Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
95s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09/10/2024, 06:27 UTC
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
Resource
win10v2004-20241007-en
General
-
Target
SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
-
Size
1.2MB
-
MD5
b810c0566c7fbe0ae01d0249ee370511
-
SHA1
62fdcd9f72e9e696591b6714106601fcc632fcf3
-
SHA256
902570dba745d5db1e9ee117417c55df330fdbc2222e8c983113281dc53ff5f8
-
SHA512
50dbc1a4ded5f8213b44291accdf72f360e35c9e8dbe3f3ba766ebec34ba0f5a4cfbff6897681a5a7544d2fdcebec9b06b6333cdb8f6c140d518d4a746630ea8
-
SSDEEP
24576:rXs21Ahkdt1yx2h0lhSMXlcN93PwtQsqmhVyfBFd6Hxg3NttV6pf1r:rJ1BdtUJm3PwtYJuHKdzwpNr
Malware Config
Extracted
meduza
176.124.204.206
-
anti_dbg
true
-
anti_vm
true
-
build_name
bratannew
-
extensions
.txt
-
grabber_max_size
1.048576e+06
-
port
15666
-
self_destruct
false
Signatures
-
Meduza Stealer payload 2 IoCs
resource yara_rule behavioral2/memory/1620-1-0x000001BE84BA0000-0x000001BE84CE3000-memory.dmp family_meduza behavioral2/memory/1620-10-0x000001BE84BA0000-0x000001BE84CE3000-memory.dmp family_meduza -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.ipify.org 3 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1620 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe 1620 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe 1620 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe 1620 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1620 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe Token: SeImpersonatePrivilege 1620 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.11198.18925.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1620
Network
-
Remote address:8.8.8.8:53Requestapi.ipify.orgIN AResponseapi.ipify.orgIN A172.67.74.152api.ipify.orgIN A104.26.12.205api.ipify.orgIN A104.26.13.205
-
Remote address:172.67.74.152:443RequestGET / HTTP/1.1
Accept: text/html; text/plain; */*
Host: api.ipify.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 13
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8cfc4eceabf1653c-LHR
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.187.195
-
Remote address:8.8.8.8:53Request206.204.124.176.in-addr.arpaIN PTRResponse206.204.124.176.in-addr.arpaIN PTRHellsingaezanetwork
-
Remote address:8.8.8.8:53Request152.74.67.172.in-addr.arpaIN PTRResponse
-
Remote address:142.250.187.195:80RequestGET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 09 Oct 2024 05:53:38 GMT
Expires: Wed, 09 Oct 2024 06:43:38 GMT
Cache-Control: public, max-age=3000
Age: 2059
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:142.250.187.195:80RequestGET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 09 Oct 2024 05:53:45 GMT
Expires: Wed, 09 Oct 2024 06:43:45 GMT
Cache-Control: public, max-age=3000
Age: 2052
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Requestg.bing.comIN AResponseg.bing.comIN CNAMEg-bing-com.ax-0001.ax-msedge.netg-bing-com.ax-0001.ax-msedge.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=204CED7C7F7367D62C89F86F7E4266E6; domain=.bing.com; expires=Mon, 03-Nov-2025 06:27:58 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AB2298E216094438B7E71A2578BB22D2 Ref B: LON601060102060 Ref C: 2024-10-09T06:27:58Z
date: Wed, 09 Oct 2024 06:27:57 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=204CED7C7F7367D62C89F86F7E4266E6
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=fm0P5DODF4xWqgyAxP2EgLLWLBdO3TrtodwAA7OoxhU; domain=.bing.com; expires=Mon, 03-Nov-2025 06:27:58 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 71C7FA0F331544C6BDD5D6448B42A430 Ref B: LON601060102060 Ref C: 2024-10-09T06:27:58Z
date: Wed, 09 Oct 2024 06:27:57 GMT
-
GEThttps://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=Remote address:150.171.28.10:443RequestGET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=204CED7C7F7367D62C89F86F7E4266E6; MSPTC=fm0P5DODF4xWqgyAxP2EgLLWLBdO3TrtodwAA7OoxhU
ResponseHTTP/2.0 204
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 5DA30D231D1344D2AF92A524A865305B Ref B: LON601060102060 Ref C: 2024-10-09T06:27:58Z
date: Wed, 09 Oct 2024 06:27:57 GMT
-
Remote address:8.8.8.8:53Request195.187.250.142.in-addr.arpaIN PTRResponse195.187.250.142.in-addr.arpaIN PTRlhr25s33-in-f31e100net
-
Remote address:8.8.8.8:53Request23.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request10.28.171.150.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request26.35.223.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
15.3MB 161.0kB 11441 3634
-
896 B 3.9kB 11 8
HTTP Request
GET https://api.ipify.org/HTTP Response
200 -
556 B 3.8kB 7 5
HTTP Request
GET http://c.pki.goog/r/gsr1.crlHTTP Response
200HTTP Request
GET http://c.pki.goog/r/r4.crlHTTP Response
200 -
150.171.28.10:443https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=tls, http22.0kB 9.3kB 22 18
HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=HTTP Response
204HTTP Request
GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=eb54a13ec48a4c488c7f5b5da1227016&localId=w:54ECD007-E294-A159-E37D-CA55023ED6B0&deviceId=6966572651497155&anid=HTTP Response
204
-
59 B 107 B 1 1
DNS Request
api.ipify.org
DNS Response
172.67.74.152104.26.12.205104.26.13.205
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.187.195
-
74 B 109 B 1 1
DNS Request
206.204.124.176.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
152.74.67.172.in-addr.arpa
-
56 B 148 B 1 1
DNS Request
g.bing.com
DNS Response
150.171.28.10150.171.27.10
-
74 B 112 B 1 1
DNS Request
195.187.250.142.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
23.159.190.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
10.28.171.150.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
26.35.223.20.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa