Analysis

- max time kernel: 15s
- max time network: 17s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/10/2024, 08:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: Loader.exe
- Resource: win10v2004-20240802-en
General

- Target: Loader.exe
- Size: 1.7MB
- MD5: 37dc3bc48de9937c96b41c9ae8478b55
- SHA1: 9ee6ce5d510afb62df12081c86aba3d3357b51de
- SHA256: b5ad3a524b78e657bb6aad58e09658870f8e8ceefb479a363a7304f3dfd5bbb1
- SHA512: f60905d2d442f9cec6766a7934723057c534051b1ba807feef4f592cb69b5c1a805f4e8625d03200fd923a99a75f7a3c8195f6ff2a414d6efbf75df39b6c3aa5
- SSDEEP: 49152:ybo95a6iGYTFJqLLXi6hkwsPCF+2t0GY3HNv2x:SAHLsPW+qg3HNv2x
Malware Config

Extracted
- Family: meduza
- C2: 109.107.181.162
Signatures

Meduza Stealer payload (5 IoCs)
yara rule family_meduza matched on these memory dumps (resource):
- behavioral1/memory/1404-4-0x0000000140000000-0x000000014013B000-memory.dmp
- behavioral1/memory/1404-6-0x0000000140000000-0x000000014013B000-memory.dmp
- behavioral1/memory/1404-7-0x0000000140000000-0x000000014013B000-memory.dmp
- behavioral1/memory/1404-10-0x0000000140000000-0x000000014013B000-memory.dmp
- behavioral1/memory/1404-19-0x0000000140000000-0x000000014013B000-memory.dmp
All five dumps cover the same region of PID 1404 (the second Loader.exe instance). 0x140000000 is the default linker image base for x64 executables, so this is the unpacked payload image mapped at its preferred base inside the child process.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried by Loader.exe: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
- PID 1404 Loader.exe

Loads dropped DLL (1 IoC)
- PID 3960 Loader.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses Microsoft Outlook profiles (1 TTP, 5 IoCs)
Keys opened by Loader.exe (one per Office generation, plus the legacy MAPI profile store):
- \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate installed software.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 4: api.ipify.org
- flow 5: api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
- PID 3960 (Loader.exe) set thread context of PID 1404 (procid_target 82)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PID 2528 cmd.exe
- PID 1728 PING.EXE

NTFS ADS (1 IoC)
- File opened for modification by Loader.exe: C:\Users\Admin\AppData\Local\Temp\Loader.exe:a.dll
The loader writes a stream named a.dll onto its own image file. An alternate data stream does not appear in a plain directory listing of %TEMP%, which is consistent with the "Loads dropped DLL" hit on the same PID (3960) without any separate DLL file being dropped.

Runs ping.exe (1 TTP, 1 IoC)
- PID 1728 PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1404 Loader.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token SeDebugPrivilege: PID 1404 Loader.exe
- Token SeImpersonatePrivilege: PID 1404 Loader.exe

Suspicious use of WriteProcessMemory (19 IoCs)
- PID 3960 (Loader.exe) wrote to memory of PID 1404 (procid_target 82): 15 hits
- PID 1404 (Loader.exe) wrote to memory of PID 2528 (procid_target 85): 2 hits
- PID 2528 (cmd.exe) wrote to memory of PID 1728 (procid_target 87): 2 hits
The two writes per ordinary parent/child pair (Loader.exe into cmd.exe, cmd.exe into PING.EXE) are what process creation itself produces and are not evidence of injection. The fifteen writes from 3960 into 1404, combined with the SetThreadContext call on the same target and the family_meduza match on 1404's memory at the x64 image base, are the hollowing (RunPE) of a second Loader.exe instance with the unpacked Meduza payload.
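The correlation described above, as an added Python example that is not part of the Triage report or of the sample: it parses event rows in the shape of the SetThreadContext and WriteProcessMemory entries and emits a hollowing finding only for a target that received both a SetThreadContext call and a burst of writes. The event strings and the process tree are reconstructed from the rows on this page (repeated rows collapsed by list multiplication); the min_writes threshold is this example's own assumption, not a sandbox setting.

```python
"""Correlate sandbox injection rows into a process-hollowing finding."""
import re
from collections import defaultdict

# Constructed input: the report's SetThreadContext and WriteProcessMemory rows,
# one event per line (the repeated rows are collapsed with list multiplication).
INJECTION_EVENTS = (
    ["PID 3960 set thread context of 1404 3960 Loader.exe 82"]
    + ["PID 3960 wrote to memory of 1404 3960 Loader.exe 82"] * 15
    + ["PID 1404 wrote to memory of 2528 1404 Loader.exe 85"] * 2
    + ["PID 2528 wrote to memory of 1728 2528 cmd.exe 87"] * 2
)

# Constructed from the process tree on this page: pid -> (image, parent pid)
PROCESS_TREE = {
    3960: ("Loader.exe", None),
    1404: ("Loader.exe", 3960),
    2528: ("cmd.exe", 1404),
    1728: ("PING.EXE", 2528),
}

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+)\b"
)


def parse_events(lines):
    """Group rows by (source pid, target pid): count writes, note SetThreadContext."""
    pairs = defaultdict(lambda: {"writes": 0, "set_thread_context": False})
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an injection row
        key = (int(m["src"]), int(m["dst"]))
        if m["action"].startswith("wrote"):
            pairs[key]["writes"] += 1
        else:
            pairs[key]["set_thread_context"] = True
    return dict(pairs)


def find_hollowing(lines, tree, min_writes=3):
    """Return the (source, target) pairs that look like process hollowing.

    A parent writing into a child it just created is routine (the two writes
    for cmd.exe -> PING.EXE are what process creation produces), so the
    discriminator is SetThreadContext on the same target plus enough writes to
    carry a PE image rather than a single startup block. min_writes is an
    assumption chosen for this example.
    """
    findings = []
    for (src, dst), info in parse_events(lines).items():
        if not info["set_thread_context"] or info["writes"] < min_writes:
            continue
        src_image, _ = tree.get(src, ("?", None))
        dst_image, dst_parent = tree.get(dst, ("?", None))
        findings.append({
            "source": src,
            "target": dst,
            "writes": info["writes"],
            "target_is_child": dst_parent == src,
            "same_image": src_image == dst_image,  # self-reinjection, as here
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(INJECTION_EVENTS, PROCESS_TREE):
        print(finding)
```

Run against the rows above this yields a single finding, 3960 into 1404 with 15 writes, target_is_child and same_image both true; the Loader.exe-to-cmd.exe and cmd.exe-to-PING.EXE pairs are parsed but never reported.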
outlook_office_path (1 IoC)
- Key opened by Loader.exe: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

outlook_win_path (1 IoC)
- Key opened by Loader.exe: \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
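The registry IoCs in the geofence and Outlook-profile signatures above are bound to one sandbox user's SID, so they cannot be used verbatim as detection content. The following added Python example (not from the report or the sample) rewrites them to HKCU paths and labels each the way the signatures do; the Office major-version-to-generation mapping is the standard one, while the category names and the input list are this example's own.

```python
"""Normalize the SID-bound registry IoCs above into portable detection keys."""
import re

# \REGISTRY\USER\<user SID>\... is the kernel's name for the logged-on user's
# HKCU hive; EDR and Sigma rules are written against the HKCU\ form instead.
SID_PREFIX_RE = re.compile(
    r"^\\REGISTRY\\USER\\(?P<sid>S-1-5-21(?:-\d+){4})\\", re.IGNORECASE
)
OFFICE_PROFILE_RE = re.compile(
    r"^HKCU\\SOFTWARE\\Microsoft\\Office\\(?P<major>\d+)\.0\\Outlook\\Profiles\\",
    re.IGNORECASE,
)
WMS_PROFILE_PREFIX = (
    "HKCU\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    "Windows Messaging Subsystem\\Profiles\\"
)
GEO_NATION = "HKCU\\Control Panel\\International\\Geo\\Nation"

# Office major version -> product generation (standard mapping)
OFFICE_GENERATION = {
    "12": "Office 2007", "14": "Office 2010",
    "15": "Office 2013", "16": "Office 2016 and later",
}


def normalize_key(key):
    """Return (HKCU-relative key, SID) for a \\REGISTRY\\USER\\<SID>\\ path."""
    m = SID_PREFIX_RE.match(key)
    if not m:
        return key, None  # already portable, or a different hive
    return "HKCU\\" + key[m.end():], m["sid"]


def classify_key(key):
    """Label a key as geofence, outlook_profile or other (names chosen here)."""
    norm, sid = normalize_key(key)
    if norm.casefold() == GEO_NATION.casefold():
        return {"key": norm, "sid": sid, "category": "geofence",
                "detail": "GeoID lookup"}
    m = OFFICE_PROFILE_RE.match(norm)
    if m:
        gen = OFFICE_GENERATION.get(m["major"], "Office " + m["major"] + ".0")
        return {"key": norm, "sid": sid, "category": "outlook_profile",
                "detail": gen}
    if norm.casefold().startswith(WMS_PROFILE_PREFIX.casefold()):
        return {"key": norm, "sid": sid, "category": "outlook_profile",
                "detail": "legacy MAPI profile store (Outlook 2010 and earlier)"}
    return {"key": norm, "sid": sid, "category": "other", "detail": None}


# Input: the keys from the signatures above, copied verbatim.
SID = "S-1-5-21-1194130065-3471212556-1656947724-1000"
PROFILE_GUID = "9375CFF0413111d3B88A00104B2A6676"
REPORT_KEYS = [
    "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation",
] + [
    "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Office\\" + v
    + ".0\\Outlook\\Profiles\\Outlook\\" + PROFILE_GUID
    for v in ("12", "14", "15", "16")
] + [
    "\\REGISTRY\\USER\\" + SID + "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    "\\Windows Messaging Subsystem\\Profiles\\Outlook\\" + PROFILE_GUID,
]

if __name__ == "__main__":
    for k in REPORT_KEYS:
        r = classify_key(k)
        print(r["category"], r["detail"], r["key"], sep="  ")
```

The output shows the stealer probing every Outlook profile location from Office 2007 through current builds plus the pre-2013 MAPI store, which is the detail worth carrying into a hunt query rather than the sandbox SID.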
Processes

- C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 3960, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 1404, depth 2, child of 3960)
    command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\System32\cmd.exe (PID 2528, depth 3, child of 1404)
      command line: "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE (PID 1728, depth 4, child of 2528)
        command line: ping 1.1.1.1 -n 1 -w 3000
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

The cmd.exe child is the payload's self-removal. A single ping to 1.1.1.1 (reply timeout 3000 ms) stands in for a sleep so that the Loader.exe process that spawned cmd.exe has exited, since Windows will not delete a running image; Del /f /q then removes the loader from %TEMP%. The "Internet Connection Discovery" tags on this chain are most likely a side effect of that delay trick rather than a dedicated connectivity check.
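A detector for the delay-then-delete chain above, as an added Python example that is not part of the report or of the sample. The first sample line is the cmd.exe command line from the process tree; the timeout form in the pattern and the other two sample lines are constructed assumptions added here to show the general shape, not behaviour this sample exhibited.

```python
"""Detect the ping-then-del self-removal command line from the process tree."""
import re

# Matches "<delay> > nul & del [/flags] <path>" as cmd.exe runs it. The ping
# branch is what the report shows; the timeout branch is an assumption added
# here because it is a common substitute, not something this sample used.
SELF_DELETE_RE = re.compile(
    r"""
    (?:ping\s+(?P<ping_host>\S+)\s+-n\s+(?P<count>\d+)(?:\s+-w\s+(?P<wait_ms>\d+))?
       |timeout\s+(?:/t\s+)?(?P<timeout_s>\d+)(?:\s+/nobreak)?)
    \s*>\s*nul\s*&+\s*
    del\s+(?P<flags>(?:/[a-z]\s+)*)"?(?P<path>[^"&]+?)"?\s*$
    """,
    re.IGNORECASE | re.VERBOSE,
)


def detect_self_delete(cmdline, parent_image=None):
    """Return details of a delay-then-delete command line, or None.

    parent_image is the full image path of the process that spawned this
    cmd.exe. When the deleted path equals it the chain is self-deletion: a
    process cannot unlink its own running image, so it hands the job to
    cmd.exe and delays until it has exited.
    """
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return None
    target = m["path"].strip()
    return {
        "delay": "ping" if m["ping_host"] else "timeout",
        "ping_host": m["ping_host"],
        "wait_ms": int(m["wait_ms"]) if m["wait_ms"] else None,
        "flags": m["flags"].split(),
        "target": target,
        "deletes_parent": parent_image is not None
        and target.casefold() == parent_image.casefold(),
    }


# Constructed samples as (command line, parent image). The first is the cmd.exe
# line from the process tree above; the other two are made up for contrast.
SAMPLES = [
    (r'"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Loader.exe"',
     r"C:\Users\Admin\AppData\Local\Temp\Loader.exe"),
    (r'cmd.exe /c timeout /t 5 > nul && del /q "C:\Temp\dropper.tmp"',
     r"C:\Users\Admin\AppData\Local\Temp\Loader.exe"),
    (r"cmd.exe /c ping 8.8.8.8 -n 4 > nul", None),
]

if __name__ == "__main__":
    for cmdline, parent in SAMPLES:
        print(detect_self_delete(cmdline, parent))
```

Only the first sample is flagged as deleting its parent; the second matches the pattern but targets another file, and the third, a bare connectivity ping with no del, does not match at all, which is the distinction the "Internet Connection Discovery" tag on its own cannot make.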
Network
MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads

- Filesize: 1.7MB (the submitted Loader.exe; hashes match the General section)
  - MD5: 37dc3bc48de9937c96b41c9ae8478b55
  - SHA1: 9ee6ce5d510afb62df12081c86aba3d3357b51de
  - SHA256: b5ad3a524b78e657bb6aad58e09658870f8e8ceefb479a363a7304f3dfd5bbb1
  - SHA512: f60905d2d442f9cec6766a7934723057c534051b1ba807feef4f592cb69b5c1a805f4e8625d03200fd923a99a75f7a3c8195f6ff2a414d6efbf75df39b6c3aa5
- Filesize: 1.4MB
  - MD5: 41adf8dcaf9d1fa61dddefb1bdb39c36
  - SHA1: daf0bedc0ca370993034e30c457deccfef556307
  - SHA256: 8567b9513b67add151dfebb1b187d65248d2bd9bb9541c189808fc41198d47d2
  - SHA512: ad7ac052b0fd6db9cea21aa7dad680bd092f58cde6bd98dad35d5a2e77a271a357395b1eadeeaa0afaeaebe0b946d52fd6ee1bdbef824311609e957ffd98d8a2