meduza | 0ee6265fb360ff4f06ac38b3f69689d3e74889a8ed9f92c2cb21a90e9efb2263

Resubmissions

29/11/2024, 14:08

241129-rfpqlazjg1 10

29/11/2024, 14:03

241129-rcyjbsyrd1 10

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29/11/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxInjector.exe
Size

643.6MB
MD5

a726fea7cdd1d2a92cbeac73348b421e
SHA1

a5f69df93108582acc64f6dd657ba8bbcf3f59a0
SHA256

e64730dd7dafd54e6c2071bd4ea593183bea7f13cb9565b49868b791c0038fc1
SHA512

08eea35ade0f717e8e4dd642d3d6d43ccd9961744ce88847f8f6550c95b5c3e4262cda5587041f40fcb3151acdfee21341c3de014e244c167c0167bb2dce47dd
SSDEEP

196608:SQMOi4kWU+f6zuiVkwzAqdyT+Qf+RLmN45Rk:SQMOddff6PVkwttQf+RLy45R

Score

10^/10

meduza stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Work
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2948-13-0x0000000001CF0000-0x0000000001E2E000-memory.dmp	family_meduza
behavioral1/memory/2948-17-0x0000000001CF0000-0x0000000001E2E000-memory.dmp	family_meduza

Meduza family
meduza
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe

Loads dropped DLL 4 IoCs

pid	Process
1640	RobloxInjector.exe
2872	WerFault.exe
2872	WerFault.exe
2872	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
1632	timeout.exe
1488	timeout.exe
1964	timeout.exe
548	timeout.exe
1376	timeout.exe
2648	timeout.exe
2992	timeout.exe
1844	timeout.exe
3012	timeout.exe
2988	timeout.exe
2240	timeout.exe
2784	timeout.exe
1560	timeout.exe
2356	timeout.exe
1788	timeout.exe
1416	timeout.exe
1744	timeout.exe
2792	timeout.exe
2608	timeout.exe
1216	timeout.exe
1796	timeout.exe
852	timeout.exe
2968	timeout.exe
1460	timeout.exe
1500	timeout.exe
828	timeout.exe
2832	timeout.exe
448	timeout.exe
2848	timeout.exe
3036	timeout.exe
3004	timeout.exe
1976	timeout.exe
2760	timeout.exe
1760	timeout.exe
1956	timeout.exe
1504	timeout.exe
268	timeout.exe
2828	timeout.exe
2868	timeout.exe
1916	timeout.exe
1696	timeout.exe
2660	timeout.exe
1240	timeout.exe
1104	timeout.exe
2592	timeout.exe
2380	timeout.exe
2000	timeout.exe
2288	timeout.exe
1100	timeout.exe
3032	timeout.exe
1512	timeout.exe
2068	timeout.exe
600	timeout.exe
1720	timeout.exe
1980	timeout.exe
2844	timeout.exe
2024	timeout.exe
1904	timeout.exe
1784	timeout.exe
2224	timeout.exe
664	timeout.exe
1496	timeout.exe
2228	timeout.exe
2836	timeout.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	RobloxInjector.exe
Token: SeDebugPrivilege	2948	0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe
Token: SeImpersonatePrivilege	2948	0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2948	1640	RobloxInjector.exe	31
PID 1640 wrote to memory of 2948	1640	RobloxInjector.exe	31
PID 1640 wrote to memory of 2948	1640	RobloxInjector.exe	31
PID 2948 wrote to memory of 2872	2948	0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe	32
PID 2948 wrote to memory of 2872	2948	0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe	32
PID 2948 wrote to memory of 2872	2948	0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe	32
PID 1640 wrote to memory of 536	1640	RobloxInjector.exe	33
PID 1640 wrote to memory of 536	1640	RobloxInjector.exe	33
PID 1640 wrote to memory of 536	1640	RobloxInjector.exe	33
PID 536 wrote to memory of 2784	536	cmd.exe	35
PID 536 wrote to memory of 2784	536	cmd.exe	35
PID 536 wrote to memory of 2784	536	cmd.exe	35
PID 536 wrote to memory of 2648	536	cmd.exe	36
PID 536 wrote to memory of 2648	536	cmd.exe	36
PID 536 wrote to memory of 2648	536	cmd.exe	36
PID 536 wrote to memory of 2968	536	cmd.exe	37
PID 536 wrote to memory of 2968	536	cmd.exe	37
PID 536 wrote to memory of 2968	536	cmd.exe	37
PID 536 wrote to memory of 2760	536	cmd.exe	38
PID 536 wrote to memory of 2760	536	cmd.exe	38
PID 536 wrote to memory of 2760	536	cmd.exe	38
PID 536 wrote to memory of 2792	536	cmd.exe	39
PID 536 wrote to memory of 2792	536	cmd.exe	39
PID 536 wrote to memory of 2792	536	cmd.exe	39
PID 536 wrote to memory of 1512	536	cmd.exe	42
PID 536 wrote to memory of 1512	536	cmd.exe	42
PID 536 wrote to memory of 1512	536	cmd.exe	42
PID 536 wrote to memory of 1904	536	cmd.exe	43
PID 536 wrote to memory of 1904	536	cmd.exe	43
PID 536 wrote to memory of 1904	536	cmd.exe	43
PID 536 wrote to memory of 1632	536	cmd.exe	44
PID 536 wrote to memory of 1632	536	cmd.exe	44
PID 536 wrote to memory of 1632	536	cmd.exe	44
PID 536 wrote to memory of 268	536	cmd.exe	45
PID 536 wrote to memory of 268	536	cmd.exe	45
PID 536 wrote to memory of 268	536	cmd.exe	45
PID 536 wrote to memory of 2000	536	cmd.exe	46
PID 536 wrote to memory of 2000	536	cmd.exe	46
PID 536 wrote to memory of 2000	536	cmd.exe	46
PID 536 wrote to memory of 2608	536	cmd.exe	47
PID 536 wrote to memory of 2608	536	cmd.exe	47
PID 536 wrote to memory of 2608	536	cmd.exe	47
PID 536 wrote to memory of 2868	536	cmd.exe	48
PID 536 wrote to memory of 2868	536	cmd.exe	48
PID 536 wrote to memory of 2868	536	cmd.exe	48
PID 536 wrote to memory of 2832	536	cmd.exe	49
PID 536 wrote to memory of 2832	536	cmd.exe	49
PID 536 wrote to memory of 2832	536	cmd.exe	49
PID 536 wrote to memory of 1916	536	cmd.exe	50
PID 536 wrote to memory of 1916	536	cmd.exe	50
PID 536 wrote to memory of 1916	536	cmd.exe	50
PID 536 wrote to memory of 1216	536	cmd.exe	51
PID 536 wrote to memory of 1216	536	cmd.exe	51
PID 536 wrote to memory of 1216	536	cmd.exe	51
PID 536 wrote to memory of 1504	536	cmd.exe	52
PID 536 wrote to memory of 1504	536	cmd.exe	52
PID 536 wrote to memory of 1504	536	cmd.exe	52
PID 536 wrote to memory of 1560	536	cmd.exe	53
PID 536 wrote to memory of 1560	536	cmd.exe	53
PID 536 wrote to memory of 1560	536	cmd.exe	53
PID 536 wrote to memory of 2356	536	cmd.exe	54
PID 536 wrote to memory of 2356	536	cmd.exe	54
PID 536 wrote to memory of 2356	536	cmd.exe	54
PID 536 wrote to memory of 1696	536	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\RobloxInjector.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxInjector.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\ec08d170-d41b-49be-90b9-815366357fc0\0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe
  "C:\Users\Admin\AppData\Local\Temp\ec08d170-d41b-49be-90b9-815366357fc0\0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2948 -s 620
    3⤵
    - Loads dropped DLL
    PID:2872
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ec08d170-d41b-49be-90b9-815366357fc0\cleanup.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2784
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2648
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2968
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2760
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2792
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1512
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1904
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1632
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:268
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2000
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2608
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2868
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2832
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1916
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1216
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1504
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1560
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2356
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1696
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2848
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2288
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1488
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1788
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1760
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1964
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1416
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1980
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1796
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2988
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3012
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2836
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3036
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2992
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3004
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2844
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2828
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:548
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2660
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1240
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2024
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1784
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1460
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1956
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:852
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2224
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:448
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1100
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2240
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2068
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3032
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1500
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1976
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:600
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:664
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1376
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1844
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1104
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2592
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1744
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1496
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:1720
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:828
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2380
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2228

