Overview

overview

10

Static

static

3

70f06035e9...1c.exe

windows7-x64

10

70f06035e9...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240730-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2024 03:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    70f06035e9cc9a891f2959b80e3be9bea2ba07b72bce4fac125249c29c0d9d1c.exe

  • Size

    8.5MB

  • MD5

    56b45c6edd70b8d85df6399eea6d24d1

  • SHA1

    15a65e88ec6dc89e35fef0c5e786ac255d6d4a6e

  • SHA256

    70f06035e9cc9a891f2959b80e3be9bea2ba07b72bce4fac125249c29c0d9d1c

  • SHA512

    55275a2511cbd72ce38732ae9d677b753bf813949338182fe2ecdaf026e7438e219bf287ee88805100ed8768377f63009c4b1655fd5de14c5db41501c16b96cc

  • SSDEEP

    196608:P0akhW+OUggVe3hwHqxogDycV3B7+JULH9XO8WIu:P06+FZKxoM33YURc1

Score
10/10
meduzadiscoverypyinstallerstealer

Malware Config

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 6 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\70f06035e9cc9a891f2959b80e3be9bea2ba07b72bce4fac125249c29c0d9d1c.exe
    "C:\Users\Admin\AppData\Local\Temp\70f06035e9cc9a891f2959b80e3be9bea2ba07b72bce4fac125249c29c0d9d1c.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Local\Temp\leaf.exe
      "C:\Users\Admin\AppData\Local\Temp\leaf.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Users\Admin\AppData\Local\Temp\leaf.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:1720
      • C:\Users\Admin\AppData\Local\Temp\leaf.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:860
      • C:\Users\Admin\AppData\Local\Temp\leaf.exe
        "{path}"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2592
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4804
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn \eOzNUSwmQA /tr "C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4068
    • C:\Users\Admin\AppData\Local\Temp\api.exe
      "C:\Users\Admin\AppData\Local\Temp\api.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2092
    • C:\Users\Admin\AppData\Local\Temp\lib.exe
      "C:\Users\Admin\AppData\Local\Temp\lib.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Users\Admin\AppData\Local\Temp\lib.exe
        "C:\Users\Admin\AppData\Local\Temp\lib.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1536
  • C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
    C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
      "{path}"
      2⤵
      • Executes dropped EXE
      PID:572
    • C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
      "{path}"
      2⤵
      • Executes dropped EXE
      PID:4024
    • C:\Users\Admin\AppData\Roaming\eOzNUSwmQA\svcupdater.exe
      "{path}"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4696

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leaf.exe.log
    Filesize

    1KB

    MD5

    17573558c4e714f606f997e5157afaac

    SHA1

    13e16e9415ceef429aaf124139671ebeca09ed23

    SHA256

    c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

    SHA512

    f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI8122\VCRUNTIME140.dll
    Filesize

    106KB

    MD5

    4585a96cc4eef6aafd5e27ea09147dc6

    SHA1

    489cfff1b19abbec98fda26ac8958005e88dd0cb

    SHA256

    a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

    SHA512

    d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI8122\_ctypes.pyd
    Filesize

    120KB

    MD5

    9b344f8d7ce5b57e397a475847cc5f66

    SHA1

    aff1ccc2608da022ecc8d0aba65d304fe74cdf71

    SHA256

    b1214d7b7efd9d4b0f465ec3463512a1cbc5f59686267030f072e6ce4b2a95cf

    SHA512

    2b0d9e1b550bf108fa842324ab26555f2a224aefff517fdb16df85693e05adaf0d77ebe49382848f1ec68dc9b5ae75027a62c33721e42a1566274d1a2b1baa41

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI8122\_socket.pyd
    Filesize

    77KB

    MD5

    26dd19a1f5285712068b9e41808e8fa0

    SHA1

    90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5

    SHA256

    eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220

    SHA512

    173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI8122\base_library.zip
    Filesize

