Analysis Overview
SHA256
025ce57b2a4f3f3bb3c0a4606200b748ecec5da12f76d43d358e24fb9e1331b3
Threat Level: Known bad
The file MM2 Dupe Menu.rar was found to be: Known bad.
Malicious Activity Summary
Meduza Stealer payload
Meduza family
Meduza
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks installed software on the system
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Browser Information Discovery
Modifies registry class
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Opens file in notepad (likely ransom note)
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
outlook_win_path
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 00:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 00:37
Reported
2024-11-07 00:39
Platform
win11-20241007-en
Max time kernel
108s
Max time network
117s
Command Line
Signatures
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Meduza family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2564 set thread context of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe |
Browser Information Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MM2 Dupe Menu.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Microsoft Office\root\Office16\Winword.exe
"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Bin\.github\config.yml"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\cache.txt
C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
"C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"
C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
"C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"
C:\Windows\system32\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| DE | 109.107.181.162:15666 | tcp | |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
Files
C:\Users\Admin\Downloads\Bin\CefSharp.WinForms.Example\InputBox.resx
| MD5 | 96ba0a444d087ae06f32319ca4f0a3e4 |
| SHA1 | e3e08973b3d47c1ad51ccb133315b6242e275f0f |
| SHA256 | 4d3ee9059f5b98ab1806f6916ebea2a8c56023f8c63ddfd80b7378d27d1aa0f6 |
| SHA512 | 571d4083c76428d8c3914b2bc1281cc79ed4603b5fe0e3e82ee58dad488fcfe7f797a45b0ea7f14841a2a100656f059c186b7338ce33beb910cdddbf9ee70cbb |
C:\Users\Admin\Downloads\Bin\CefSharp.WinForms.Example\Minimal\SimpleBrowserForm.resx
| MD5 | acf1b05492690986de975cc951713f41 |
| SHA1 | 4a1e6613293b6612f4d337dd287d2635e4f4bc24 |
| SHA256 | 3a1ddccce264591f183029e77e134cedb7fdd0e0e71bb86977948c4b27b364fa |
| SHA512 | 1ef8b7b3cac0c57a7c02781031250205ecd60b5427296c9334d2638d3dba963eb6adaa0034b487c3e1de9da91b82ca59014159a7e12c8b4003ea93a8d9e20bb1 |
C:\Users\Admin\Downloads\Bin\CefSharp.Wpf.Example\crash_reporter.cfg
| MD5 | 1526412e88f6bc33fbd9047273a22da4 |
| SHA1 | f97303c189babc8b02998afeb6996c33355a81d4 |
| SHA256 | fee8c2493438f968b69dd470d71e6250b5068c5ebf8e3c0eeed90eba586a9fb3 |
| SHA512 | 5baf61ec1d1bccfb0e91dca95c5d8075c6c498356bf207ae3a8087e86794f463ad51496725efab1bf26e126107301b0a0ee745a72d041e8dd5322437ce4abacc |
C:\Users\Admin\Downloads\Bin\.github\config.yml
| MD5 | a19e08ca20bf7759f84007cb46051d6b |
| SHA1 | e736f37d53c74f54a84e8a217b2c09231aaabe68 |
| SHA256 | dd8c19750853958c15fb93f18af25690f9b5dff02eed7c51b9fa54ad43d0ca6b |
| SHA512 | 00202b3957e9192e9580ec1a787f2df0bc8945299a4f452435e62b3bf3c783a4163ca4098f4bd3eba5f1b42b5ab6d4697c1814eca01bf3f0f839f2db8bb0884f |
memory/3504-1837-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
memory/3504-1841-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
memory/3504-1840-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
memory/3504-1839-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
memory/3504-1838-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
memory/3504-1842-0x00007FFADD8A0000-0x00007FFADD8B0000-memory.dmp
memory/3504-1843-0x00007FFADD8A0000-0x00007FFADD8B0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | f8f08ce29faf23a959b7cfcb0b3267b1 |
| SHA1 | 93e6b2b0e2c70e92aec11b3e522c4b11c15dc85b |
| SHA256 | 94de44d1b5a8da78159bb473958b77fd28f082edd58ce33d5245cac337b2650b |
| SHA512 | 30e3d1e8b67cb77b80e3602532e9b6318dadde57212d82da4129ca9665016f92e5fde7bd182080843eee67921d66faadd869c035bf6ebf3f0f531692034fc93c |
memory/3504-1883-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
memory/3504-1882-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
memory/3504-1881-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
memory/3504-1880-0x00007FFAE0170000-0x00007FFAE0180000-memory.dmp
C:\Users\Admin\Downloads\cache.txt
| MD5 | 9378fe1ea6214f46fa82f9a189713001 |
| SHA1 | 84fb19d5c4ecb064a487795fa996f2fa9987f814 |
| SHA256 | 7f59c5a1053b612864c744e60d2f6e627775776007ac54652b6d30b1f502466b |
| SHA512 | b9e0e5ce426d4fc10bde0d42c1e7416ed70a2ce667dd0b5f782513ed3158b882de374fcca18afa918f311ba7b5c57acd7d5f1526e7c0f90d8eddd8b6578086a2 |
C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
| MD5 | e1d057461037edf37f4ae3b9ba9c9ec8 |
| SHA1 | 861a8ba42a51589f81f721551199d727b2427f69 |
| SHA256 | 4357da9769eb4e22f21258ee7443012b4e53e853521ea2bafe6de4b1051bdc44 |
| SHA512 | 9f7951b8313a717197be65f3594ba0e321327a2b5d84af90758c7637c8a16c70ff08202ebe0be3fb5b8d3c726bf04836ce0fd7c5969a7c3de5a2dcf54812e7b6 |
memory/1900-1887-0x0000000140000000-0x000000014013E000-memory.dmp
memory/1900-1889-0x0000000140000000-0x000000014013E000-memory.dmp