meduza | 0aeaf8afee14d5be2425ed7826c7895b1c318397ab7f3bb1523a9b62061c1ef8

Resubmissions

11/10/2024, 07:00

241011-hsnvds1aqa 10

07/08/2024, 08:37

240807-kja82syfka 10

07/08/2024, 08:30

240807-kd6g1ayemg 10

Analysis

max time kernel
144s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
07/08/2024, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
Size

2.1MB
MD5

0468a32ad1ed1169e98b897d87f51164
SHA1

0d9dc54a5f91e6ed7d324c2a65b152a168d57b08
SHA256

643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2
SHA512

7deb90629608f3a227e96d948bbb4c78ad21e1eb659bfdab903d4f25bdb1e6c8af7edec9604274aa745dd90f8253e48fbccf661f2bc2b6609e5b8807645750ca
SSDEEP

24576:GQZEhAybJ37KtuUZ786qGbAJYhIRKPS0dJDhrI4ufnLVVx90e+7ym:WAC3a78sIRSGVV8V5

Score

10^/10

meduza stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 13 IoCs

resource	yara_rule
behavioral1/memory/2368-0-0x000001B210630000-0x000001B210719000-memory.dmp	family_meduza
behavioral1/memory/3280-3-0x0000025116BD0000-0x0000025116CB9000-memory.dmp	family_meduza
behavioral1/memory/4632-4-0x000001C03ABA0000-0x000001C03AC89000-memory.dmp	family_meduza
behavioral1/memory/832-5-0x0000022439F30000-0x000002243A019000-memory.dmp	family_meduza
behavioral1/memory/692-6-0x00000256AC2C0000-0x00000256AC3A9000-memory.dmp	family_meduza
behavioral1/memory/2936-7-0x000002B265650000-0x000002B265739000-memory.dmp	family_meduza
behavioral1/memory/5076-8-0x0000018FB5400000-0x0000018FB54E9000-memory.dmp	family_meduza
behavioral1/memory/3644-9-0x000001950F240000-0x000001950F329000-memory.dmp	family_meduza
behavioral1/memory/4400-10-0x0000014237620000-0x0000014237709000-memory.dmp	family_meduza
behavioral1/memory/2224-11-0x000002203A290000-0x000002203A379000-memory.dmp	family_meduza
behavioral1/memory/2112-12-0x00000205AB300000-0x00000205AB3E9000-memory.dmp	family_meduza
behavioral1/memory/2188-13-0x0000022548030000-0x0000022548119000-memory.dmp	family_meduza
behavioral1/memory/3436-14-0x0000017E99460000-0x0000017E99549000-memory.dmp	family_meduza

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2768	rundll32.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
- Checks computer location settings
PID:2368

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCAT C:\Windows\WinSxS\Catalogs\643dde6e4f08aa63961f46cbf5f26ee73c4db5e241e0a5fbf6c790282a018f77.cat
1⤵
- Blocklisted process makes network request
- Suspicious behavior: GetForegroundWindowSpam
PID:2768

C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
- Checks computer location settings
PID:3280

C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\AppData\Local\Temp\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
PID:2936

C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
- Checks computer location settings
PID:5076

C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
PID:3644

C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
PID:4400

C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
- Checks computer location settings
PID:2224

C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
- Checks computer location settings
PID:2112

C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
PID:2188

C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe
"C:\Users\Admin\Desktop\643dde3f461907a94f145b3cd8fe37dbad63aec85a4e5ed759fe843b9214a8d2.exe"
1⤵
PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-6-0x00000256AC2C0000-0x00000256AC3A9000-memory.dmp

Filesize
932KB

Download
memory/832-5-0x0000022439F30000-0x000002243A019000-memory.dmp

Filesize
932KB

Download
memory/2112-12-0x00000205AB300000-0x00000205AB3E9000-memory.dmp

Filesize
932KB

Download
memory/2188-13-0x0000022548030000-0x0000022548119000-memory.dmp

Filesize
932KB

Download
memory/2224-11-0x000002203A290000-0x000002203A379000-memory.dmp

Filesize
932KB

Download
memory/2368-0-0x000001B210630000-0x000001B210719000-memory.dmp

Filesize
932KB

Download
memory/2936-7-0x000002B265650000-0x000002B265739000-memory.dmp

Filesize
932KB

Download
memory/3280-3-0x0000025116BD0000-0x0000025116CB9000-memory.dmp

Filesize
932KB

Download
memory/3436-14-0x0000017E99460000-0x0000017E99549000-memory.dmp

Filesize
932KB

Download
memory/3644-9-0x000001950F240000-0x000001950F329000-memory.dmp

Filesize
932KB

Download
memory/4400-10-0x0000014237620000-0x0000014237709000-memory.dmp

Filesize
932KB

Download
memory/4632-4-0x000001C03ABA0000-0x000001C03AC89000-memory.dmp

Filesize
932KB

Download
memory/5076-8-0x0000018FB5400000-0x0000018FB54E9000-memory.dmp

Filesize
932KB

Download