meduza | b64a353728226d46f333f6025cc55fcb222191161396e3702c7a536618c80c97

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

26.0MB
MD5

8cce3a045d1a6847c254b603b83fff8d
SHA1

ef23d9e784c5800fd5fc4b8f4211756860883500
SHA256

b64a353728226d46f333f6025cc55fcb222191161396e3702c7a536618c80c97
SHA512

ddc957a8f285898adcf91ca70cab5202651fe07585d2e06d5ca66321c5db9e52f0d1acc21c43957d97d196df595befab838ec38731bc6d23f985a74c9dcad315
SSDEEP

786432:A6oivzkdQhFEk6jGyR6nNwKQfmJ1ki60G2feO8ztS:AD6zkd8v/u6m/GkiRG5tS

Score

10^/10

meduza stealer

Malware Config

Extracted

Family

meduza

109.107.181.162

Attributes

anti_dbg
true
anti_vm
true
build_name
616
extensions
none
grabber_max_size
1.048576e+06
links
none
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016ce8-3.dat	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	ExxxxSet_up.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	ExxxxSet_up.exe

Loads dropped DLL 1 IoCs

pid	Process
1972	7zFM.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1972	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1972	7zFM.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	1972	7zFM.exe
Token: 35	1972	7zFM.exe
Token: SeSecurityPrivilege	1972	7zFM.exe
Token: SeSecurityPrivilege	1972	7zFM.exe
Token: SeDebugPrivilege	2760	ExxxxSet_up.exe
Token: SeImpersonatePrivilege	2760	ExxxxSet_up.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1972	7zFM.exe
1972	7zFM.exe
1972	7zFM.exe
1972	7zFM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2760	1972	7zFM.exe	31
PID 1972 wrote to memory of 2760	1972	7zFM.exe	31
PID 1972 wrote to memory of 2760	1972	7zFM.exe	31

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\7zO4B79EF47\ExxxxSet_up.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO4B79EF47\ExxxxSet_up.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\7zO4B79EF47\ExxxxSet_up.exe

Filesize
1.2MB

MD5
241774cac12418f27eec6bfbb520ee3e

SHA1
4001879bbfabbaf94b0ec9cf98b834e9467da064

SHA256
9709fb01be42762d9c066fde7b848ca34a05f4f5756891a6fbc4c458de7ba734

SHA512
fc0c3f903f6e58787ba1cf4f7d488e1f8d16c2cfb83a9788fc7ebe68c81355f28bf4f9a751ad137df19d68debe64907cb8b015174ba9391e8580df517576ea2d

Download Submit