Analysis
-
max time kernel
95s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-12-2024 17:12
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20241007-en
General
-
Target
file.exe
-
Size
4.1MB
-
MD5
399b2859420738500eb977f816fe61e1
-
SHA1
3136c6ce4de53ee344f51d99606bdd68b2116767
-
SHA256
c611fe9b5ae81cc5cce3c7f428d98e082898ee4e76c8566100ac41527e4c9a18
-
SHA512
1bfa955fc301ee63d3b5bfbcea2e9bd9d9df8ff01ed634e6b6eb01b287cac437d08af9d4e61da21d2fd3ecc3297a8cf1c2f514cb0e178b63be65e366991da086
-
SSDEEP
49152:Xl4UjB0jUu8Xywd2qeDScrUXVIqWLskA:14UjKgufA
Malware Config
Extracted
meduza
5.252.155.28
-
anti_dbg
true
-
anti_vm
true
-
build_name
824
-
extensions
none
-
grabber_max_size
1.048576e+06
-
links
none
-
port
15666
-
self_destruct
true
Signatures
-
Meduza Stealer payload 6 IoCs
resource yara_rule behavioral2/memory/808-4-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/808-5-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/808-6-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/808-7-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/808-16-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/808-17-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza -
Meduza family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation file.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 692 set thread context of 808 692 file.exe 82 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5016 cmd.exe 2244 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2244 PING.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 808 file.exe 808 file.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 808 file.exe Token: SeImpersonatePrivilege 808 file.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 692 wrote to memory of 808 692 file.exe 82 PID 808 wrote to memory of 5016 808 file.exe 90 PID 808 wrote to memory of 5016 808 file.exe 90 PID 5016 wrote to memory of 2244 5016 cmd.exe 92 PID 5016 wrote to memory of 2244 5016 cmd.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:808 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe"3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2244
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1