Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-11-2024 09:21
Static task
static1
Behavioral task
behavioral1
Sample
b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe
Resource
win10v2004-20241007-en
General
-
Target
b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe
-
Size
2.5MB
-
MD5
ff7dd1a36b5d47acfe5126686798360f
-
SHA1
0ac92e3abf73fa6cd956d0ebb49ac99bf6f52cb6
-
SHA256
b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e
-
SHA512
717d943460d56fe59303f781a94ac6e8e7b30c4efd85d167e77e52cf21d03390d424969f1a56d6ba876289665f4e7f230b95abaed667d57c2a99aaf7ae73d7ae
-
SSDEEP
24576:xf2KQ7MvYPh0lhSMXlo0w2LzdgVJURfmtpvcHh:tpHvZ4t46zt
Malware Config
Extracted
meduza
45.130.145.152
-
anti_dbg
true
-
anti_vm
true
-
build_name
Work
-
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
-
grabber_max_size
4.194304e+06
-
port
15666
-
self_destruct
false
Signatures
-
Meduza Stealer payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2308-0-0x0000000001BA0000-0x0000000001CDE000-memory.dmp family_meduza behavioral1/memory/2308-1-0x0000000001BA0000-0x0000000001CDE000-memory.dmp family_meduza -
Meduza family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exedescription pid Process Token: SeDebugPrivilege 2308 b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe Token: SeImpersonatePrivilege 2308 b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exedescription pid Process procid_target PID 2308 wrote to memory of 2088 2308 b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe 31 PID 2308 wrote to memory of 2088 2308 b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe 31 PID 2308 wrote to memory of 2088 2308 b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe"C:\Users\Admin\AppData\Local\Temp\b8fd01f55852c69dec12d284b550e27cf9e577fff4a70a5d47181e7e304e7f7e.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2308 -s 6202⤵PID:2088
-