Analysis

  • max time kernel
    45s
  • max time network
    38s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    20-12-2024 22:48

General

  • Target

    Lost Wallet Finder.zip

  • Size

    2.4MB

  • MD5

    1dd5938f1c9297734bb2f68320f1e15b

  • SHA1

    779f122ca36f99bd6c3d7f8487aeff9d899ab87b

  • SHA256

    7f4755eb840841ebd840f9573cf376b011afbf22829fbe2b7ac15df4167d99ac

  • SHA512

    a4249b49d323a4a9fb052797fcd3bc6a57ae5273e6380c81ee309f2d42b944c5206784b4523c1a6ad814a844bf3accadfea5b32f202d3ba743780e9ac0419984

  • SSDEEP

    49152:gEatR/fPylEO4/oGnJ0f1WodLw221335IZgJUvwxuYdQIsUNpTO7/CAxe:4LfPy/knJyS5Kg6vwYYdVVC/ve

Malware Config

Extracted

Family

meduza

C2

109.107.181.162

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    84

  • extensions

    none

  • grabber_max_size

    1048576 (1 MiB)

  • links

    none

  • port

    15666

  • self_destruct

    true

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 37 IoCs
  • Meduza family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, most likely used as a geofence to skip victims in excluded locales.

  • Executes dropped EXE 4 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs

    Generic heuristic: in this run the file opened is password.txt extracted from the archive (the password for the protected zip), not a ransom note.
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lost Wallet Finder.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3200
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO08CB8577\password.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:4540
    • C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe
        C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4612
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe"
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:2252
          • C:\Windows\system32\PING.EXE
            ping 1.1.1.1 -n 1 -w 3000
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4508
    • C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe
        C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:2972
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe"
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1472
          • C:\Windows\system32\PING.EXE
            ping 1.1.1.1 -n 1 -w 3000
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:652
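The process tree above shows two patterns worth detecting in endpoint telemetry: wallet-finder.exe spawning a second copy of its own image with an unquoted command line (consistent with the SetThreadContext signature and the memory dumps at 0x140000000 in the child), and the self_destruct chain cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "<own path>". The following is an added example for this page, not sandbox or Meduza code: it models process-creation events with constructed records built from the PIDs and command lines in the report plus one benign control, and flags both patterns. The event shape, the regex and the parent-image comparison are this example's own design; the field names are an assumption, not any specific product's schema.

```python
"""Flag (1) ping-delay-then-delete self-destruct chains and (2) a process
spawning a child with its own image, over process-creation events."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the report's process tree (PIDs and
# command lines taken from the report; PID 1000 and the last record are invented
# as a parent placeholder and a benign control).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(3200, 1000, r"C:\Program Files\7-Zip\7zFM.exe",
              r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lost Wallet Finder.zip"'),
    ProcEvent(3452, 3200, r"C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe"'),
    ProcEvent(4612, 3452, r"C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe",
              r"C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe"),
    ProcEvent(2252, 4612, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q '
              r'"C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe"'),
    ProcEvent(4508, 2252, r"C:\Windows\system32\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    # benign control: a plain delete without the ping delay must not fire
    ProcEvent(5000, 1000, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C del /q C:\Temp\old.log'),
]

# ping <host> -n <count> [-w <ms>] ... & del [/f] [/q] "<target>"
SELF_DELETE_RE = re.compile(
    r'ping\s+\S+\s+-n\s+\d+(?:\s+-w\s+(?P<wait_ms>\d+))?.*?&\s*del\s+'
    r'(?:/[fq]\s+)*"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def find_self_delete_chains(events: List[ProcEvent]) -> List[Dict]:
    """cmd.exe invocations that sleep via ping and then delete an executable.
    The strongest signal is when the deleted file is the parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("cmd.exe"):
            continue
        m = SELF_DELETE_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target").strip()
        parent = by_pid.get(e.ppid)
        hits.append({
            "cmd_pid": e.pid,
            "parent_pid": e.ppid,
            "target": target,
            "wait_ms": int(m.group("wait_ms")) if m.group("wait_ms") else None,
            "deletes_parent": parent is not None and parent.image.lower() == target.lower(),
        })
    return hits


def find_self_spawn(events: List[ProcEvent]) -> List[Dict]:
    """Child processes whose image equals the parent's image. Legitimate
    software does this too (browsers, updaters), so treat it as a weak signal
    and combine it with the unquoted command line and the self-delete chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            hits.append({
                "parent_pid": parent.pid,
                "child_pid": e.pid,
                "image": e.image,
                "unquoted_cmdline": not e.cmdline.startswith('"'),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(SAMPLE_EVENTS):
        print("self-delete:", hit)
    for hit in find_self_spawn(SAMPLE_EVENTS):
        print("self-spawn:", hit)
```

On the sample set this yields exactly one self-delete chain (cmd.exe PID 2252 deleting its parent's image after a 3000 ms ping wait) and one self-spawn pair (3452 → 4612, unquoted command line); the benign delete is not flagged. Correlating the two on the same parent PID, as the tree shows for 4612, is what separates this stealer's cleanup from an ordinary scripted delete.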

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

    Filesize

    1KB

    MD5

    67e486b2f148a3fca863728242b6273e

    SHA1

    452a84c183d7ea5b7c015b597e94af8eef66d44a

    SHA256

    facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

    SHA512

    d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

    Filesize

    436B

    MD5

    971c514f84bba0785f80aa1c23edfd79

    SHA1

    732acea710a87530c6b08ecdf32a110d254a54c8

    SHA256

    f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

    SHA512

    43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

    Filesize

    174B

    MD5

    8ae63b2fe7d1c592ee45c6004741117f

    SHA1

    41999bcff2d94b0db50c0295df53781845a449f3

    SHA256

    e0210038db13056a17c540572f4925bc11d90d277e0ad40dc9b5c204912da77b

    SHA512

    55e1e9b578032e75d61c6d8663b399b50d5bd3df5f4b67c8609e16e2c6e6a8d35c4f4d05b9063afacb83fd231e21eb033e5d73ce1290175f87e709d4c572a781

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

    Filesize

    170B

    MD5

    92e58c80cb5241a2d91c3744c15a89e7

    SHA1

    6acbc268dd05d0dbe4dfed7ae7bb8aa9fdc3c2f7

    SHA256

    9b68290706ac16440a23d9b5d0e3bc3bc83f318db2f6e143b3ecc8dd21700edb

    SHA512

    816159e7f94aab5bac3bf2476eac3269e481da98b6cfc492e18850267b2a442fc6cbe0f1745e0142f75c1fd4eb17de6a1720e59247fa5feabbe88672c79e9e63

  • C:\Users\Admin\AppData\Local\Temp\7zO08CB8577\password.txt

    Filesize

    23B

    MD5

    39a8ec593975178e252e9b88a162aced

    SHA1

    39e71e78bf8fc7e34a3ad588e8a8463dc09e4921

    SHA256

    fd8c6dc96fa9de02647b7eba02928a6b27d5e7212cc1f4ea0c2d2bb0f7e7ce2c

    SHA512

    c8a1165daaeeccb4455b3f6df751ebc18bb2203d2f3ecda9440619bd65a4b91527f463e79ccb5f4497f7d9f134aa6a34251332b063663a02be5661c61d8dcdfc

  • C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe

    Filesize

    4.1MB

    MD5

    12c13fbc1cb91f08144e44c5ed0f350c

    SHA1

    accc1f7ea8be71ff2b5126d9c68d8b36a1be9afb

    SHA256

    ea802b3b7bb8e2c558e14d6a946231dfa0f22e746e622296ce60babd10511f9f

    SHA512

    c4f93dd2129ae77fd5810d623ec55f16448738bf7b4b324d4a4a5530ff4f0dbe639fb7c23d7216b96b08171f28e86852ee859b2cde3a12023b2c10555405fe91

  • memory/3452-19-0x00007FF5E7020000-0x00007FF5E7021000-memory.dmp

    Filesize

    4KB

  • memory/4612-95-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-88-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-29-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-23-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-37-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-41-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-40-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-36-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-48-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-49-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-55-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-52-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-76-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-100-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-101-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-30-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-94-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-91-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-89-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-28-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-83-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-77-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-73-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-71-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-70-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-67-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-65-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-64-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-61-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-59-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-58-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-53-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-82-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-31-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-35-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-34-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB

  • memory/4612-25-0x0000000140000000-0x00000001401FA000-memory.dmp

    Filesize

    2.0MB