Windows Analysis Report
markiz.exe

Overview

General Information

Sample name: markiz.exe
Analysis ID: 1581172
MD5: bee040fc0caf73ee0cb2e55d4c703f22
SHA1: 6bf7f1fa9dcf930190cabfba9abde2e7faab486f
SHA256: 940d413dd95bc28d5c724d814f2cd1ecca005d2cb58ed28788d9c07d962d829b
Tags: exe, MeduzaStealer, user-lontze7

Detection

CredGrabber, Meduza Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CredGrabber
Yara detected Meduza Stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Mail credentials (via file / registry access)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number, etc.) of a device
Queries time zone information
Suricata IDS alerts with low severity for network traffic
Terminates after testing mutex exists (may check infected machine status)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: markiz.exe Malware Configuration Extractor: Meduza Stealer {"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "mrfree", "links": "", "port": 15666}
Source: markiz.exe ReversingLabs: Detection: 65%
Source: markiz.exe Virustotal: Detection: 80%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: markiz.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657467BA0 CryptUnprotectData,LocalFree, 0_2_00007FF657467BA0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657468440 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task, 0_2_00007FF657468440
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574683C0 BCryptCloseAlgorithmProvider,_invalid_parameter_noinfo_noreturn, 0_2_00007FF6574683C0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657468020 BCryptDecrypt,BCryptDecrypt,_invalid_parameter_noinfo_noreturn, 0_2_00007FF657468020
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657467EC0 CryptProtectData,LocalFree, 0_2_00007FF657467EC0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657427C20 CryptUnprotectData,LocalFree,_invalid_parameter_noinfo_noreturn, 0_2_00007FF657427C20
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657423A30 BCryptDestroyKey, 0_2_00007FF657423A30
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: markiz.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574AB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF6574AB5B0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574AB500 FindClose,FindFirstFileExW,GetLastError, 0_2_00007FF6574AB500
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574773F0 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn, 0_2_00007FF6574773F0
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\

Networking

Source: Network traffic Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.6:49707 -> 193.3.19.151:15666
Source: Network traffic Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.6:49707 -> 193.3.19.151:15666
Source: global traffic TCP traffic: 192.168.2.6:49707 -> 193.3.19.151:15666
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    Accept: text/html; text/plain; */*
    Host: api.ipify.org
    Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View IP Address: 193.3.19.151
Source: Joe Sandbox View ASN Name: ARNES-NET Academic and Research Network of Slovenia SI
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: api.ipify.org
Source: Network traffic Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.6:49707 -> 193.3.19.151:15666
Source: unknown TCP traffic detected without corresponding DNS query: 193.3.19.151 (50 identical entries)
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657475240 InternetOpenA,InternetOpenUrlA,HttpQueryInfoW,HttpQueryInfoW,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task, 0_2_00007FF657475240
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: markiz.exe, 00000000.00000003.2360887292.0000027B45C70000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2151933457.0000027B45C61000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2360985704.0000027B45C74000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2360913678.0000027B45C70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsoft.t/Regi
Source: markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153639176.0000027B45C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: markiz.exe, 00000000.00000003.2152488246.0000027B43E3B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000002.2361417714.0000027B43E20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: markiz.exe, 00000000.00000003.2152488246.0000027B43E3B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000002.2361417714.0000027B43E20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/b
Source: markiz.exe, 00000000.00000003.2161154860.0000027B46AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: markiz.exe, 00000000.00000003.2160516068.0000027B46AB0000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2161154860.0000027B46AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153639176.0000027B45C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153639176.0000027B45C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153639176.0000027B45C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: markiz.exe, 00000000.00000003.2161154860.0000027B46AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: markiz.exe, 00000000.00000003.2160516068.0000027B46AB0000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2161154860.0000027B46AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: markiz.exe, 00000000.00000003.2153418967.0000027B46982000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153560696.0000027B46983000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: markiz.exe, 00000000.00000003.2153418967.0000027B46982000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153560696.0000027B46983000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: markiz.exe, 00000000.00000003.2153418967.0000027B46982000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153560696.0000027B46983000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: markiz.exe, 00000000.00000003.2161154860.0000027B46AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: markiz.exe, 00000000.00000003.2160516068.0000027B46A2D000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2160516068.0000027B46A35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: markiz.exe, 00000000.00000003.2160410744.0000027B46AE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: markiz.exe, 00000000.00000003.2160410744.0000027B46AE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: markiz.exe, 00000000.00000003.2160516068.0000027B46AB0000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2161154860.0000027B46AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153639176.0000027B45C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: markiz.exe, 00000000.00000003.2153560696.0000027B4699B000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2153639176.0000027B45C24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: markiz.exe, 00000000.00000003.2158768878.0000027B46FC0000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2160410744.0000027B46AE1000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2157269577.0000027B45EB8000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2160516068.0000027B46A35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: markiz.exe, 00000000.00000003.2160516068.0000027B46A2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org#
Source: markiz.exe, 00000000.00000003.2160410744.0000027B46AE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: markiz.exe, 00000000.00000003.2160410744.0000027B46AE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: markiz.exe, 00000000.00000003.2160410744.0000027B46AE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: markiz.exe, 00000000.00000003.2161154860.0000027B46AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657475B70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject, 0_2_00007FF657475B70

