430854314514a8b8fde7be91dc96f8634da20cf3bde9ccb906639349f9a6117a

General

Target

meduza_1.exe
Size

1.2MB
MD5

9aedcb72e8e6d27e281aa0391466e4eb
SHA1

0cdd45297f891ac6781f40107e3f2136a053a43e
SHA256

f11831ae15f892b0d4e52c6f2044efdddc9597b0b61498764ef4783275b38097
SHA512

1c1b9907acab6d051b1e8af22953e360a0712c9b24f0d4f5ee095306db580ea48a59e1edffa19b52ae67a4babc955e0315e50bf0c43d8ce38908de28e36ccab8
SSDEEP

24576:iHKcpnRtu5KIl0gOuEu9FyDre6MRntt6bh0lhSMXlzsizw:venRtu57l0TuFoDrUV36qDY

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

meduza_1.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	meduza_1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

meduza_1.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	api.ipify.org
4	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
708	cmd.exe
1716	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1716	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

meduza_1.exe

pid	Process
1992	meduza_1.exe
1992	meduza_1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

meduza_1.exe

description	pid	Process
Token: SeDebugPrivilege	1992	meduza_1.exe
Token: SeImpersonatePrivilege	1992	meduza_1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

meduza_1.execmd.exe

description	pid	Process	procid_target
PID 1992 wrote to memory of 708	1992	meduza_1.exe	94
PID 1992 wrote to memory of 708	1992	meduza_1.exe	94
PID 708 wrote to memory of 1716	708	cmd.exe	96
PID 708 wrote to memory of 1716	708	cmd.exe	96

outlook_office_path 1 IoCs

Processes:

meduza_1.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe

outlook_win_path 1 IoCs

Processes:

meduza_1.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe

C:\Users\Admin\AppData\Local\Temp\meduza_1.exe
"C:\Users\Admin\AppData\Local\Temp\meduza_1.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\meduza_1.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1716