Analysis

  • max time kernel
    108s
  • max time network
    117s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07-11-2024 00:37

General

  • Target

    MM2 Dupe Menu.rar

  • Size

    3.6MB

  • MD5

    0b53ae63bae9ed6c547679015ef109df

  • SHA1

    d6641738490a849a3058f5ccd414ccdc8229dfd9

  • SHA256

    025ce57b2a4f3f3bb3c0a4606200b748ecec5da12f76d43d358e24fb9e1331b3

  • SHA512

    6139fc6bf405d5c85c04be277f6629a8c89a39f2efb66a8b675e644f4a4e330668c533be42f300d252fec221731058027826e6f224bf83c36ebbf94107218c44

  • SSDEEP

    98304:oA67iqmWqP4AqTuULmTdjkGr4gj/cXI3DK/:+iqK4Rgdwk8Xb/

Malware Config

Extracted

Family

meduza

C2

109.107.181.162

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    686

  • extensions

    none

  • grabber_max_size

    1.048576e+06

  • links

    none

  • port

    15666

  • self_destruct

    true

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 2 IoCs
  • Meduza family
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MM2 Dupe Menu.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3924
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2840
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3588
      • C:\Program Files\Microsoft Office\root\Office16\Winword.exe
        "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Bin\.github\config.yml"
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3504
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\cache.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:5080
    • C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
      "C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
        "C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"
        2⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1900
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\system32\PING.EXE
            ping 1.1.1.1 -n 1 -w 3000
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1528

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      346B

      MD5

      f8f08ce29faf23a959b7cfcb0b3267b1

      SHA1

      93e6b2b0e2c70e92aec11b3e522c4b11c15dc85b

      SHA256

      94de44d1b5a8da78159bb473958b77fd28f082edd58ce33d5245cac337b2650b

      SHA512

      30e3d1e8b67cb77b80e3602532e9b6318dadde57212d82da4129ca9665016f92e5fde7bd182080843eee67921d66faadd869c035bf6ebf3f0f531692034fc93c

    • C:\Users\Admin\Downloads\Bin\.github\config.yml

      Filesize

      1KB

      MD5

      a19e08ca20bf7759f84007cb46051d6b

      SHA1

      e736f37d53c74f54a84e8a217b2c09231aaabe68

      SHA256

      dd8c19750853958c15fb93f18af25690f9b5dff02eed7c51b9fa54ad43d0ca6b

      SHA512

      00202b3957e9192e9580ec1a787f2df0bc8945299a4f452435e62b3bf3c783a4163ca4098f4bd3eba5f1b42b5ab6d4697c1814eca01bf3f0f839f2db8bb0884f

    • C:\Users\Admin\Downloads\Bin\CefSharp.WinForms.Example\InputBox.resx

      Filesize

      5KB

      MD5

      96ba0a444d087ae06f32319ca4f0a3e4

      SHA1

      e3e08973b3d47c1ad51ccb133315b6242e275f0f

      SHA256

      4d3ee9059f5b98ab1806f6916ebea2a8c56023f8c63ddfd80b7378d27d1aa0f6

      SHA512

      571d4083c76428d8c3914b2bc1281cc79ed4603b5fe0e3e82ee58dad488fcfe7f797a45b0ea7f14841a2a100656f059c186b7338ce33beb910cdddbf9ee70cbb

    • C:\Users\Admin\Downloads\Bin\CefSharp.WinForms.Example\Minimal\SimpleBrowserForm.resx

      Filesize

      42KB

      MD5

      acf1b05492690986de975cc951713f41

      SHA1

      4a1e6613293b6612f4d337dd287d2635e4f4bc24

      SHA256

      3a1ddccce264591f183029e77e134cedb7fdd0e0e71bb86977948c4b27b364fa

      SHA512

      1ef8b7b3cac0c57a7c02781031250205ecd60b5427296c9334d2638d3dba963eb6adaa0034b487c3e1de9da91b82ca59014159a7e12c8b4003ea93a8d9e20bb1

    • C:\Users\Admin\Downloads\Bin\CefSharp.Wpf.Example\crash_reporter.cfg

      Filesize

      1KB

      MD5

      1526412e88f6bc33fbd9047273a22da4

      SHA1

      f97303c189babc8b02998afeb6996c33355a81d4

      SHA256

      fee8c2493438f968b69dd470d71e6250b5068c5ebf8e3c0eeed90eba586a9fb3

      SHA512

      5baf61ec1d1bccfb0e91dca95c5d8075c6c498356bf207ae3a8087e86794f463ad51496725efab1bf26e126107301b0a0ee745a72d041e8dd5322437ce4abacc

    • C:\Users\Admin\Downloads\MM2 Dupe Menu.exe

      Filesize

      3.6MB

      MD5

      e1d057461037edf37f4ae3b9ba9c9ec8

      SHA1

      861a8ba42a51589f81f721551199d727b2427f69

      SHA256

      4357da9769eb4e22f21258ee7443012b4e53e853521ea2bafe6de4b1051bdc44

      SHA512

      9f7951b8313a717197be65f3594ba0e321327a2b5d84af90758c7637c8a16c70ff08202ebe0be3fb5b8d3c726bf04836ce0fd7c5969a7c3de5a2dcf54812e7b6

    • C:\Users\Admin\Downloads\cache.txt

      Filesize

      2KB

      MD5

      9378fe1ea6214f46fa82f9a189713001

      SHA1

      84fb19d5c4ecb064a487795fa996f2fa9987f814

      SHA256

      7f59c5a1053b612864c744e60d2f6e627775776007ac54652b6d30b1f502466b

      SHA512

      b9e0e5ce426d4fc10bde0d42c1e7416ed70a2ce667dd0b5f782513ed3158b882de374fcca18afa918f311ba7b5c57acd7d5f1526e7c0f90d8eddd8b6578086a2

    • memory/1900-1889-0x0000000140000000-0x000000014013E000-memory.dmp

      Filesize

      1.2MB

    • memory/1900-1887-0x0000000140000000-0x000000014013E000-memory.dmp

      Filesize

      1.2MB

    • memory/3504-1843-0x00007FFADD8A0000-0x00007FFADD8B0000-memory.dmp

      Filesize

      64KB

    • memory/3504-1842-0x00007FFADD8A0000-0x00007FFADD8B0000-memory.dmp

      Filesize

      64KB

    • memory/3504-1838-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB

    • memory/3504-1883-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB

    • memory/3504-1882-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB

    • memory/3504-1881-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB

    • memory/3504-1880-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB

    • memory/3504-1839-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB

    • memory/3504-1840-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB

    • memory/3504-1841-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB

    • memory/3504-1837-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp

      Filesize

      64KB