System Summary

Source: markiz.exe, type: SAMPLE Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 0.0.markiz.exe.7ff6573f0000.0.unpack, type: UNPACKEDPE Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: 0.2.markiz.exe.7ff6573f0000.0.unpack, type: UNPACKEDPE Matched rule: Finds MeduzaStealer samples based on specific strings Author: Sekoia.io
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65747A430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_00007FF65747A430
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657479D30 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF657479D30
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657476860 0_2_00007FF657476860
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574776A0 0_2_00007FF6574776A0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574B0658 0_2_00007FF6574B0658
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65741F730 0_2_00007FF65741F730
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574AB5B0 0_2_00007FF6574AB5B0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742D570 0_2_00007FF65742D570
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742E610 0_2_00007FF65742E610
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65747C5CB 0_2_00007FF65747C5CB
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657420450 0_2_00007FF657420450
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657456350 0_2_00007FF657456350
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657475240 0_2_00007FF657475240
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657435310 0_2_00007FF657435310
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657478330 0_2_00007FF657478330
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65748918C 0_2_00007FF65748918C
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65745D080 0_2_00007FF65745D080
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574220B0 0_2_00007FF6574220B0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65747D050 0_2_00007FF65747D050
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657439F80 0_2_00007FF657439F80
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65746F020 0_2_00007FF65746F020
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657492E3C 0_2_00007FF657492E3C
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65741FE20 0_2_00007FF65741FE20
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742ECB0 0_2_00007FF65742ECB0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657422CA0 0_2_00007FF657422CA0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657421B90 0_2_00007FF657421B90
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657424B70 0_2_00007FF657424B70
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657475B70 0_2_00007FF657475B70
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657455970 0_2_00007FF657455970
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742CA10 0_2_00007FF65742CA10
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65748A924 0_2_00007FF65748A924
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574298CD 0_2_00007FF6574298CD
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65746C8E0 0_2_00007FF65746C8E0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65747A780 0_2_00007FF65747A780
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65744B780 0_2_00007FF65744B780
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65748579C 0_2_00007FF65748579C
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657452750 0_2_00007FF657452750
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65748F7E6 0_2_00007FF65748F7E6
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574936A8 0_2_00007FF6574936A8
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65748666C 0_2_00007FF65748666C
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657498674 0_2_00007FF657498674
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657444720 0_2_00007FF657444720
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574946E4 0_2_00007FF6574946E4
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657485598 0_2_00007FF657485598
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657476540 0_2_00007FF657476540
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6573F6610 0_2_00007FF6573F6610
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65744B480 0_2_00007FF65744B480
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65749A44F 0_2_00007FF65749A44F
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657416510 0_2_00007FF657416510
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657415520 0_2_00007FF657415520
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574914E4 0_2_00007FF6574914E4
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657485394 0_2_00007FF657485394
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574663A6 0_2_00007FF6574663A6
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65747A430 0_2_00007FF65747A430
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65746B420 0_2_00007FF65746B420
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65744C420 0_2_00007FF65744C420
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574183D0 0_2_00007FF6574183D0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65749A3C8 0_2_00007FF65749A3C8
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574602C0 0_2_00007FF6574602C0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65746E2F0 0_2_00007FF65746E2F0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6573F6180 0_2_00007FF6573F6180
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657483150 0_2_00007FF657483150
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657486164 0_2_00007FF657486164
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657481220 0_2_00007FF657481220
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574971D8 0_2_00007FF6574971D8