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ec08d170-d41b-49be-90b9-815366357fc0\cleanup.bat

Filesize
379B

MD5
e0d6a376d14a655dc3c72ddab179662f

SHA1
2dda72cd473894a32388ec2f309b72fad3e62e04

SHA256
001c74fbe12b266e468ca37c57f04445ab7246135f58ac350f07243542734878

SHA512
2cf279e22710673c979876c5d86c0f38f8209f39e3e23b71e3ec0c7d2c0953181f3a9e8a9eb6a5cb23c14e8fb352879ea3198b9e527ccddb36fda4b7199cb237

Download Submit
\Users\Admin\AppData\Local\Temp\ec08d170-d41b-49be-90b9-815366357fc0\0e9c76bc-9a35-40b3-b7fd-73fe1b5dd4ee.exe

Filesize
3.2MB

MD5
814a59368670f8d35ad8eb71ab874666

SHA1
ca386125774e35b84c16bacfbe52919a354434ac

SHA256
98d8aa77d46e09b79c04b5f4556b1d389c6f62549a5ac0f961a6d8f2961fa55d

SHA512
57c30c5838a59f7d82343d40cbb539a1405485f51ceaf6350c52b27b1e54d5a9c9e2b8e08a8a73644e1ddd2733135128b1339c53676ba770a3bd0d69f33c192f

Download Submit
memory/1640-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1640-1-0x0000000000300000-0x0000000001300000-memory.dmp

Filesize
16.0MB

Download
memory/1640-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-3-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1640-4-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-5-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-25-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-26-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2948-13-0x0000000001CF0000-0x0000000001E2E000-memory.dmp

Filesize
1.2MB

Download
memory/2948-17-0x0000000001CF0000-0x0000000001E2E000-memory.dmp

Filesize
1.2MB

Download