Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    26-08-2024 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4b16b9168f582448d16e99701ac2350175a369004fe52367bb0fdd4fbf423efb.exe

  • Size

    1.1MB

  • MD5

    edcf54af80b2e95213811c8ddf962fdb

  • SHA1

    bc4c5cc5abf7b1eeca77c22063f84a155b77c6e7

  • SHA256

    4b16b9168f582448d16e99701ac2350175a369004fe52367bb0fdd4fbf423efb

  • SHA512

    4672ee1f72d71b3e2b4498b3e888671c1e8293e2f6e214195e0188b66b9bb50619e7f37669191e53aa54b646e5ed424c6c3aa792d76cfc65735e7ddb08779cef

  • SSDEEP

    24576:N+SV2awrjvJecHcMozsYfB84DZcmdAjM736leiUa1SIj9:cu2zrTfctewcwCEhDa1Sc

Score
10/10
meduzacredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 4 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Program crash 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery

Processes

  • C:\Users\Admin\AppData\Local\Temp\4b16b9168f582448d16e99701ac2350175a369004fe52367bb0fdd4fbf423efb.exe
    "C:\Users\Admin\AppData\Local\Temp\4b16b9168f582448d16e99701ac2350175a369004fe52367bb0fdd4fbf423efb.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 860
      2⤵
      • Program crash
      PID:4320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 892
      2⤵
      • Program crash
      PID:3724
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 920
      2⤵
      • Program crash
      PID:1104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 904
      2⤵
      • Program crash
      PID:112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 876
      2⤵
      • Program crash
      PID:928
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1068
      2⤵
      • Program crash
      PID:2292
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1608
      2⤵
      • Program crash
      PID:4668
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1692
      2⤵
      • Program crash
      PID:4776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1908
      2⤵
      • Program crash
      PID:3208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1708
      2⤵
      • Program crash
      PID:2752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1772
      2⤵
      • Program crash
      PID:5068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1792
      2⤵
      • Program crash
      PID:2692
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1876
      2⤵
      • Program crash
      PID:3660
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
    1⤵
      PID:4284
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
      1⤵
        PID:1460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4656 -ip 4656
        1⤵
          PID:3576
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4656 -ip 4656
          1⤵
            PID:4436
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4656 -ip 4656
            1⤵
              PID:464
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4656 -ip 4656
              1⤵
                PID:3292
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4656 -ip 4656
                1⤵
                  PID:960
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4656 -ip 4656
                  1⤵
                    PID:2600
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4656 -ip 4656
                    1⤵
                      PID:1944
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4656 -ip 4656
                      1⤵
                        PID:1592
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4656 -ip 4656
                        1⤵
                          PID:1728
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4656 -ip 4656
                          1⤵
                            PID:3824
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4656 -ip 4656
                            1⤵
                              PID:2092

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/4656-1-0x00000000008B0000-0x0000000000998000-memory.dmp

                              Filesize

                              928KB

                              Download

                            • memory/4656-2-0x00000000025B0000-0x000000000279F000-memory.dmp

                              Filesize

                              1.9MB

                              Download

                            • memory/4656-3-0x0000000000400000-0x00000000005FC000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/4656-10-0x0000000000400000-0x00000000005FC000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/4656-11-0x00000000025B0000-0x000000000279F000-memory.dmp

                              Filesize

                              1.9MB

                              Download