meduza | 75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb

General

Target

75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
Size

1.1MB
MD5

e3a08541070dcb1f4fe7d82af869c3bc
SHA1

6b4ad3774d42d4eead3f0a63a8afcfdf559bb557
SHA256

75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb
SHA512

7d0a9b0b7460a6c9e2570a3c7cd352a7a81a4174bafdc78ce089647b5579590fd98221d175c682b114482c26685b0d7aa5d5cc9f2cf9405110195d5ca2089949
SSDEEP

24576:XNPRWzRyOt2F2qXR25d8L0yFlmxYG7Kf/2C9:XNwn2FNR2XkyGX2C

Score

10^/10

meduza discovery spyware stealer

Malware Config

Extracted

Family

meduza

C2

78.153.131.36

Attributes

build_tag
222
extensions
grabber
false
mode
x86
port
22322
screenshot
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

resource	yara_rule
behavioral2/memory/3068-2-0x00000000023A0000-0x000000000258F000-memory.dmp	family_meduza
behavioral2/memory/3068-3-0x0000000000400000-0x00000000005FC000-memory.dmp	family_meduza
behavioral2/memory/3068-10-0x0000000000400000-0x00000000005FC000-memory.dmp	family_meduza
behavioral2/memory/3068-11-0x00000000023A0000-0x000000000258F000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	api.ipify.org
22	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2416	3068	WerFault.exe	90
2308	3068	WerFault.exe	90
3560	3068	WerFault.exe	90
1444	3068	WerFault.exe	90
2732	3068	WerFault.exe	90
3416	3068	WerFault.exe	90
244	3068	WerFault.exe	90
2296	3068	WerFault.exe	90
3240	3068	WerFault.exe	90
4156	3068	WerFault.exe	90
3184	3068	WerFault.exe	90
2416	3068	WerFault.exe	90
3560	3068	WerFault.exe	90
2752	3068	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
3068	75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe

C:\Users\Admin\AppData\Local\Temp\75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe
"C:\Users\Admin\AppData\Local\Temp\75f3aeb4ec5be62e718a0f3c32463af4d055a09151a3c79b16afb1daa6f537bb.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 812
  2⤵
  - Program crash
  PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 820
  2⤵
  - Program crash
  PID:2308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 820
  2⤵
  - Program crash
  PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 856
  2⤵
  - Program crash
  PID:1444
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 964
  2⤵
  - Program crash
  PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 968
  2⤵
  - Program crash
  PID:3416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1488
  2⤵
  - Program crash
  PID:244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1508
  2⤵
  - Program crash
  PID:2296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1776
  2⤵
  - Program crash
  PID:3240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1536
  2⤵
  - Program crash
  PID:4156
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1628
  2⤵
  - Program crash
  PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1488
  2⤵
  - Program crash
  PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1608
  2⤵
  - Program crash
  PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 1596
  2⤵
  - Program crash
  PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3068 -ip 3068
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3068 -ip 3068
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3068 -ip 3068
1⤵
PID:100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3068 -ip 3068
1⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3068 -ip 3068
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3068 -ip 3068
1⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
1⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3068 -ip 3068
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3068 -ip 3068
1⤵
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3068 -ip 3068
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3068 -ip 3068
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3068 -ip 3068
1⤵
PID:3252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3068 -ip 3068
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3068 -ip 3068
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3068 -ip 3068
1⤵
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3068-1-0x0000000000700000-0x00000000007F0000-memory.dmp

Filesize
960KB

Download
memory/3068-2-0x00000000023A0000-0x000000000258F000-memory.dmp

Filesize
1.9MB

Download
memory/3068-3-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3068-10-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/3068-11-0x00000000023A0000-0x000000000258F000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing