meduza | 6d38c8152edc5634fa7cae67424a5b28e1dca4b1037d99704c331c91faca77b7

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

drop1.exe
Size

2.4MB
MD5

cf2ac2dce038a884fce94f9350327033
SHA1

a2d1c361993e3b1b3289e4905287cb2c9a1714de
SHA256

6d38c8152edc5634fa7cae67424a5b28e1dca4b1037d99704c331c91faca77b7
SHA512

635c847a0dba3dea3a902ab2394f466c7230e5d355c5a2aa6364b83fd7f9ab6bcc194d2dc6ae6d3b3b9623bfe110d3222bfddb2b5987ca77d95b7d871ef7a1df
SSDEEP

49152:mGnxuIaLAA4B6oztxtwt81xuIaLAA4B6oztxtwt8N:mi1NvztxuG1NvztxuU

Score

10^/10

meduza discovery stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 5 IoCs

resource	yara_rule
behavioral1/memory/2196-5-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/2196-11-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/2196-13-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/2196-8-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/2196-7-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza

Meduza family
meduza

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2432 set thread context of 2196	2432	drop1.exe	32

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2548	2196	WerFault.exe	32

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drop1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drop1.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2432 wrote to memory of 2196	2432	drop1.exe	32
PID 2196 wrote to memory of 2548	2196	drop1.exe	33
PID 2196 wrote to memory of 2548	2196	drop1.exe	33
PID 2196 wrote to memory of 2548	2196	drop1.exe	33
PID 2196 wrote to memory of 2548	2196	drop1.exe	33

C:\Users\Admin\AppData\Local\Temp\drop1.exe
"C:\Users\Admin\AppData\Local\Temp\drop1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\drop1.exe
  "C:\Users\Admin\AppData\Local\Temp\drop1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 188
    3⤵
    - Program crash
    PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-1-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-2-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-5-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-11-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-13-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2196-8-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-7-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2196-3-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2432-0-0x0000000000915000-0x0000000000916000-memory.dmp

Filesize
4KB

Download