Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    95s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2024, 06:27 UTC

General

  • Target

    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe

  • Size

    1.2MB

  • MD5

    b810c0566c7fbe0ae01d0249ee370511

  • SHA1

    62fdcd9f72e9e696591b6714106601fcc632fcf3

  • SHA256

    902570dba745d5db1e9ee117417c55df330fdbc2222e8c983113281dc53ff5f8

  • SHA512

    50dbc1a4ded5f8213b44291accdf72f360e35c9e8dbe3f3ba766ebec34ba0f5a4cfbff6897681a5a7544d2fdcebec9b06b6333cdb8f6c140d518d4a746630ea8

  • SSDEEP

    24576:rXs21Ahkdt1yx2h0lhSMXlcN93PwtQsqmhVyfBFd6Hxg3NttV6pf1r:rJ1BdtUJm3PwtYJuHKdzwpNr

Malware Config

Extracted

Family

meduza

C2

176.124.204.206

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    bratannew

  • extensions

    .txt

  • grabber_max_size

    1.048576e+06

  • port

    15666

  • self_destruct

    false

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe"
    1⤵
    • Checks computer location settings
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:1620

Network

  • flag-us
    DNS
    api.ipify.org
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.12.205
    api.ipify.org
    IN A
    104.26.13.205
  • flag-us
    GET
    https://api.ipify.org/
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    Remote address:
    172.67.74.152:443
    Request
    GET / HTTP/1.1
    Accept: text/html; text/plain; */*
    Host: api.ipify.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Oct 2024 06:27:57 GMT
    Content-Type: text/plain
    Content-Length: 13
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8cfc4eceabf1653c-LHR
  • flag-us
    DNS
    c.pki.goog
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.187.195
  • flag-us
    DNS
    206.204.124.176.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.204.124.176.in-addr.arpa
    IN PTR
    Response
    206.204.124.176.in-addr.arpa
    IN PTR
    Hellsingaezanetwork
  • flag-us
    DNS
    152.74.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    152.74.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-gb
    GET
    http://c.pki.goog/r/gsr1.crl
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    Remote address:
    142.250.187.195:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 09 Oct 2024 05:53:38 GMT
    Expires: Wed, 09 Oct 2024 06:43:38 GMT
    Cache-Control: public, max-age=3000
    Age: 2059
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-gb
    GET
    http://c.pki.goog/r/r4.crl
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    Remote address:
    142.250.187.195:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Wed, 09 Oct 2024 05:53:45 GMT
    Expires: Wed, 09 Oct 2024 06:43:45 GMT
    Cache-Control: public, max-age=3000
    Age: 2052
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=204CED7C7F7367D62C89F86F7E4266E6; domain=.bing.com; expires=Mon, 03-Nov-2025 06:27:58 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: AB2298E216094438B7E71A2578BB22D2 Ref B: LON601060102060 Ref C: 2024-10-09T06:27:58Z
    date: Wed, 09 Oct 2024 06:27:57 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=204CED7C7F7367D62C89F86F7E4266E6
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=fm0P5DODF4xWqgyAxP2EgLLWLBdO3TrtodwAA7OoxhU; domain=.bing.com; expires=Mon, 03-Nov-2025 06:27:58 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 71C7FA0F331544C6BDD5D6448B42A430 Ref B: LON601060102060 Ref C: 2024-10-09T06:27:58Z
    date: Wed, 09 Oct 2024 06:27:57 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=204CED7C7F7367D62C89F86F7E4266E6; MSPTC=fm0P5DODF4xWqgyAxP2EgLLWLBdO3TrtodwAA7OoxhU
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 5DA30D231D1344D2AF92A524A865305B Ref B: LON601060102060 Ref C: 2024-10-09T06:27:58Z
    date: Wed, 09 Oct 2024 06:27:57 GMT
  • flag-us
    DNS
    195.187.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    195.187.250.142.in-addr.arpa
    IN PTR
    Response
    195.187.250.142.in-addr.arpa
    IN PTR
    lhr25s33-in-f31e100net
  • flag-us
    DNS
    23.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • 176.124.204.206:15666
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    15.3MB
    161.0kB
    11441
    3634
  • 172.67.74.152:443
    https://api.ipify.org/
    tls, http
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    896 B
    3.9kB
    11
    8

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 142.250.187.195:80
    http://c.pki.goog/r/r4.crl
    http
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    556 B
    3.8kB
    7
    5

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=

    HTTP Response

    204
  • 8.8.8.8:53
    api.ipify.org
    dns
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    172.67.74.152
    104.26.12.205
    104.26.13.205

  • 8.8.8.8:53
    c.pki.goog
    dns
    SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.187.195

  • 8.8.8.8:53
    206.204.124.176.in-addr.arpa
    dns
    74 B
    109 B
    1
    1

    DNS Request

    206.204.124.176.in-addr.arpa

  • 8.8.8.8:53
    152.74.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    152.74.67.172.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    195.187.250.142.in-addr.arpa
    dns
    74 B
    112 B
    1
    1

    DNS Request

    195.187.250.142.in-addr.arpa

  • 8.8.8.8:53
    23.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1620-0-0x00007FFC7BDB0000-0x00007FFC7BFA5000-memory.dmp

    Filesize

    2.0MB

  • memory/1620-1-0x000001BE84BA0000-0x000001BE84CE3000-memory.dmp

    Filesize

    1.3MB

  • memory/1620-10-0x000001BE84BA0000-0x000001BE84CE3000-memory.dmp

    Filesize

    1.3MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.