Analysis

max time kernel: 45s
max time network: 38s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 20-12-2024 22:48

Static task: static1
Behavioral task: behavioral1
  Sample: Lost Wallet Finder.zip
  Resource: win10ltsc2021-20241023-en
Behavioral task: behavioral2
  Sample: Lost Wallet Finder.zip
  Resource: win11-20241007-en
General

Target: Lost Wallet Finder.zip
Size: 2.4MB
MD5: 1dd5938f1c9297734bb2f68320f1e15b
SHA1: 779f122ca36f99bd6c3d7f8487aeff9d899ab87b
SHA256: 7f4755eb840841ebd840f9573cf376b011afbf22829fbe2b7ac15df4167d99ac
SHA512: a4249b49d323a4a9fb052797fcd3bc6a57ae5273e6380c81ee309f2d42b944c5206784b4523c1a6ad814a844bf3accadfea5b32f202d3ba743780e9ac0419984
SSDEEP: 49152:gEatR/fPylEO4/oGnJ0f1WodLw221335IZgJUvwxuYdQIsUNpTO7/CAxe:4LfPy/knJyS5Kg6vwYYdVVC/ve
Malware Config

Extracted: meduza
109.107.181.162
anti_dbg: true
anti_vm: true
build_name: 84
extensions: none
grabber_max_size: 1.048576e+06
links: none
port: 15666
self_destruct: true
Signatures

Meduza Stealer payload (37 IoCs)
resource | yara_rule
behavioral1/memory/4612-25-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-34-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-35-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-31-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-30-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-28-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-29-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-23-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-37-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-41-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-40-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-36-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-48-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-49-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-55-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-52-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-76-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-100-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-101-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-95-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-94-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-91-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-89-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-88-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-83-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-77-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-73-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-71-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-70-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-67-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-65-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-64-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-61-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-59-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-58-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-53-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza
behavioral1/memory/4612-82-0x0000000140000000-0x00000001401FA000-memory.dmp | family_meduza

Meduza family
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | wallet-finder.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | wallet-finder.exe
Executes dropped EXE (4 IoCs)
pid | Process
3452 | wallet-finder.exe
4612 | wallet-finder.exe
2928 | wallet-finder.exe
2972 | wallet-finder.exe
Accesses Microsoft Outlook profiles (1 TTPs, 10 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | api.ipify.org
26 | api.ipify.org
42 | api.ipify.org
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3452 set thread context of 4612 | 3452 | wallet-finder.exe | 91
PID 2928 set thread context of 2972 | 2928 | wallet-finder.exe | 97
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 4 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4508 | PING.EXE
2252 | cmd.exe
1472 | cmd.exe
652 | PING.EXE
Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings | 7zFM.exe

Opens file in notepad (likely ransom note) (1 IoCs)
pid | Process
4540 | NOTEPAD.EXE

Runs ping.exe (1 TTPs, 2 IoCs)
pid | Process
4508 | PING.EXE
652 | PING.EXE
Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
4612 | wallet-finder.exe
4612 | wallet-finder.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
2972 | wallet-finder.exe
2972 | wallet-finder.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3200 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 3200 | 7zFM.exe
Token: 35 | 3200 | 7zFM.exe
Token: SeSecurityPrivilege | 3200 | 7zFM.exe
Token: SeSecurityPrivilege | 3200 | 7zFM.exe
Token: SeSecurityPrivilege | 3200 | 7zFM.exe
Token: SeDebugPrivilege | 4612 | wallet-finder.exe
Token: SeImpersonatePrivilege | 4612 | wallet-finder.exe
Token: SeSecurityPrivilege | 3200 | 7zFM.exe
Token: SeDebugPrivilege | 2972 | wallet-finder.exe
Token: SeImpersonatePrivilege | 2972 | wallet-finder.exe
Token: SeSecurityPrivilege | 3200 | 7zFM.exe

Suspicious use of FindShellTrayWindow (7 IoCs)
pid | Process
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe
3200 | 7zFM.exe

