meduza | fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30

General

Target

fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe
Size

4.1MB
MD5

08c1c75fa8aa4394b1718d8909c8d8d7
SHA1

8c1beb916c0610c398ae7d1eaf45954d6b40083a
SHA256

fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30
SHA512

1911e9fa332e0cce6995c64c1fe3b864d76da59b1fe007192d392abf42c94bfebdc6ea4fbe1ed45df6cd9d53beeac14e0c5ffe15189275b456796dadcaed016f
SSDEEP

49152:xXmM3+IVJiicn3HpKoQyvf7+OngFhpRelaJMuiGXMUjVqrn6BPVc:KdVjnaK8yZG+6Tc

Score

10^/10

meduza collection stealer

Malware Config

Extracted

Family

meduza

C2

5.182.86.229

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 5 IoCs

resource	yara_rule
behavioral2/memory/2880-0-0x0000000140000000-0x00000001400D3000-memory.dmp	family_meduza
behavioral2/memory/2880-1-0x0000000140000000-0x00000001400D3000-memory.dmp	family_meduza
behavioral2/memory/2880-2-0x0000000140000000-0x00000001400D3000-memory.dmp	family_meduza
behavioral2/memory/2880-3-0x0000000140000000-0x00000001400D3000-memory.dmp	family_meduza
behavioral2/memory/2880-12-0x0000000140000000-0x00000001400D3000-memory.dmp	family_meduza

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wmplayer.exe
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wmplayer.exe
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wmplayer.exe
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wmplayer.exe
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wmplayer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3940 set thread context of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
656	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	wmplayer.exe
2880	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 3940 wrote to memory of 2880	3940	fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe	81
PID 2880 wrote to memory of 2896	2880	wmplayer.exe	82
PID 2880 wrote to memory of 2896	2880	wmplayer.exe	82
PID 2896 wrote to memory of 656	2896	cmd.exe	84
PID 2896 wrote to memory of 656	2896	cmd.exe	84

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wmplayer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wmplayer.exe

C:\Users\Admin\AppData\Local\Temp\fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe
"C:\Users\Admin\AppData\Local\Temp\fb1454d4d93e03243d5b4529e65f0580a07e30fb2446fa59efe652eb253adb30.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3940
- C:\Program Files\Windows Media Player\wmplayer.exe
  "C:\Program Files\Windows Media Player\wmplayer.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2880
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Program Files\Windows Media Player\wmplayer.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2880-0-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download
memory/2880-1-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download
memory/2880-2-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download
memory/2880-3-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download
memory/2880-12-0x0000000140000000-0x00000001400D3000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing