Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-12-2024 04:13

General

  • Target

    4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe

  • Size

    2.6MB

  • MD5

    41f92168b17f6f6e3f0c2dd847b8790c

  • SHA1

    d72086c8d7cf22ee4a212a8aafbf2c1cfbb68db4

  • SHA256

    4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc

  • SHA512

    51993dd5aed96c4dc4863ad9126be8f8e651b363cde9042561fc9fa1c9f19febacc786c9dbde8c148cd6eaf28b536e3056582e5413e507f67d4981ddde8a001f

  • SSDEEP

    24576:V9L8hJZ4uB+Ch0lhSMXlnwgT59w2/rbS43qtrtgBGVb5Q:PL8hD4auX/weJBGs

Score
10/10

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Student

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    3.145728e+06

  • port

    15666

  • self_destruct

    true

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 12 IoCs
  • Meduza family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe
    "C:\Users\Admin\AppData\Local\Temp\4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1628 -s 620
      2⤵
        PID:2652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1628-1-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-7-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-3-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-4-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-6-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-10-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-2-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-9-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-11-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-14-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-16-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB

    • memory/1628-12-0x0000000001E40000-0x000000000203A000-memory.dmp

      Filesize

      2.0MB