Suspicious use of WriteProcessMemory (34 IoCs)
description | pid | Process | procid_target
PID 3200 wrote to memory of 4540 | 3200 | 7zFM.exe | 81
PID 3200 wrote to memory of 4540 | 3200 | 7zFM.exe | 81
PID 3200 wrote to memory of 3452 | 3200 | 7zFM.exe | 89
PID 3200 wrote to memory of 3452 | 3200 | 7zFM.exe | 89
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 3452 wrote to memory of 4612 | 3452 | wallet-finder.exe | 91
PID 4612 wrote to memory of 2252 | 4612 | wallet-finder.exe | 92
PID 4612 wrote to memory of 2252 | 4612 | wallet-finder.exe | 92
PID 2252 wrote to memory of 4508 | 2252 | cmd.exe | 94
PID 2252 wrote to memory of 4508 | 2252 | cmd.exe | 94
PID 3200 wrote to memory of 2928 | 3200 | 7zFM.exe | 96
PID 3200 wrote to memory of 2928 | 3200 | 7zFM.exe | 96
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2928 wrote to memory of 2972 | 2928 | wallet-finder.exe | 97
PID 2972 wrote to memory of 1472 | 2972 | wallet-finder.exe | 98
PID 2972 wrote to memory of 1472 | 2972 | wallet-finder.exe | 98
PID 1472 wrote to memory of 652 | 1472 | cmd.exe | 100
PID 1472 wrote to memory of 652 | 1472 | cmd.exe | 100

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wallet-finder.exe
Processes

C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Lost Wallet Finder.zip"
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 3200

  C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO08CB8577\password.txt
    - Opens file in notepad (likely ransom note)
    PID: 4540

  C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3452

    C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4612

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO08CED987\wallet-finder.exe"
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2252

        C:\Windows\system32\PING.EXE
          Command line: ping 1.1.1.1 -n 1 -w 3000
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 4508

  C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2928

    C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      PID: 2972

      C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\7zO08C4AAD7\wallet-finder.exe"
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1472

        C:\Windows\system32\PING.EXE
          Command line: ping 1.1.1.1 -n 1 -w 3000
          - System Network Configuration Discovery: Internet Connection Discovery
          - Runs ping.exe
          PID: 652
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 67e486b2f148a3fca863728242b6273e
SHA1: 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256: facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512: d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Filesize: 436B
MD5: 971c514f84bba0785f80aa1c23edfd79
SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize: 174B
MD5: 8ae63b2fe7d1c592ee45c6004741117f
SHA1: 41999bcff2d94b0db50c0295df53781845a449f3
SHA256: e0210038db13056a17c540572f4925bc11d90d277e0ad40dc9b5c204912da77b
SHA512: 55e1e9b578032e75d61c6d8663b399b50d5bd3df5f4b67c8609e16e2c6e6a8d35c4f4d05b9063afacb83fd231e21eb033e5d73ce1290175f87e709d4c572a781

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize: 170B
MD5: 92e58c80cb5241a2d91c3744c15a89e7
SHA1: 6acbc268dd05d0dbe4dfed7ae7bb8aa9fdc3c2f7
SHA256: 9b68290706ac16440a23d9b5d0e3bc3bc83f318db2f6e143b3ecc8dd21700edb
SHA512: 816159e7f94aab5bac3bf2476eac3269e481da98b6cfc492e18850267b2a442fc6cbe0f1745e0142f75c1fd4eb17de6a1720e59247fa5feabbe88672c79e9e63

Filesize: 23B
MD5: 39a8ec593975178e252e9b88a162aced
SHA1: 39e71e78bf8fc7e34a3ad588e8a8463dc09e4921
SHA256: fd8c6dc96fa9de02647b7eba02928a6b27d5e7212cc1f4ea0c2d2bb0f7e7ce2c
SHA512: c8a1165daaeeccb4455b3f6df751ebc18bb2203d2f3ecda9440619bd65a4b91527f463e79ccb5f4497f7d9f134aa6a34251332b063663a02be5661c61d8dcdfc

Filesize: 4.1MB
MD5: 12c13fbc1cb91f08144e44c5ed0f350c
SHA1: accc1f7ea8be71ff2b5126d9c68d8b36a1be9afb
SHA256: ea802b3b7bb8e2c558e14d6a946231dfa0f22e746e622296ce60babd10511f9f
SHA512: c4f93dd2129ae77fd5810d623ec55f16448738bf7b4b324d4a4a5530ff4f0dbe639fb7c23d7216b96b08171f28e86852ee859b2cde3a12023b2c10555405fe91