Analysis Overview
SHA256
ca130b3fce182c547d93de04d673c6456f16e1eb73ce941dc7dd2c3c7d62ae5b
Threat Level: Known bad
The file 2024-11-19_394797ab6934f4db2364f672feed7669_ryuk was found to be: Known bad.
Malicious Activity Summary
Meduza family
Meduza
Meduza Stealer payload
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Checks installed software on the system
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Browser Information Discovery
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 01:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 01:33
Reported
2024-11-19 01:35
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2384 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 01:33
Reported
2024-11-19 01:35
Platform
win10v2004-20241007-en
Max time kernel
96s
Max time network
148s
Command Line
Signatures
Meduza
Meduza Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Meduza family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3200 set thread context of 1300 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe |
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-19_394797ab6934f4db2364f672feed7669_ryuk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 109.107.181.162:15666 | | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 162.181.107.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files