672	cmd.exe	96
PID 2672 wrote to memory of 3760	2672	cmd.exe	96
PID 2672 wrote to memory of 3760	2672	cmd.exe	96
PID 2672 wrote to memory of 2372	2672	cmd.exe	98
PID 2672 wrote to memory of 2372	2672	cmd.exe	98
PID 2672 wrote to memory of 2372	2672	cmd.exe	98
PID 2672 wrote to memory of 2808	2672	cmd.exe	99
PID 2672 wrote to memory of 2808	2672	cmd.exe	99
PID 2672 wrote to memory of 2808	2672	cmd.exe	99
PID 2672 wrote to memory of 4756	2672	cmd.exe	100
PID 2672 wrote to memory of 4756	2672	cmd.exe	100
PID 2672 wrote to memory of 4756	2672	cmd.exe	100
PID 2672 wrote to memory of 2224	2672	cmd.exe	101
PID 2672 wrote to memory of 2224	2672	cmd.exe	101
PID 2672 wrote to memory of 2224	2672	cmd.exe	101
PID 2672 wrote to memory of 440	2672	cmd.exe	102
PID 2672 wrote to memory of 440	2672	cmd.exe	102
PID 2672 wrote to memory of 1060	2672	cmd.exe	103
PID 2672 wrote to memory of 1060	2672	cmd.exe	103
PID 2672 wrote to memory of 1060	2672	cmd.exe	103
PID 440 wrote to memory of 3184	440	Downloading.pif	108
PID 440 wrote to memory of 3184	440	Downloading.pif	108
PID 440 wrote to memory of 3184	440	Downloading.pif	108
PID 440 wrote to memory of 3184	440	Downloading.pif	108
PID 3184 wrote to memory of 4392	3184	Downloading.pif	109
PID 3184 wrote to memory of 4392	3184	Downloading.pif	109
PID 4392 wrote to memory of 3800	4392	cmd.exe	111
PID 4392 wrote to memory of 3800	4392	cmd.exe	111

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Downloading.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Downloading.pif

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc.exe
  "C:\Users\Admin\AppData\Local\Temp\907706946fe86a55bf29fefb4e5d2d0f0f490bd1b565cb39bdf8daad60acabfc.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c move Sword Sword.bat && Sword.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3520
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4680
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 448324
      4⤵
      PID:2372
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "ExplainedApSegaWants" Buck
      4⤵
      PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 448324\Downloading.pif + Kirk + Resume + Environmental + Adjust + Optimal 448324\Downloading.pif
      4⤵
      PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Move + W + Skype + Besides + Winds 448324\L
      4⤵
      PID:2224
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\448324\Downloading.pif
      448324\Downloading.pif 448324\L
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:440
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1060
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\448324\Downloading.pif
  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\448324\Downloading.pif
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:3184
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\448324\Downloading.pif"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\448324\Downloading.pif

Filesize
28B

MD5
8aa97c77b47172bf01434da95ae35957

SHA1
d5003133030a8b3162a37107a374bdc400d21957

SHA256
a797eb9f33292fd5cca5c741701b2aab9ac05662f9ae3b482352e326f73da04e

SHA512
cbe77641809b8ba3257d41b00d9e603a5a284488c20314a8d309d358e8a5793cacc8f3080842b98ec11a95d681882f93e2449b3594d7057c7d4625ceada4ac8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\448324\Downloading.pif

Filesize
990KB

MD5
7e778aecb67efac6252d3664087209e3

SHA1
e710316dae046e32f9011cabd2b68342a0d02626

SHA256
e528c2a6706b5ad536c7d5b745fbb037ae5ed197df4d687321eeb119c60007b3

SHA512
b459f0dd30d70eadadf79e52dfa97e186fb9a679d37c5c03cde23671fe28b987a8505e519b7586893c6b8728365f295c2aaf98794013301c2cc907feb349d65e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\448324\L

Filesize
1.2MB

MD5
4a0b073d4a765c476a112964df5ff1c8

SHA1
032907067a8df3e5cd18606ae4076084e7095ce8

SHA256
32c835301815d1e0660efc9c09375caaeb75f90d2b1f77c6ceae295c156f80b4

SHA512
826487d9a5b137697c213b169a56754e52d2c2f7d2c43623726caa98e1520c3543c73ca4254968b5d7f6ba40abedcc24efcc2c1707a70544679baa7a5e021cad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Adjust

Filesize
136KB

MD5
5f998222206b54a015de203d50013919

SHA1
0f0c03ee1d535c5ab9a11f7b0cb0fd0cd17f3250

SHA256
096c03a100040e3aa18471b45cb8676cffa084e14048ff25e2baa3b9ee6be286

SHA512
56d2b681e4f6bf116907b9e56b30851f56580018fb07ea5c1646eb8c78a01d367c0f9a048321abc8e57f53a76b164f6ee10259a70bc3396efe110bbe53a713cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Besides

Filesize
245KB

MD5
e6f59e2d5eb54747cf837c35e9df9fe3

SHA1
d9ad2413360d2acc0b3a23b959a927a3530f3462

SHA256
c5562d70a3486e40af0d77231324f6415383b676cd37d2be60a52f3066d159c4

SHA512
79939286d29c420460dc16a0c92947fa7f02d7cf74b342e7545224c61b9c630815320a1d7a75d075cb0f96fbcfcb6e242e60ea7fbd66c9a86a42a09f60f4b497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Buck