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65749C128 0_2_00007FF65749C128
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574930B8 0_2_00007FF6574930B8
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6573F70E0 0_2_00007FF6573F70E0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65744C0F0 0_2_00007FF65744C0F0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65748F0D8 0_2_00007FF65748F0D8
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742BF40 0_2_00007FF65742BF40
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574AFFBC 0_2_00007FF6574AFFBC
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657470E90 0_2_00007FF657470E90
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657420E80 0_2_00007FF657420E80
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657427E70 0_2_00007FF657427E70
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657465EF0 0_2_00007FF657465EF0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6573F5DB0 0_2_00007FF6573F5DB0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657488D50 0_2_00007FF657488D50
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657464D40 0_2_00007FF657464D40
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742ADD0 0_2_00007FF65742ADD0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65744BDD0 0_2_00007FF65744BDD0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657480D14 0_2_00007FF657480D14
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657447CEB 0_2_00007FF657447CEB
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65749BB90 0_2_00007FF65749BB90
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657420A80 0_2_00007FF657420A80
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65744BAB0 0_2_00007FF65744BAB0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657465AB0 0_2_00007FF657465AB0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657496A68 0_2_00007FF657496A68
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657468B00 0_2_00007FF657468B00
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657450AC0 0_2_00007FF657450AC0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657441AF0 0_2_00007FF657441AF0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657423A30 0_2_00007FF657423A30
Source: C:\Users\user\Desktop\markiz.exe Code function: String function: 00007FF65741BA80 appears 32 times
Source: C:\Users\user\Desktop\markiz.exe Code function: String function: 00007FF6574386B0 appears 54 times
Source: C:\Users\user\Desktop\markiz.exe Code function: String function: 00007FF657488254 appears 34 times
Source: C:\Users\user\Desktop\markiz.exe Code function: String function: 00007FF657426940 appears 41 times
Source: C:\Users\user\Desktop\markiz.exe Code function: String function: 00007FF65741E1D0 appears 33 times
Source: markiz.exe, type: SAMPLE Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 0.0.markiz.exe.7ff6573f0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: 0.2.markiz.exe.7ff6573f0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_meduzastealer author = Sekoia.io, description = Finds MeduzaStealer samples based on specific strings, creation_date = 2023-06-20, classification = TLP:CLEAR, version = 1.0, id = 1276f485-aa5d-491b-89d8-77f98dc496e1
Source: classification engine Classification label: mal100.troj.spyw.winEXE@1/0@1/2
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65747B9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle, 0_2_00007FF65747B9B0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742E610 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF65742E610
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657464EAC CoCreateInstance, 0_2_00007FF657464EAC
Source: C:\Users\user\Desktop\markiz.exe Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E69638C5AE7D1
Source: markiz.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\markiz.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: markiz.exe, 00000000.00000003.2156723408.0000027B46AC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: markiz.exe ReversingLabs: Detection: 65%
Source: markiz.exe Virustotal: Detection: 80%
Source: C:\Users\user\Desktop\markiz.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\markiz.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\markiz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\markiz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: markiz.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: markiz.exe Static file information: File size 1292800 > 1048576
Source: markiz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: markiz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: markiz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: markiz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: markiz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: markiz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: markiz.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: markiz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: markiz.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: markiz.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: markiz.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: markiz.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: markiz.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF65742D570
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65743CAB2 push rdi; retf 0004h 0_2_00007FF65743CAB5
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65746C600 ExitProcess,OpenMutexA,ExitProcess,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF65746C600
Source: C:\Users\user\Desktop\markiz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\markiz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\markiz.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574AB5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle, 0_2_00007FF6574AB5B0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574AB500 FindClose,FindFirstFileExW,GetLastError, 0_2_00007FF6574AB500
