Malware Analysis Report

2024-11-13 16:32

Sample ID 241107-ayf3qstmgk
Target MM2 Dupe Menu.rar
SHA256 025ce57b2a4f3f3bb3c0a4606200b748ecec5da12f76d43d358e24fb9e1331b3
Tags meduza collection discovery spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 025ce57b2a4f3f3bb3c0a4606200b748ecec5da12f76d43d358e24fb9e1331b3

Threat Level: Known bad

The file MM2 Dupe Menu.rar was found to be: Known bad.

Malicious Activity Summary

meduza collection discovery spyware stealer

Meduza Stealer payload

Meduza family

Meduza

Executes dropped EXE

Reads user/profile data of web browsers

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Browser Information Discovery

Modifies registry class

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note)

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

outlook_win_path

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-07 00:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-07 00:37
Reported 2024-11-07 00:39
Platform win11-20241007-en
Max time kernel 108s
Max time network 117s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MM2 Dupe Menu.rar"

Signatures

Meduza

stealer meduza

Meduza Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Meduza family

meduza

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2564 set thread context of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\System32\cmd.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Opens file in notepad (likely ransom note)

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A
N/A | N/A | C:\Program Files\Microsoft Office\root\Office16\Winword.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3588 wrote to memory of 3504 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\Microsoft Office\root\Office16\Winword.exe
PID 3588 wrote to memory of 3504 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\Microsoft Office\root\Office16\Winword.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 2564 wrote to memory of 1900 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe
PID 1900 wrote to memory of 1660 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Windows\System32\cmd.exe
PID 1900 wrote to memory of 1660 | N/A | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | C:\Windows\System32\cmd.exe
PID 1660 wrote to memory of 1528 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1660 wrote to memory of 1528 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Downloads\MM2 Dupe Menu.exe | N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MM2 Dupe Menu.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\root\Office16\Winword.exe

"C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\Bin\.github\config.yml"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\cache.txt

C:\Users\Admin\Downloads\MM2 Dupe Menu.exe

"C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"

C:\Users\Admin\Downloads\MM2 Dupe Menu.exe

"C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Downloads\MM2 Dupe Menu.exe"

C:\Windows\system32\PING.EXE

ping 1.1.1.1 -n 1 -w 3000

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp
NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp
DE | 109.107.181.162:15666 | (none) | tcp
US | 104.26.12.205:443 | api.ipify.org | tcp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp

Files

C:\Users\Admin\Downloads\Bin\CefSharp.WinForms.Example\InputBox.resx

MD5 96ba0a444d087ae06f32319ca4f0a3e4
SHA1 e3e08973b3d47c1ad51ccb133315b6242e275f0f
SHA256 4d3ee9059f5b98ab1806f6916ebea2a8c56023f8c63ddfd80b7378d27d1aa0f6
SHA512 571d4083c76428d8c3914b2bc1281cc79ed4603b5fe0e3e82ee58dad488fcfe7f797a45b0ea7f14841a2a100656f059c186b7338ce33beb910cdddbf9ee70cbb

C:\Users\Admin\Downloads\Bin\CefSharp.WinForms.Example\Minimal\SimpleBrowserForm.resx

MD5 acf1b05492690986de975cc951713f41
SHA1 4a1e6613293b6612f4d337dd287d2635e4f4bc24
SHA256 3a1ddccce264591f183029e77e134cedb7fdd0e0e71bb86977948c4b27b364fa
SHA512 1ef8b7b3cac0c57a7c02781031250205ecd60b5427296c9334d2638d3dba963eb6adaa0034b487c3e1de9da91b82ca59014159a7e12c8b4003ea93a8d9e20bb1

C:\Users\Admin\Downloads\Bin\CefSharp.Wpf.Example\crash_reporter.cfg

MD5 1526412e88f6bc33fbd9047273a22da4
SHA1 f97303c189babc8b02998afeb6996c33355a81d4
SHA256 fee8c2493438f968b69dd470d71e6250b5068c5ebf8e3c0eeed90eba586a9fb3
SHA512 5baf61ec1d1bccfb0e91dca95c5d8075c6c498356bf207ae3a8087e86794f463ad51496725efab1bf26e126107301b0a0ee745a72d041e8dd5322437ce4abacc

C:\Users\Admin\Downloads\Bin\.github\config.yml

MD5 a19e08ca20bf7759f84007cb46051d6b
SHA1 e736f37d53c74f54a84e8a217b2c09231aaabe68
SHA256 dd8c19750853958c15fb93f18af25690f9b5dff02eed7c51b9fa54ad43d0ca6b
SHA512 00202b3957e9192e9580ec1a787f2df0bc8945299a4f452435e62b3bf3c783a4163ca4098f4bd3eba5f1b42b5ab6d4697c1814eca01bf3f0f839f2db8bb0884f

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

MD5 f8f08ce29faf23a959b7cfcb0b3267b1
SHA1 93e6b2b0e2c70e92aec11b3e522c4b11c15dc85b
SHA256 94de44d1b5a8da78159bb473958b77fd28f082edd58ce33d5245cac337b2650b
SHA512 30e3d1e8b67cb77b80e3602532e9b6318dadde57212d82da4129ca9665016f92e5fde7bd182080843eee67921d66faadd869c035bf6ebf3f0f531692034fc93c

C:\Users\Admin\Downloads\cache.txt

MD5 9378fe1ea6214f46fa82f9a189713001
SHA1 84fb19d5c4ecb064a487795fa996f2fa9987f814
SHA256 7f59c5a1053b612864c744e60d2f6e627775776007ac54652b6d30b1f502466b
SHA512 b9e0e5ce426d4fc10bde0d42c1e7416ed70a2ce667dd0b5f782513ed3158b882de374fcca18afa918f311ba7b5c57acd7d5f1526e7c0f90d8eddd8b6578086a2

C:\Users\Admin\Downloads\MM2 Dupe Menu.exe

MD5 e1d057461037edf37f4ae3b9ba9c9ec8
SHA1 861a8ba42a51589f81f721551199d727b2427f69
SHA256 4357da9769eb4e22f21258ee7443012b4e53e853521ea2bafe6de4b1051bdc44
SHA512 9f7951b8313a717197be65f3594ba0e321327a2b5d84af90758c7637c8a16c70ff08202ebe0be3fb5b8d3c726bf04836ce0fd7c5969a7c3de5a2dcf54812e7b6