    1.7MB

    MD5

    ebb4f1a115f0692698b5640869f30853

    SHA1

    9ba77340a6a32af08899e7f3c97841724dd78c3f

    SHA256

    4ab0deb6a298d14a0f50d55dc6ce5673b6c5320817ec255acf282191642a4576

    SHA512

    3f6ba7d86c9f292344f4ad196f4ae863bf936578dd7cfac7dc4aaf05c2c78e68d5f813c4ed36048b6678451f1717deeb77493d8557ee6778c6a70beb5294d21a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI8122\libffi-8.dll
    Filesize

    38KB

    MD5

    0f8e4992ca92baaf54cc0b43aaccce21

    SHA1

    c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

    SHA256

    eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

    SHA512

    6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI8122\python311.dll
    Filesize

    5.5MB

    MD5

    e2bd5ae53427f193b42d64b8e9bf1943

    SHA1

    7c317aad8e2b24c08d3b8b3fba16dd537411727f

    SHA256

    c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

    SHA512

    ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_MEI8122\select.pyd
    Filesize

    29KB

    MD5

    756c95d4d9b7820b00a3099faf3f4f51

    SHA1

    893954a45c75fb45fe8048a804990ca33f7c072d

    SHA256

    13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a

    SHA512

    0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\api.exe
    Filesize

    677KB

    MD5

    9022192413dda223b6e8afd73a22cfaa

    SHA1

    dbfc6d6667fcc47daa13a317c8791a93f5e495b0

    SHA256

    f575eb5246b5c6b9044ea04610528c040c982904a5fb3dc1909ce2f0ec15c9ef

    SHA512

    d5311ba2138f184b44b73e63067e5446a77640bfe9f75c87e81935e120ee3ca1918ad3d36ebcf24ebadff0d9afec10ab1d3276d4b20d9821466ba8183c80b7ab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\leaf.exe
    Filesize

    630KB

    MD5

    8c8c3bcf475b5c95673a810b10a2fc52

    SHA1

    268cb3a6a4194efb14c1bdc82cfab3485c64fa73

    SHA256

    7f02583173f6e150677af6fe09226fa6b4fc9efa2523f393a89b31155a1122c0

    SHA512

    f1948ce32f46a34e425d2f59f5c4e6de56cbc1e29ecfd706c95f4b00ec2831ccc21a44b81cd18d8d03fe6681463276cd4c8d31b19bff712574b1ff765bb4e846

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lib.exe
    Filesize

    7.3MB

    MD5

    d1540618704ecaca1a503b496ed7b801

    SHA1

    047c0e7c3b0d03470177dfe17053fdb34ea378a4

    SHA256

    1c864d2dec413df7d389bf89cc5b0f38c879a93c043a22c98570c1eea12099aa

    SHA512

    8c91198512c946d1d0aa5583b8eaf96f111091e75ea26a853597b2791d44965e8005fc8e19267ce4cb7180b715968832d15af987dae7b6aaa1eef6b459f043b9

    Download Submit

  • memory/2592-85-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3048-28-0x0000000005260000-0x0000000005804000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3048-79-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-32-0x0000000004FA0000-0x0000000004FF6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3048-31-0x0000000004D10000-0x0000000004D1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3048-30-0x0000000004D50000-0x0000000004DE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3048-24-0x0000000004C10000-0x0000000004CAC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3048-78-0x0000000004670000-0x0000000004684000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3048-44-0x0000000073FB0000-0x0000000074760000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3048-80-0x0000000073FB0000-0x0000000074760000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3048-81-0x0000000006580000-0x00000000065E0000-memory.dmp

    Filesize

    384KB

    Download

  • memory/3048-82-0x0000000005250000-0x0000000005258000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3048-21-0x00000000001D0000-0x0000000000274000-memory.dmp

    Filesize

    656KB

    Download

  • memory/3048-19-0x0000000073FBE000-0x0000000073FBF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3048-90-0x0000000073FB0000-0x0000000074760000-memory.dmp

    Filesize

    7.7MB

    Download