430854314514a8b8fde7be91dc96f8634da20cf3bde9ccb906639349f9a6117a

Analysis

max time kernel
30s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2024, 19:02 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meduza_1.exe
Size

1.2MB
MD5

9aedcb72e8e6d27e281aa0391466e4eb
SHA1

0cdd45297f891ac6781f40107e3f2136a053a43e
SHA256

f11831ae15f892b0d4e52c6f2044efdddc9597b0b61498764ef4783275b38097
SHA512

1c1b9907acab6d051b1e8af22953e360a0712c9b24f0d4f5ee095306db580ea48a59e1edffa19b52ae67a4babc955e0315e50bf0c43d8ce38908de28e36ccab8
SSDEEP

24576:iHKcpnRtu5KIl0gOuEu9FyDre6MRntt6bh0lhSMXlzsizw:venRtu57l0TuFoDrUV36qDY

Score

7^/10

collection discovery spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	meduza_1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
4	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
708	cmd.exe
1716	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1716	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1992	meduza_1.exe
1992	meduza_1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1992	meduza_1.exe
Token: SeImpersonatePrivilege	1992	meduza_1.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 708	1992	meduza_1.exe	94
PID 1992 wrote to memory of 708	1992	meduza_1.exe	94
PID 708 wrote to memory of 1716	708	cmd.exe	96
PID 708 wrote to memory of 1716	708	cmd.exe	96

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	meduza_1.exe

C:\Users\Admin\AppData\Local\Temp\meduza_1.exe
"C:\Users\Admin\AppData\Local\Temp\meduza_1.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\meduza_1.exe"
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3000
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1716

Network

DNS

api.ipify.org

meduza_1.exe

Remote address:

8.8.8.8:53

Request

api.ipify.org

IN A

Response

api.ipify.org

IN A

104.26.13.205

api.ipify.org

IN A

172.67.74.152

api.ipify.org

IN A

104.26.12.205
GET

https://api.ipify.org/

meduza_1.exe

Remote address:

104.26.13.205:443

Request

GET / HTTP/1.1
Accept: text/html; text/plain; */*
Host: api.ipify.org
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 13 Nov 2024 19:02:21 GMT
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
cf-cache-status: DYNAMIC
Server: cloudflare
CF-RAY: 8e2103fd0ad5cd60-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=26535&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3278&recv_bytes=402&delivery_rate=153298&cwnd=253&unsent_bytes=0&cid=243feba5322f60c4&ts=393&x=0"
DNS

162.181.107.109.in-addr.arpa

Remote address:

8.8.8.8:53

Request

162.181.107.109.in-addr.arpa

IN PTR

Response

162.181.107.109.in-addr.arpa

IN PTR

deluxe-quicksandaezanetwork
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

205.13.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

205.13.26.104.in-addr.arpa

IN PTR

Response
DNS

c.pki.goog

meduza_1.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

172.217.169.67
GET

http://c.pki.goog/r/gsr1.crl

meduza_1.exe

Remote address:

172.217.169.67:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 13 Nov 2024 18:56:50 GMT
Expires: Wed, 13 Nov 2024 19:46:50 GMT
Cache-Control: public, max-age=3000
Age: 330
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

meduza_1.exe

Remote address:

172.217.169.67:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 13 Nov 2024 18:56:50 GMT
Expires: Wed, 13 Nov 2024 19:46:50 GMT
Cache-Control: public, max-age=3000
Age: 330
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

83.210.23.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

83.210.23.2.in-addr.arpa

IN PTR

Response

83.210.23.2.in-addr.arpa

IN PTR

a2-23-210-83deploystaticakamaitechnologiescom
DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

67.169.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.169.217.172.in-addr.arpa

IN PTR

Response

67.169.217.172.in-addr.arpa

IN PTR

lhr48s09-in-f31e100net
DNS

72.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

72.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response

109.107.181.162:15666

meduza_1.exe

13.0MB
171.2kB
10528
3587
104.26.13.205:443

https://api.ipify.org/

tls, http

meduza_1.exe

896 B
4.1kB
11
8

HTTP Request

GET https://api.ipify.org/

HTTP Response

200
172.217.169.67:80

http://c.pki.goog/r/r4.crl

http

meduza_1.exe

556 B
3.8kB
7
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
52.149.20.212:443

8.8.8.8:53

api.ipify.org

dns

meduza_1.exe

59 B
107 B
1
1

DNS Request

api.ipify.org

DNS Response

104.26.13.205

172.67.74.152

104.26.12.205
8.8.8.8:53

162.181.107.109.in-addr.arpa

dns

74 B
117 B
1
1

DNS Request

162.181.107.109.in-addr.arpa
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

205.13.26.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

205.13.26.104.in-addr.arpa
8.8.8.8:53

c.pki.goog

dns

meduza_1.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

172.217.169.67
8.8.8.8:53

83.210.23.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

83.210.23.2.in-addr.arpa
8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

67.169.217.172.in-addr.arpa

dns

73 B
111 B
1
1

DNS Request

67.169.217.172.in-addr.arpa
8.8.8.8:53

72.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

72.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53