meduza | 93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29

General

Target

93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
Size

4.1MB
MD5

dd0b9382bc7d77840b168800bc8cb812
SHA1

d5b635efbf79662929b311572e41d7ea612749cc
SHA256

93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29
SHA512

d59b6f1496eade71a929c054523fa4815b5786226e0f1a62a6c0855ce5f2d2759ade49f1c00f657474c87a0d0a8a01fbc49644a766dde3556ccc9994152679de
SSDEEP

49152:qxGK0l3e3uIR/ubXjQI9WOizBV4gxvQwnZ:qxGK09yuyZ

Score

10^/10

meduza stealer

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Work
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/212-4-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral2/memory/212-6-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral2/memory/212-5-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza
behavioral2/memory/212-7-0x0000000140000000-0x000000014013E000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe

description	pid	process	target process
PID 2980 set thread context of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe

description	pid	process
Token: SeDebugPrivilege	212	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
Token: SeImpersonatePrivilege	212	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe

description	pid	process	target process
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
PID 2980 wrote to memory of 212	2980	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe	93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe

C:\Users\Admin\AppData\Local\Temp\93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
"C:\Users\Admin\AppData\Local\Temp\93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
  C:\Users\Admin\AppData\Local\Temp\93626f2a12a4ab1fbe7e284af0a3368c4041e58428f18429acc64d3f09067a29.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/212-4-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/212-6-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/212-5-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/212-7-0x0000000140000000-0x000000014013E000-memory.dmp

Filesize
1.2MB

Download
memory/2980-0-0x00007FF5F7B00000-0x00007FF5F7B01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads