meduza | hxxps://github[.]com/akram209/akram209/releases/download/Release/Setup_installer32-64x[.]rar

Analysis

max time kernel
55s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
submitted
15/09/2024, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/akram209/akram209/releases/download/Release/Setup_installer32-64x.rar

Score

10^/10

meduza discovery spyware stealer

Malware Config

Extracted

Family

meduza

62.133.60.92

Attributes

build_tag
x
extensions
grabber
false
mode
x86
port
22322
screenshot
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000002349d-100.dat	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Installer-setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Installer-setup.exe

Executes dropped EXE 2 IoCs

pid	Process
4448	Installer-setup.exe
2916	Installer-setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	api.ipify.org
42	api.ipify.org
62	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer-setup.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3672	msedge.exe
3672	msedge.exe
4724	msedge.exe
4724	msedge.exe
2504	identity_helper.exe
2504	identity_helper.exe
3124	msedge.exe
3124	msedge.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2268	7zG.exe
Token: 35	2268	7zG.exe
Token: SeSecurityPrivilege	2268	7zG.exe
Token: SeSecurityPrivilege	2268	7zG.exe
Token: SeDebugPrivilege	1952	taskmgr.exe
Token: SeSystemProfilePrivilege	1952	taskmgr.exe
Token: SeCreateGlobalPrivilege	1952	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
2268	7zG.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
4724	msedge.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe
1952	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2856	4724	msedge.exe	82
PID 4724 wrote to memory of 2856	4724	msedge.exe	82
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 1152	4724	msedge.exe	83
PID 4724 wrote to memory of 3672	4724	msedge.exe	84
PID 4724 wrote to memory of 3672	4724	msedge.exe	84
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85
PID 4724 wrote to memory of 464	4724	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/akram209/akram209/releases/download/Release/Setup_installer32-64x.rar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffcb34c46f8,0x7ffcb34c4708,0x7ffcb34c4718
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,3231815205961001419,7152596541396306088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:2472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup_installer32-64x\" -spe -an -ai#7zMap30898:104:7zEvent20632
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2268

C:\Users\Admin\Downloads\Setup_installer32-64x\Installer-setup.exe
"C:\Users\Admin\Downloads\Setup_installer32-64x\Installer-setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4448

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1952

C:\Users\Admin\Downloads\Setup_installer32-64x\Installer-setup.exe
"C:\Users\Admin\Downloads\Setup_installer32-64x\Installer-setup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
6aa4c02da068adfc2e0dafa8681bfd4d

SHA1
a56e798d0b3e86dea5e9cee35c0791917cb94d99

SHA256
d424fc88550223cc48059f5c630222beedd5d288c0e8c4ef5054230ccd5a9dd2

SHA512
68c536257c316fd9bb0eec9db63c3bc676f042a28a7acbecfeb58852aeafcf5a872f857a4314fa9bc55d56c7b2f2e246bb9d410f7f59c7eaafde28aa3938c43e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
3fca4ad840ca3054de1395eac63daf54

SHA1
95345eaeadbcebdcd70bcb60aa26845731a63551

SHA256
1a1f9b2a761c48f8e4c4f96a5d3cf674c88da58a54866c61b76ec4e3d10bb3d1

SHA512
6eb065fe7b89355cf8fbbfc135583b6917a4256e9b4fc81fb715f55590086b05f6216f598fe70c9593309dda06c3868f8b4e53328b4bf92d397b5b46e92e8763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
555b911116cdd687acad7b6961e213df

SHA1
c8831419f916feaa7de810917056dce7b3ce9ae9

SHA256
d90c8e06a5c0a81478be81a2c5433b13fd11023f77995734b47f2a179c150d34

SHA512
d548ca3ab08eaaee3e4a1bb1cacff6e2e6ee3e409b1fb6aec6318458aef7ce836d95647d12a769cb8dc466b3d6e060ee3311bc80d9e06311816ce096fb0eecf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
fb5ea34e3f66218bec8d8ac029ae37a4

