meduza | 70f06035e9cc9a891f2959b80e3be9bea2ba07b72bce4fac125249c29c0d9d1c

General

Target

Mega.nz Spreader.exe
Size

8.5MB
MD5

56b45c6edd70b8d85df6399eea6d24d1
SHA1

15a65e88ec6dc89e35fef0c5e786ac255d6d4a6e
SHA256

70f06035e9cc9a891f2959b80e3be9bea2ba07b72bce4fac125249c29c0d9d1c
SHA512

55275a2511cbd72ce38732ae9d677b753bf813949338182fe2ecdaf026e7438e219bf287ee88805100ed8768377f63009c4b1655fd5de14c5db41501c16b96cc
SSDEEP

196608:P0akhW+OUggVe3hwHqxogDycV3B7+JULH9XO8WIu:P06+FZKxoM33YURc1

Score

10^/10

meduza discovery pyinstaller stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\api.exe	family_meduza

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

api.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\International\Geo\Nation api.exe
Executes dropped EXE 9 IoCs

Processes:

leaf.exeapi.exelib.exelib.exeleaf.exesvcupdater.exesvcupdater.exesvcupdater.exesvcupdater.exe

pid process

3068 leaf.exe
2104 api.exe
2948 lib.exe
1848 lib.exe
2416 leaf.exe
1604 svcupdater.exe
2100 svcupdater.exe
1616 svcupdater.exe
1660 svcupdater.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\International\Geo\Nation	api.exe

pid	process
3068	leaf.exe
2104	api.exe
2948	lib.exe
1848	lib.exe
2416	leaf.exe
1604	svcupdater.exe
2100	svcupdater.exe
1616	svcupdater.exe
1660	svcupdater.exe

Loads dropped DLL 9 IoCs

Processes:

Mega.nz Spreader.exelib.exelib.exeleaf.exesvcupdater.exesvcupdater.exe

pid	process
1740	Mega.nz Spreader.exe
1740	Mega.nz Spreader.exe
1740	Mega.nz Spreader.exe
2900
2948	lib.exe
1848	lib.exe
3068	leaf.exe
1604	svcupdater.exe
1616	svcupdater.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

leaf.exesvcupdater.exesvcupdater.exe

description	pid	process	target process
PID 3068 set thread context of 2416	3068	leaf.exe	leaf.exe
PID 1604 set thread context of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1616 set thread context of 1660	1616	svcupdater.exe	svcupdater.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\lib.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

schtasks.exesvcupdater.exesvcupdater.exesvcupdater.exeMega.nz Spreader.exeleaf.exeleaf.execmd.exesvcupdater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcupdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mega.nz Spreader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcupdater.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1064 schtasks.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svcupdater.exe

pid process

1660 svcupdater.exe
1660 svcupdater.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svcupdater.exesvcupdater.exe

description pid process

Token: SeDebugPrivilege 2100 svcupdater.exe
Token: SeDebugPrivilege 1660 svcupdater.exe

pid	process
1064	schtasks.exe

pid	process
1660	svcupdater.exe
1660	svcupdater.exe

description	pid	process
Token: SeDebugPrivilege	2100	svcupdater.exe
Token: SeDebugPrivilege	1660	svcupdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Mega.nz Spreader.exelib.exeleaf.exeleaf.execmd.exetaskeng.exesvcupdater.exesvcupdater.exe

description	pid	process	target process
PID 1740 wrote to memory of 3068	1740	Mega.nz Spreader.exe	leaf.exe
PID 1740 wrote to memory of 3068	1740	Mega.nz Spreader.exe	leaf.exe
PID 1740 wrote to memory of 3068	1740	Mega.nz Spreader.exe	leaf.exe
PID 1740 wrote to memory of 3068	1740	Mega.nz Spreader.exe	leaf.exe
PID 1740 wrote to memory of 2104	1740	Mega.nz Spreader.exe	api.exe
PID 1740 wrote to memory of 2104	1740	Mega.nz Spreader.exe	api.exe
PID 1740 wrote to memory of 2104	1740	Mega.nz Spreader.exe	api.exe
PID 1740 wrote to memory of 2104	1740	Mega.nz Spreader.exe	api.exe
PID 1740 wrote to memory of 2948	1740	Mega.nz Spreader.exe	lib.exe
PID 1740 wrote to memory of 2948	1740	Mega.nz Spreader.exe	lib.exe
PID 1740 wrote to memory of 2948	1740	Mega.nz Spreader.exe	lib.exe
PID 1740 wrote to memory of 2948	1740	Mega.nz Spreader.exe	lib.exe
PID 2948 wrote to memory of 1848	2948	lib.exe	lib.exe
PID 2948 wrote to memory of 1848	2948	lib.exe	lib.exe
PID 2948 wrote to memory of 1848	2948	lib.exe	lib.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 3068 wrote to memory of 2416	3068	leaf.exe	leaf.exe
PID 2416 wrote to memory of 768	2416	leaf.exe	cmd.exe
PID 2416 wrote to memory of 768	2416	leaf.exe	cmd.exe
PID 2416 wrote to memory of 768	2416	leaf.exe	cmd.exe
PID 2416 wrote to memory of 768	2416	leaf.exe	cmd.exe
PID 768 wrote to memory of 1064	768	cmd.exe	schtasks.exe
PID 768 wrote to memory of 1064	768	cmd.exe	schtasks.exe
PID 768 wrote to memory of 1064	768	cmd.exe	schtasks.exe
PID 768 wrote to memory of 1064	768	cmd.exe	schtasks.exe
PID 1556 wrote to memory of 1604	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1604	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1604	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1604	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1604	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1604	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1604	1556	taskeng.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1604 wrote to memory of 2100	1604	svcupdater.exe	svcupdater.exe
PID 1556 wrote to memory of 1616	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1616	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1616	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1616	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1616	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1616	1556	taskeng.exe	svcupdater.exe
PID 1556 wrote to memory of 1616	1556	taskeng.exe	svcupdater.exe
PID 1616 wrote to memory of 1660	1616	svcupdater.exe	svcupdater.exe
PID 1616 wrote to memory of 1660	1616	svcupdater.exe	svcupdater.exe
PID 1616 wrote to memory of 1660	1616	svcupdater.exe	svcupdater.exe
PID 1616 wrote to memory of 1660	1616	svcupdater.exe	svcupdater.exe
PID 1616 wrote to memory of 1660	1616	svcupdater.exe	svcupdater.exe
PID 1616 wrote to memory of 1660	1616	svcupdater.exe	svcupdater.exe

