Overview

overview

10

Static

static

1

Client/Client.exe

windows7-x64

8

Client/Client.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-11-2024 04:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client/Client.exe

  • Size

    59.8MB

  • MD5

    07185b28ac6e7b8a49d452ededb9a6f8

  • SHA1

    2390ff463d4cb37799f46081f381fc7a8551a959

  • SHA256

    d30a1b9d067bac02d43e660d0c3924e44fb64becef529a86b9eb0799312d97be

  • SHA512

    7f8852e4b8db80c22370ee62d49c1e5871551dd7e4a0ab56d5f7e1479ba9dffc1a11e0a92318c139322663f1c9c287ac8e0aecd9e0d758bd4ca8ccb46cb6d937

  • SSDEEP

    786432:L9T/j0+mSyv3+gc5ibDB28+oFwjvYKM289vy3TOZ34wWIN34:L9T/j1mSyvf28+u289l4u

Score
10/10
meduzadiscoveryexecutionstealer

Malware Config

Extracted

Family

meduza

C2

176.124.204.206

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    mounew

  • extensions

    .txt

  • grabber_max_size

    1.048576e+06

  • port

    15666

  • self_destruct

    false

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 1 IoCs
  • Meduza family
    meduza
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client\Client.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1756
    • C:\Windows\Temp\jmw2mmep.hhg.exe
      "C:\\Windows\\Temp\jmw2mmep.hhg.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvqfboqs.txt.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\Temp\jmw2mmep.hhg.exe
    Filesize

    1.8MB

    MD5

    8e2766a1d5ffabdae6603d9dffc5d4bf

    SHA1

    45f1bedf90db66c5af35e80f93d8d0a6181485a5

    SHA256

    127a36b98ea43a374146a0dd7bef8a0323db12a6a74eff3290d3974a1f077714

    SHA512

    adc31e9fe214424f80604383be44b8d9ec9dfd8a5c968dd5b037f0df757e99bb071ceb0019bf98c6b169f7fe328db7fe84a7f1586504fc0e4281830279eb1ecd

    Download Submit

  • memory/1756-35-0x0000000074550000-0x0000000074D00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1756-17-0x00000000059B0000-0x0000000005D04000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1756-4-0x0000000074550000-0x0000000074D00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1756-5-0x0000000005020000-0x0000000005042000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1756-0-0x000000007455E000-0x000000007455F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1756-3-0x0000000005190000-0x00000000057B8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1756-7-0x00000000058A0000-0x0000000005906000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1756-37-0x0000000006740000-0x000000000675A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1756-18-0x0000000006080000-0x000000000609E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1756-36-0x0000000007A40000-0x00000000080BA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1756-20-0x0000000006630000-0x0000000006662000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1756-21-0x0000000070370000-0x00000000703BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1756-31-0x0000000074550000-0x0000000074D00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1756-32-0x0000000006670000-0x000000000668E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1756-33-0x0000000074550000-0x0000000074D00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1756-34-0x0000000007310000-0x00000000073B3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1756-6-0x0000000005830000-0x0000000005896000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1756-2-0x0000000074550000-0x0000000074D00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1756-19-0x00000000060B0000-0x00000000060FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1756-38-0x0000000007410000-0x000000000741A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1756-39-0x0000000007620000-0x00000000076B6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1756-40-0x00000000075A0000-0x00000000075B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1756-41-0x00000000075D0000-0x00000000075DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1756-42-0x00000000075E0000-0x00000000075F4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1756-43-0x00000000076E0000-0x00000000076FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1756-44-0x00000000076C0000-0x00000000076C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1756-47-0x0000000074550000-0x0000000074D00000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1756-1-0x0000000002730000-0x0000000002766000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3756-52-0x00007FFF292F0000-0x00007FFF292F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-58-0x00007FF709454000-0x00007FF709455000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3756-63-0x00007FF709430000-0x00007FF709609000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3756-62-0x000002272DE30000-0x000002272DF73000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3756-61-0x00007FF709430000-0x00007FF709609000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3756-64-0x00007FF709454000-0x00007FF709455000-memory.dmp

    Filesize

    4KB

    Download