Filesize
50B

MD5
6268ac4040c9c50d6cc138f00d1ff031

SHA1
b0474a799086ad83f26ac4c94990b18f791e58ab

SHA256
4f8b24e2a41f06385a217d2cf3ba9118e3c9ff2e1af4898f8818ab6b4b47d608

SHA512
fca29346189cbe532c740ac2af77f270a76e7e0239c81f1af13421846c5396ea69b2f19e31e5554e3803b2a15a9f0d84a28a160d0d62150570fce29fc180407f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Environmental

Filesize
298KB

MD5
bfd5e0f0435f2984613b57209faefb96

SHA1
57d35bf49135e2e552453a983a0bd3bab1c2b93f

SHA256
6bb78419c4697b5287cf6f9b31d66357ee7a907c8b432a097bebb5f6bad403dc

SHA512
7ebefa19f63074445066c30722090eb553f095bdbbf7b31b1334a8fb539de7f4818167987115ba1485d1f3e834490ea45866d42549b25882548cf03cdd9ef108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kirk

Filesize
226KB

MD5
80e5c12559f7db2eff61d9c75d8916ed

SHA1
f6010cb54f65f2fd781bbcac052581ba5eac3bc5

SHA256
78cb40e0df6752c4454168d11f4af632825d95aeaf2901b475549b8fa6e860e7

SHA512
ab34f30f4d157398d172e1fc6cd68625150f6781ee7bd9cb803d3e09248aea52339be30161ff1ad38a33624391087307a1b06fa270a719dd8b3e5785e7248fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Move

Filesize
290KB

MD5
e315eec0df8fa4518bcea1a2d74e75c8

SHA1
81e7cf34cb69e2196dd60ca0eb8ad9d7b1c8a2c6

SHA256
a2f1a59c5715117971c921258f1ee3f0d065dd695810c4924e150a518b02a437

SHA512
745187fb15036640fa6e9b1bcc163a985ee774e84580fdd2c76e89a7546c9ccbbf8d18e8706dd215cf20d3be77c78ae22af06a204e75c1fe937ae21901729560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimal

Filesize
131KB

MD5
f72ea29a6ba0b7ba31239d5555f8d4c0

SHA1
1859148e0396f7d1c97212f825fd412ae311e589

SHA256
2cac89fb2c6f1153b8a9e824e7e934fbb969c01f626fbaf65d3411d9e8b4c962

SHA512
53131d9137dd357ab0c0d09db1ac19698bd604b3f70f08b37bca9d9599f77f2abe205104ab2ed00f163736f104e6233ac54aba7c9d57ad944fb2b9412a0a9765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Resume

Filesize
199KB

MD5
d36c9e3b7c98f094f3a3a2026c7f5d40

SHA1
bcbc3b22b164146ae8a108c256211114cd557524

SHA256
08d11b731018d74681d829202e8926ed547023aaeea764bb3d6f426f2e531883

SHA512
abf4a4d02455ceb0f7df0f9654c72f5539cf60e7f5fae0efca309927576a1f229713c5918fd2c2ccb8c2c3757d22463bdedda3742ecd4b093ad1e2a7309d31b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Skype

Filesize
266KB

MD5
74c926a03678fbdb41d0b347e9968f54

SHA1
3e20927c48eaa226aff887fd199a109cc268d846

SHA256
12c7a7d489c0c2032fd37edaf8c0616e4ff44e0d2f6ed0b9ebdae834d262d764

SHA512
4cbf5c2f64e9c2826ebf5cbdb97e03d55dde7470a95e7aac2f80e3e98bd4606f9b97b368c3229c4a4a1014a55c905480aaf32a748f48c1c24b0632de584f0d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sword

Filesize
19KB

MD5
79dabe9b028f94d9af71be6224b0a58f

SHA1
ae6c5eebe69bc60d4a55ca30e08a5a8ddb4feb5e

SHA256
f6238ef450cbf68796a99593c18eb1e64d359263c77baf4aec1acb942fe808ee

SHA512
3d5680d18e86a66f4e430b5de76c6d73114328ea2ef59b98f0d1c69fc746bf1c4ad45850db14172fa9936e51566cd13c413a63bf830f884ef919cdef2cdd5743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\W

Filesize
252KB

MD5
38c9e1bcc01e87e599cac5a8772bf25e

SHA1
35abdd6e42088e131d0151a3027c634932322b50

SHA256
80810fa392f77775e1415507bde2a6c7a3a18cc442494db47e089c64886694d8

SHA512
f154380b9ca0059342d705b35b97e246d87e82ae63491fdfea32a399f3b6c89d56fd46bbabb9e00ccf32e1d0afbdacc84cec9581ba2e4acd69ce62991c33bb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Winds

Filesize
223KB

MD5
3ea30d6c00dee320fab47266261cc4d4

SHA1
c4b062d349ea502580c2b846e2a3dcce0ad19985

SHA256
ddef45c206e72ac0ab26c1793cfd8bb8f2c34ca6acc7f3bdc196b0fc2ddcf04a

SHA512
d5ec23930a5519e4f92c28a89bd15caca219f12c1d10ff1377a2e519fa5121598bd5bb23e0f3121e2684a68d325329715c686979c7e323e919afa502dcedaf2a

Download Submit
memory/440-31-0x0000026221AA0000-0x0000026221AA1000-memory.dmp

Filesize
4KB

Download
memory/3184-33-0x0000018F267A0000-0x0000018F26873000-memory.dmp

Filesize
844KB

Download
memory/3184-34-0x0000018F267A0000-0x0000018F26873000-memory.dmp

Filesize
844KB

Download
memory/3184-36-0x0000018F267A0000-0x0000018F26873000-memory.dmp

Filesize
844KB

Download