Overview

overview

10

Static

static

3

gem1.exe

windows7-x64

10

gem1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    10-01-2025 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gem1.exe

  • Size

    1.1MB

  • MD5

    d61ac037c333f1bc288c1a96a4db7c21

  • SHA1

    777228616a18b98103594276775188b5e138fa11

  • SHA256

    f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896

  • SHA512

    1aae796964099e22c3ebf8632ded9a451f01161ca6d837cd447524c58088ab05e0cfff6d297495e97b3b1a370b98b563937334f0306095b8c625641430288999

  • SSDEEP

    24576:R06mH2AfjusEQ3MWTwGxXjbAnpiYQ7eVGKtFwVrJL/tXjuD/:RLmH2AfisEQ5XInpI74arx/tXj+/

Score
10/10
meduzacollectiondiscoveryspywarestealer

Malware Config

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 8 IoCs
  • Meduza family
    meduza
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gem1.exe
    "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\gem1.exe
      "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
      2⤵
        PID:2896
      • C:\Users\Admin\AppData\Local\Temp\gem1.exe
        "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
        2⤵
          PID:2924
        • C:\Users\Admin\AppData\Local\Temp\gem1.exe
          "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
          2⤵
            PID:3060
          • C:\Users\Admin\AppData\Local\Temp\gem1.exe
            "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
            2⤵
              PID:2828
            • C:\Users\Admin\AppData\Local\Temp\gem1.exe
              "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
              2⤵
                PID:2804
              • C:\Users\Admin\AppData\Local\Temp\gem1.exe
                "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
                2⤵
                  PID:3048
                • C:\Users\Admin\AppData\Local\Temp\gem1.exe
                  "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
                  2⤵
                    PID:2680
                  • C:\Users\Admin\AppData\Local\Temp\gem1.exe
                    "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
                    2⤵
                    • Checks computer location settings
                    • Accesses Microsoft Outlook profiles
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • outlook_office_path
                    • outlook_win_path
                    PID:2568
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 556
                    2⤵
                    • Program crash
                    PID:2868

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/1604-0-0x0000000074B9E000-0x0000000074B9F000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1604-1-0x00000000001C0000-0x00000000002EE000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/1604-31-0x0000000074B90000-0x000000007527E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/1604-14-0x0000000074B90000-0x000000007527E000-memory.dmp

                  Filesize

                  6.9MB

                  Download

                • memory/2568-4-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-7-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-6-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-5-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-8-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-3-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-13-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2568-15-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-12-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-32-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/2568-33-0x0000000000400000-0x0000000000526000-memory.dmp

                  Filesize

                  1.1MB

                  Download