meduza | 0bc6bab2870e143444b50d5b7e3fed642d23c1ba9101422bc4dcff8bcbe589e3

General

Target

f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
Size

1.1MB
MD5

d61ac037c333f1bc288c1a96a4db7c21
SHA1

777228616a18b98103594276775188b5e138fa11
SHA256

f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896
SHA512

1aae796964099e22c3ebf8632ded9a451f01161ca6d837cd447524c58088ab05e0cfff6d297495e97b3b1a370b98b563937334f0306095b8c625641430288999
SSDEEP

24576:R06mH2AfjusEQ3MWTwGxXjbAnpiYQ7eVGKtFwVrJL/tXjuD/:RLmH2AfisEQ5XInpI74arx/tXj+/

Score

10^/10

meduza 1 discovery stealer

Malware Config

Extracted

Family

meduza

Botnet

1

C2

66.63.187.173

Attributes

anti_dbg
true
anti_vm
true
build_name
1
extensions
.txt; .doc; .xlsx
grabber_maximum_size
4194304
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 7 IoCs

resource	yara_rule
behavioral1/memory/2096-4-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/2096-7-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/1068-8-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/1068-9-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/2096-12-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/1068-11-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza
behavioral1/memory/2096-5-0x0000000000400000-0x0000000000526000-memory.dmp	family_meduza

Meduza family
meduza

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3932 set thread context of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 set thread context of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1892	3932	WerFault.exe	77

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2096	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
Token: SeImpersonatePrivilege	2096	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
Token: SeDebugPrivilege	1068	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
Token: SeImpersonatePrivilege	1068	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4940	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1028	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	79
PID 3932 wrote to memory of 1028	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	79
PID 3932 wrote to memory of 1028	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	79
PID 3932 wrote to memory of 1992	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	80
PID 3932 wrote to memory of 1992	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	80
PID 3932 wrote to memory of 1992	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	80
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 2096	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	81
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82
PID 3932 wrote to memory of 1068	3932	f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe	82

C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
"C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
  "C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe"
  2⤵
  PID:1028
- C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
  "C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe"
  2⤵
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
  "C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe
  "C:\Users\Admin\AppData\Local\Temp\f5946e9f0ab4dbbd8d8171e708607c98df283cb1a6145444ba6a5f86bb2b0896.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 456
  2⤵
  - Program crash
  PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3932 -ip 3932
1⤵
PID:4200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4812

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5104

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\bf527096-0efd-4365-bba5-64cdcbbdc1bc.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/1068-8-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1068-9-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1068-11-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2096-4-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2096-7-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2096-12-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2096-5-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3932-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/3932-1-0x00000000003A0000-0x00000000004CE000-memory.dmp

Filesize
1.2MB

Download
memory/3932-2-0x0000000005490000-0x0000000005A36000-memory.dmp

Filesize
5.6MB

Download
memory/3932-10-0x0000000075220000-0x00000000759D1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing