Resubmissions

14/01/2025, 00:57 UTC

250114-ba9ktaske1 10

13/01/2025, 23:05 UTC

250113-226lcasnam 10

Analysis

  • max time kernel
    96s
  • max time network
    208s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    14/01/2025, 00:57 UTC

General

  • Target

    gem1.exe

  • Size

    1.2MB

  • MD5

    b151d347d2f47dad2db0aa029dd6c9dd

  • SHA1

    8e191fc786e010f93c9bcc41de3a42e1e16fa345

  • SHA256

    5c0ead3d71e0c901aef2a4c7a2ad29212fcb9f8dc49c5e6b524f822ec65511fd

  • SHA512

    cb6e1d0d13a00713afc45557cff0a6d71024fda5d509356a04e09d0c999b219e221c3bdd7702043f1cb9290329c3fb9ad121168f60f5a94f5a0d50e45abdc81b

  • SSDEEP

    24576:RQu06mH2AfjusEQ3MWTwGxXjfAnpiYQ7eVGKtFwVrJa/tXjuD/:3LmH2AfisEQ5XEnpI74arM/tXj+/

Malware Config

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 6 IoCs
  • Meduza family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gem1.exe
    "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4500
    • C:\Users\Admin\AppData\Local\Temp\gem1.exe
      "C:\Users\Admin\AppData\Local\Temp\gem1.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 820
      2⤵
      • Program crash
      PID:3432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4500 -ip 4500
    1⤵
      PID:5112

Network

    • flag-us
      DNS
      api.ipify.org
      gem1.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ipify.org
      IN A
      Response
      api.ipify.org
      IN A
      104.26.13.205
      api.ipify.org
      IN A
      104.26.12.205
      api.ipify.org
      IN A
      172.67.74.152
    • flag-us
      GET
      https://api.ipify.org/
      gem1.exe
      Remote address:
      104.26.13.205:443
      Request
      GET / HTTP/1.1
      Accept: text/html; text/plain; */*
      Host: api.ipify.org
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Tue, 14 Jan 2025 00:57:49 GMT
      Content-Type: text/plain
      Content-Length: 14
      Connection: keep-alive
      Vary: Origin
      CF-Cache-Status: DYNAMIC
      Server: cloudflare
      CF-RAY: 9019ac94fa9963e0-LHR
      server-timing: cfL4;desc="?proto=TCP&rtt=48787&min_rtt=47393&rtt_var=9580&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3276&recv_bytes=402&delivery_rate=78042&cwnd=234&unsent_bytes=0&cid=6819e7bfaa27d820&ts=620&x=0"
    • flag-us
      DNS
      173.187.63.66.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      173.187.63.66.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      76.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      76.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      c.pki.goog
      gem1.exe
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.178.3
    • flag-gb
      GET
      http://c.pki.goog/r/gsr1.crl
      gem1.exe
      Remote address:
      142.250.178.3:80
      Request
      GET /r/gsr1.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 1739
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Tue, 14 Jan 2025 00:27:17 GMT
      Expires: Tue, 14 Jan 2025 01:17:17 GMT
      Cache-Control: public, max-age=3000
      Age: 1832
      Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • flag-gb
      GET
      http://c.pki.goog/r/r4.crl
      gem1.exe
      Remote address:
      142.250.178.3:80
      Request
      GET /r/r4.crl HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
      Cross-Origin-Resource-Policy: cross-origin
      Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
      Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
      Content-Length: 436
      X-Content-Type-Options: nosniff
      Server: sffe
      X-XSS-Protection: 0
      Date: Tue, 14 Jan 2025 00:38:41 GMT
      Expires: Tue, 14 Jan 2025 01:28:41 GMT
      Cache-Control: public, max-age=3000
      Age: 1148
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Content-Type: application/pkix-crl
      Vary: Accept-Encoding
    • flag-us
      DNS
      205.13.26.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      205.13.26.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      167.173.78.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      167.173.78.104.in-addr.arpa
      IN PTR
      Response
      167.173.78.104.in-addr.arpa
      IN PTR
      a104-78-173-167.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      86.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.49.80.91.in-addr.arpa
      IN PTR
      Response
    • 66.63.187.173:15666
      gem1.exe
      14.0MB
      215.0kB
      10119
      5047
    • 104.26.13.205:443
      https://api.ipify.org/
      tls, http
      gem1.exe
      896 B
      4.1kB
      11
      8

      HTTP Request

      GET https://api.ipify.org/

      HTTP Response

      200
    • 142.250.178.3:80
      http://c.pki.goog/r/r4.crl
      http
      gem1.exe
      556 B
      3.8kB
      7
      5

      HTTP Request

      GET http://c.pki.goog/r/gsr1.crl

      HTTP Response

      200

      HTTP Request

      GET http://c.pki.goog/r/r4.crl

      HTTP Response

      200
    • 8.8.8.8:53
      api.ipify.org
      dns
      gem1.exe
      59 B
      107 B
      1
      1

      DNS Request

      api.ipify.org

      DNS Response

      104.26.13.205
      104.26.12.205
      172.67.74.152

    • 8.8.8.8:53
      173.187.63.66.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      173.187.63.66.in-addr.arpa

    • 8.8.8.8:53
      76.32.126.40.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      76.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      c.pki.goog
      dns
      gem1.exe
      56 B
      107 B
      1
      1

      DNS Request

      c.pki.goog

      DNS Response

      142.250.178.3

    • 8.8.8.8:53
      205.13.26.104.in-addr.arpa
      dns
      72 B
      134 B
      1
      1

      DNS Request

      205.13.26.104.in-addr.arpa

    • 8.8.8.8:53
      167.173.78.104.in-addr.arpa
      dns
      73 B
      139 B
      1
      1

      DNS Request

      167.173.78.104.in-addr.arpa

    • 8.8.8.8:53
      86.49.80.91.in-addr.arpa
      dns
      70 B
      145 B
      1
      1

      DNS Request

      86.49.80.91.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

    • memory/1984-4-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

    • memory/1984-5-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

    • memory/1984-6-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

    • memory/1984-8-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

    • memory/1984-15-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

    • memory/1984-16-0x0000000000400000-0x0000000000526000-memory.dmp

      Filesize

      1.1MB

    • memory/4500-0-0x000000007493E000-0x000000007493F000-memory.dmp

      Filesize

      4KB

    • memory/4500-1-0x00000000000D0000-0x0000000000200000-memory.dmp

      Filesize

      1.2MB

    • memory/4500-2-0x0000000005100000-0x00000000056A6000-memory.dmp

      Filesize

      5.6MB

    • memory/4500-7-0x0000000074930000-0x00000000750E1000-memory.dmp

      Filesize

      7.7MB