SHA1
d7bc2dd8502cfcf2f2029bda46f4798e3c050865

SHA256
a77fcdab226a16a19612fcf31abfadfd255c6c426a872e59f207461420fc9020

SHA512
2f2d35107dae19189e50d7bbf73ddffb2a9b602e20f43a40a000940f397a3a2017b0c40705152f54f983d51bab84bd9acf27f5bc44bfa76178c4bcbd721574d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
105f1323f2bf29fd2d9f25b83e1a5161

SHA1
97f84393e1d83d253d36eb7cc41a7b850721bd79

SHA256
f34b58bf55209a654777b27268106b58adf6300110b0873cbaf2bb075bca2890

SHA512
a927196664278ca6548652ec69b845f62e770bf7ccaee43aef5f54f2b33c5e2d94f1f90217d2869deb8619de4bc025bf18f42f65c8c400a4355a20a5f17c4b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3bb2bfff1e8a3fe7809aafc1ee387472

SHA1
ddbfc00c757d32a66944011c8897551e50577514

SHA256
1d4201a87126c9c77f403645cb9f522765b83376c42131eb03e1ab19c987ada5

SHA512
9ec9304f56771a0abf2af0f2f4f58fb143e2d11028d15a38bde688aef17479be3840a85267a119373d0baa21a1881a9a5a09450f6c858b5a4ba151bea23f3fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2a7bf8097f4d791ee69356fd233497de

SHA1
dfbf4f0ecf54df18b3b9f4e96494ac0e7adc8e23

SHA256
ab131469b676c1a27eaf1b133b7191e60f88c69ce2dd9ab253d48985014f24ec

SHA512
2c2d7bdf8cf30d11d0f67c1a574ca82837792d1673fa87be103bac5b4a6b9de0007964b0284b9b2d6a0b6fb52789661d7a291b79b2085fa29987acf3393b2c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab59b87f552dc274dcf11e0e64720281

SHA1
b8dd5f9c86bd14e1ec7d804bf9ba651f23119358

SHA256
dfaeeb04dc2afb61c5b5e08d009c5955968f5c8c8255a4bca85603f7c4813a94

SHA512
d823574e0ff55d3fb45c32fb41b8b4b918e7cd15bcde7e1aff502669a8c68ed271f6c9d597d678f31179688b3e2bc75d8f9c8da01c9d870f68faf572e6e23e82

Download Submit
C:\Users\Admin\Downloads\Setup_installer32-64x.rar

Filesize
1.0MB

MD5
94a134e0fdfaa1c77436f8752ef5594e

SHA1
5b0825a01b562b92c09be09d4d52340db5c01c5d

SHA256
9e467334a765e82e56f4ec6e1b6eb15b41356a642065dd305e358a469f98ecf5

SHA512
fdccd0464fe61b634145ba2abe10d06f24aa3db3a3b1cbf9fd4ba9997623fa43449cb1b4422ba6296a57cd17f13b2c8b9ec266655b2688abe75b38a1c565703b

Download Submit
C:\Users\Admin\Downloads\Setup_installer32-64x\Installer-setup.exe

Filesize
1.9MB

MD5
0c15f77a6e5cc3e5d5a9c9d47aecb775

SHA1
6692cee396dc14cd96bc9cd9794cdca4a922584a

SHA256
8c46514dc33bda123da03e13e8af12fdc5a500e2a3193e4fdd4a8179e57c9cbb

SHA512
d6e9b71828665ccb3d4ab20c23aea095a2d39d25d47ef3d045c4ac6da9514ae8b05a3fd32c841edbb7ccb40bd1a4f004ec8536a11839252ae4b4ac97a7ac28b4

Download Submit
memory/1952-111-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-121-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-120-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-119-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-118-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-117-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-122-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-123-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-112-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download
memory/1952-113-0x000002171A290000-0x000002171A291000-memory.dmp

Filesize
4KB

Download