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574773F0 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn, 0_2_00007FF6574773F0
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657489038 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 0_2_00007FF657489038
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\migration\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\replacementmanifests\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\migration\wtr\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\
Source: C:\Users\user\Desktop\markiz.exe File opened: D:\sources\replacementmanifests\hwvid-migration-2\
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: markiz.exe, 00000000.00000003.2152488246.0000027B43E58000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000002.2361417714.0000027B43E58000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000002.2361417714.0000027B43DDD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: markiz.exe, 00000000.00000002.2361611375.0000027B43E8E000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000003.2170835833.0000027B43E8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft-hyper-v-drivers-migration-replacement.mananP|
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: markiz.exe, 00000000.00000003.2152488246.0000027B43E58000.00000004.00000020.00020000.00000000.sdmp, markiz.exe, 00000000.00000002.2361417714.0000027B43E58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB
Source: markiz.exe, 00000000.00000003.2155028613.0000027B46A7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\markiz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\markiz.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65747A430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize, 0_2_00007FF65747A430
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574AD804 GetLastError,IsDebuggerPresent,OutputDebugStringW, 0_2_00007FF6574AD804
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65742D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF65742D570
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657499EEC GetProcessHeap, 0_2_00007FF657499EEC
Source: C:\Users\user\Desktop\markiz.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657487F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF657487F68
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65749EC08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF65749EC08
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65746B420 ShellExecuteW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF65746B420
Source: C:\Users\user\Desktop\markiz.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF65749964C
Source: C:\Users\user\Desktop\markiz.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF657499468
Source: C:\Users\user\Desktop\markiz.exe Code function: GetLocaleInfoW, 0_2_00007FF657499518
Source: C:\Users\user\Desktop\markiz.exe Code function: GetLocaleInfoW, 0_2_00007FF657499310
Source: C:\Users\user\Desktop\markiz.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FF6574AB170
Source: C:\Users\user\Desktop\markiz.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF6574990C8
Source: C:\Users\user\Desktop\markiz.exe Code function: EnumSystemLocalesW, 0_2_00007FF657498F60
Source: C:\Users\user\Desktop\markiz.exe Code function: EnumSystemLocalesW, 0_2_00007FF657499030
Source: C:\Users\user\Desktop\markiz.exe Code function: GetLocaleInfoW, 0_2_00007FF65748E020
Source: C:\Users\user\Desktop\markiz.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF657498C04
Source: C:\Users\user\Desktop\markiz.exe Code function: EnumSystemLocalesW, 0_2_00007FF65748DAE0
Source: C:\Users\user\Desktop\markiz.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\markiz.exe Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF65749F908 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF65749F908
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF657476150 GetUserNameW, 0_2_00007FF657476150
Source: C:\Users\user\Desktop\markiz.exe Code function: 0_2_00007FF6574776A0 GetTimeZoneInformation, 0_2_00007FF6574776A0

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: markiz.exe PID: 3688, type: MEMORYSTR
Source: Yara match File source: markiz.exe, type: SAMPLE
Source: Yara match File source: 0.0.markiz.exe.7ff6573f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.markiz.exe.7ff6573f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: markiz.exe PID: 3688, type: MEMORYSTR
Source: markiz.exe, 00000000.00000002.2361417714.0000027B43DBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum\wallets
Source: markiz.exe, 00000000.00000002.2361417714.0000027B43DBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ElectronCash\wallets
Source: markiz.exe, 00000000.00000003.2177803521.0000027B48AAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "software": "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",
Source: markiz.exe, 00000000.00000002.2361417714.0000027B43DBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: markiz.exe, 00000000.00000002.2361417714.0000027B43DBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum\keystore
Source: C:\Users\user\Desktop\markiz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\markiz.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\markiz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: Process Memory Space: markiz.exe PID: 3688, type: MEMORYSTR
Source: Yara match File source: markiz.exe, type: SAMPLE
Source: Yara match File source: 0.0.markiz.exe.7ff6573f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.markiz.exe.7ff6573f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: markiz.exe PID: 3688, type: MEMORYSTR