meduza | 62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1

Resubmissions

26-06-2024 00:44

240626-a3kxgswgmn 10

24-06-2024 05:24

240624-f35vjsyblg 10

Analysis

max time kernel
231s
max time network
311s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe
Size

1.4MB
MD5

d357d6c05936c8eb6dd5bea8ac7c251e
SHA1

34680347e1bd884e50c279ef18a861a2067b7482
SHA256

62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1
SHA512

4d90f5e274f66dc223c7d55ab2997fb217861fe4b8a683c03d3f46b767dfb4c3463cb9a62aeacef6527d3ea7f1699a5952659415eff4d7f3bdac48c0d3b2ef6c
SSDEEP

24576:tfPEX8SkcR5uPze7dH1ZkivEdLeC+fJCHLQo3u5aUC6/wA4oAH:hPEX8StRX1ZkGpCqd5a76oA

Score

10^/10

meduza collection spyware stealer

Malware Config

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza
Meduza Stealer payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/5020-0-0x00000132FDE30000-0x00000132FDF18000-memory.dmp family_meduza

resource	yara_rule
behavioral2/memory/5020-0-0x00000132FDE30000-0x00000132FDF18000-memory.dmp	family_meduza

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

pid process

5020 62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe
5020 62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

pid	process
5020	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe
5020	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

outlook_office_path 1 IoCs

Processes:

62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

outlook_win_path 1 IoCs

Processes:

62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe

C:\Users\Admin\AppData\Local\Temp\62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe
"C:\Users\Admin\AppData\Local\Temp\62460105edf1636fd9605894deba01a417fcd8558c9a43ceefbf9fdda536a9c1.exe"
1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5020-0-0x00000132FDE30000-0x00000132FDF18000-memory.dmp

Filesize
928KB

Download