C:\Users\Admin\AppData\Local\Temp\Mega.nz Spreader.exe
"C:\Users\Admin\AppData\Local\Temp\Mega.nz Spreader.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\leaf.exe
  "C:\Users\Admin\AppData\Local\Temp\leaf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\leaf.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1064
- C:\Users\Admin\AppData\Local\Temp\api.exe
  "C:\Users\Admin\AppData\Local\Temp\api.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\lib.exe
  "C:\Users\Admin\AppData\Local\Temp\lib.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\lib.exe
    "C:\Users\Admin\AppData\Local\Temp\lib.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1848

C:\Windows\system32\taskeng.exe
taskeng.exe {E95934C6-8DF0-4B16-8E8A-69F604C13904} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
  C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
  C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29482\python311.dll

Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\api.exe

Filesize
677KB

MD5
9022192413dda223b6e8afd73a22cfaa

SHA1
dbfc6d6667fcc47daa13a317c8791a93f5e495b0

SHA256
f575eb5246b5c6b9044ea04610528c040c982904a5fb3dc1909ce2f0ec15c9ef

SHA512
d5311ba2138f184b44b73e63067e5446a77640bfe9f75c87e81935e120ee3ca1918ad3d36ebcf24ebadff0d9afec10ab1d3276d4b20d9821466ba8183c80b7ab

Download Submit
C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe

Filesize
697.6MB

MD5
252fdc43fa1d60273972504af7d860e8

SHA1
011639111cc8fd9c75310b65478f11e6b369e194

SHA256
a56be4bbce89167a03185aba10d83fc08696f68cedc1f16f1b03e97de6e43345

SHA512
ecbd49ce1cc16ab470d63cf976cf9fab49a16bbf46b5726e53397463948cb72263abdfcdac64dadfcdffe4024e4ce77c8bf369f01fd2892423f0d0746e96e458

Download Submit
C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.pid

Filesize
4B

MD5
2cad8fa47bbef282badbb8de5374b894

SHA1
89b98f7be8afc23ebefc3e02f86ebb89cbe74176

SHA256
4f5131ea0c5a3e7f4c5f86029ae1be2a60e67f023073bbb074a3a929089e5bc1

SHA512
149d27069d40bcb60ea6a635b8e34e8b31fad19d388c36b3fc8d6df21f84d4a8dbc8bd05b127102960c9060771c76a8cc836f14b23d1eea2b0d6cfa5c2b0bcbb

Download Submit
\Users\Admin\AppData\Local\Temp\leaf.exe

Filesize
630KB

MD5
8c8c3bcf475b5c95673a810b10a2fc52

SHA1
268cb3a6a4194efb14c1bdc82cfab3485c64fa73

SHA256
7f02583173f6e150677af6fe09226fa6b4fc9efa2523f393a89b31155a1122c0

SHA512
f1948ce32f46a34e425d2f59f5c4e6de56cbc1e29ecfd706c95f4b00ec2831ccc21a44b81cd18d8d03fe6681463276cd4c8d31b19bff712574b1ff765bb4e846

Download Submit
\Users\Admin\AppData\Local\Temp\lib.exe

Filesize
7.3MB

MD5
d1540618704ecaca1a503b496ed7b801

SHA1
047c0e7c3b0d03470177dfe17053fdb34ea378a4

SHA256
1c864d2dec413df7d389bf89cc5b0f38c879a93c043a22c98570c1eea12099aa

SHA512
8c91198512c946d1d0aa5583b8eaf96f111091e75ea26a853597b2791d44965e8005fc8e19267ce4cb7180b715968832d15af987dae7b6aaa1eef6b459f043b9

Download Submit
memory/1604-82-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/1604-81-0x0000000000E30000-0x0000000000ED4000-memory.dmp

Filesize
656KB

Download
memory/1660-108-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2100-95-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2100-96-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2100-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2416-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2416-76-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2416-75-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2416-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2416-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2416-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2416-73-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3068-62-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/3068-61-0x0000000004290000-0x00000000042F0000-memory.dmp

Filesize
384KB

Download
memory/3068-60-0x00000000004E0000-0x00000000004F4000-memory.dmp

Filesize
80KB

Download
memory/3068-31-0x0000000000940000-0x00000000009E4000-memory.dmp

Filesize
656KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads