Analysis
-
max time kernel
33s -
max time network
35s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
08-10-2024 14:48
General
-
Target
https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip
Malware Config
Extracted
meduza
109.107.181.162
-
anti_dbg
true
-
anti_vm
true
-
build_name
153
-
extensions
none
-
grabber_max_size
1.048576e+06
-
links
none
-
port
15666
-
self_destruct
true
Signatures
-
Meduza
Meduza is a crypto wallet and info stealer written in C++.
-
Meduza Stealer payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/fdh54h54h54hg/57547547g/releases/download/Download/Setup7.0.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbea2c3cb8,0x7ffbea2c3cc8,0x7ffbea2c3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,6874846109303939599,8247085418641019237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
-
C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\Setup7.0\setup7.0.exe"3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5826c7cac03e3ae47bfe2a7e50281605e
SHA1100fbea3e078edec43db48c3312fbbf83f11fca0
SHA256239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab
SHA512a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e
-
Filesize
152B
MD502a4b762e84a74f9ee8a7d8ddd34fedb
SHA14a870e3bd7fd56235062789d780610f95e3b8785
SHA256366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da
SHA51219028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f
-
Filesize
116KB
MD527f8b22ae5d65b7a0a963633030cfbce
SHA169ac50fb760788a0db3e5cbdc0f23c99001e0486
SHA2568fbdfe7bf03c4ceb8b905d980dfba2a1aa5876c21545c61ec17335d444c1ce67
SHA512db30e39dbd156eefbf19b6f66c2909ba65490324beba96870cdbdcd88da7410c9ebb45e933438222f1da5da1c19ed6e5f9d33f68a74b49ffd1e4eb2d33eac054
-
Filesize
334B
MD5abcaea02e73806cb7786b41f0801943c
SHA14bcda9216be57c746e0242aa2f50a3d67b0febaa
SHA256d391829d7df0b44ea3d605fb0927c10d71302607c1bdd33923b34e04db83ee9a
SHA512643677d15b6e4c28bb2e39ac5b901d22acee99c0141d7f4898d6848ac8665bb6b680718cdeda68feb14f250eefd1813fdd333b99ef731005eb04013fb24f34c9
-
Filesize
265B
MD5f5cd008cf465804d0e6f39a8d81f9a2d
SHA16b2907356472ed4a719e5675cc08969f30adc855
SHA256fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d
SHA512dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d
-
Filesize
5KB
MD5a7ba087cb8fad7ec0745e23a7c81797b
SHA129a91e09f033291dbda6fe62cd16fc94c20d6f19
SHA25601c4d6fb8abf2954976eb2373120100aaad6c160846b2534459d84c9d154c4ff
SHA512436e25f13e86bf8d7757d693d76151729a6dda8c4b547893cd375c0adc371df91583bdfe6ec2eb3182b565c24715515be6baba9aa5347c76828bb8fab7d29785
-
Filesize
5KB
MD5b264dece628b51f3ce5953396a565999
SHA170219dd465381982aa24c4f96bf52c98d44b740e
SHA25643952ca5dd408facecb40a897988d0f4b6b043055f74b67e922ca37a079e3848
SHA5122ea374350565577323e3ec17fcf67191f62cdf1ce187bd2bc4a8ff810b50f6f3765b92f72ecd0085b575265469738e103c344e2c9741cb41e8f50596ac5e3877
-
Filesize
5KB
MD5ab4576c853a09ab487904d3fdc2a4c56
SHA18536e1dba2f1df0ce48b92b541dfdc174783b933
SHA25641045d7d49b82f68aebf73f05c3aec42635b30af841682adbe8650d1602160c0
SHA51262c92f0df03fbe110f152a1361d0da18dfb7ba110bfcb00b3578a9b11caf69c981c7f75a2109a98ad1b486e48848205c7d48ad1361f7b3c09b31bb315f28e06d
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
10KB
MD5348227869b98e806ab52fce93049b16e
SHA15a392bf480d89452998019f15a460d46b1b42529
SHA2568bb5e361059af520c95b4867df6012646a7064941abf9de07fcd6c1b04c67887
SHA5120a2c9fe70276443c21163c784ea63e37664157462b11c2f58b3aaebfb4c1ac96f792c4b5583e81a8ddfb99173aa4be102369516cef240dac61354e14c1817762
-
Filesize
10KB
MD5cac0395f300d8db0b50470ab677c0689
SHA191b5c5fe22e9d2d1bcdf0ce573e2aff30730764e
SHA256748a0d94f61bbe415d4ceeb1ea098c85a22b2e358f939d632804cc65a61f2e07
SHA512840194dbf9b69c8da09feaf2538baf6699161b21c7547c1ba8e53b7f1919b404f6c7568b9d4f68ee0e8e75a7dddb5375db716ce6e1961eaf3e526cf7b74cc8b5
-
Filesize
10KB
MD571a6b59e08e25451e52675c842fae23c
SHA1565a97673954a9209c7a05fba20b89d10b88025f
SHA2565b96212d3d1347b76c8c1c64b2f7ef981242bedd3b84b766b543d56dbbf8dbd6
SHA5125cc98eb2aa02e2e69165170451d89dd880893e6b07440bb84fbab6cf92cb558bd58c2235d8d64ff43d380c5e9869827800d310ee67950bb21b498d89fbb5aab3
-
Filesize
1.3MB
MD5caf07843d0eec5fd5d9b131256361752
SHA11ce0acf5f2b521752440ce6d1c108a365a1dca50
SHA256abdc12b4bb4b9a7309bc067be6b097a4e11b0dccbf19494edb971b510303c923
SHA512b72e81797f4d3264b12675e2d35c56d76ec9110c3814776068d23a51c5de20ed3bd0dd414fb3f0564633b408dc040eaf8407c5e319df7014c9249e5fbaea2839
-
Filesize
545B
MD5bd351cfb4347c0a828ea61183ba0e059
SHA1281a000ef4e73c44216e4af87dc87166fd7b0c9e
SHA25652b00e5fca47e413b41e6183e538d409f9de52eb4a26c36d0cfac2bb89ce7ba3
SHA51210579a9473c067874c95f0dc43989539016c1e42973149bfa77c6bb6277f95af4418bad1e7578d1b9b5a40943d4e51733529406174cf9d8c9e1ebc73ecdf3e4e
-
Filesize
1.7MB
MD52c685fc5572fee6107d76c17fa873a45
SHA105436164ce59ab80e0bcae7aa779b2426866446e
SHA256f585f729ebcdaf7a70e16690398cca0036d1dd4c398b4044004e7ab0ccc6bf56
SHA5126bd9fbf04c75c0a6a07846233e5cb31f7f8373f3bd2fc62f70f27c34d37d640d80647ca980530ba99d77586a954c73899a257e1dc2e422279a0c46f69e2107e3
-
Filesize
1.4MB
MD5d9a74092beacfbf63708895c03774dce
SHA144b28f038e8aabd1718b904ebc58a91b7f8be103
SHA2566abbad8087891836e562bdf0420ce019471b649574caf68a938e300e9c546793
SHA5124dec51a48b700ec4585bef9edd6d329dca1b562eae7e0609dd05462b4810f457e94fbefcd25e2853f27f36c4b8707676f34075cfe1ce2f00830d23a4a3a32f2e
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.4MB
-
Filesize
1.7MB