Overview
overview
10Static
static
10Crack.exe
windows7-x64
10Crack.exe
windows10-2004-x64
10WindowsManager.dll
windows7-x64
1WindowsManager.dll
windows10-2004-x64
1assets/Tap...er.dll
windows7-x64
1assets/Tap...er.dll
windows10-2004-x64
1assets/WSe...in.dll
windows10-2004-x64
5assets/Wpc...el.dll
windows10-2004-x64
1assets/WsUpgrade.dll
windows10-2004-x64
7library/AR...et.dll
windows7-x64
1library/AR...et.dll
windows10-2004-x64
1library/Autofac.dll
windows7-x64
1library/Autofac.dll
windows10-2004-x64
1library/Ga...rm.dll
windows7-x64
1library/Ga...rm.dll
windows10-2004-x64
1library/Ga...ht.dll
windows7-x64
1library/Ga...ht.dll
windows10-2004-x64
1Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15-11-2024 11:31
Behavioral task
behavioral1
Sample
Crack.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Crack.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
WindowsManager.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
WindowsManager.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
assets/TapInstaller.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
assets/TapInstaller.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
assets/WSearchMigPlugin.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral8
Sample
assets/WpcMigration.Uplevel.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
assets/WsUpgrade.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral10
Sample
library/ARSoft.Tools.Net.dll
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
library/ARSoft.Tools.Net.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral12
Sample
library/Autofac.dll
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
library/Autofac.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral14
Sample
library/GalaSoft.MvvmLight.Platform.dll
Resource
win7-20241023-en
Behavioral task
behavioral15
Sample
library/GalaSoft.MvvmLight.Platform.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral16
Sample
library/GalaSoft.MvvmLight.dll
Resource
win7-20240708-en
Behavioral task
behavioral17
Sample
library/GalaSoft.MvvmLight.dll
Resource
win10v2004-20241007-en
General
-
Target
Crack.exe
-
Size
2.5MB
-
MD5
713454ca909efaf3a83b636423a6c248
-
SHA1
6c197870b9646b90f5b55bdcd4cfd07019864e98
-
SHA256
9d1701e0510ea2a76a1292999d89627ba30384bcb7eacc3000e331ba728bf8ad
-
SHA512
8a31b7fdfe7a4d1c21f7af401e14c7ae7b420e66bab2fc8310c1341fc8b559a80a12b6b3fb1544358f1e505eb931e466abdf1bd3289618846c4a9167b789a80b
-
SSDEEP
24576:xf2KQ7MvYPh0lhSMXlJu78bG8AQs7QZqxwB42EyuzCBorM5c9ech:tpHvZM78b9Ab7aTEZzwoN
Malware Config
Extracted
meduza
45.130.145.152
-
anti_dbg
true
-
anti_vm
true
-
build_name
Mazti
-
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
-
grabber_max_size
3.145728e+06
-
port
15666
-
self_destruct
true
Signatures
-
Meduza Stealer payload 48 IoCs
Processes:
resource yara_rule behavioral2/memory/4344-6-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-5-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-16-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-18-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-13-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-12-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-11-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-3-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-10-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-9-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-4-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-27-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-28-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-31-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-32-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-33-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-38-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-39-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-40-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-34-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-35-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-46-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-45-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-42-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-41-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-49-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-78-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-77-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-86-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-84-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-88-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-87-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-74-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-72-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-68-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-71-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-65-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-60-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-55-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-58-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-54-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-52-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-94-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-93-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-89-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-90-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-97-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza behavioral2/memory/4344-98-0x00000265078C0000-0x0000026507ABA000-memory.dmp family_meduza -
Meduza family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Crack.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation Crack.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
Processes:
Crack.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Crack.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Crack.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Crack.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Crack.exe Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Crack.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 api.ipify.org 5 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid Process 5028 cmd.exe 556 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Crack.exepid Process 4344 Crack.exe 4344 Crack.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Crack.exedescription pid Process Token: SeDebugPrivilege 4344 Crack.exe Token: SeImpersonatePrivilege 4344 Crack.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Crack.execmd.exedescription pid Process procid_target PID 4344 wrote to memory of 5028 4344 Crack.exe 103 PID 4344 wrote to memory of 5028 4344 Crack.exe 103 PID 5028 wrote to memory of 556 5028 cmd.exe 105 PID 5028 wrote to memory of 556 5028 cmd.exe 105 -
outlook_office_path 1 IoCs
Processes:
Crack.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Crack.exe -
outlook_win_path 1 IoCs
Processes:
Crack.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Crack.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Crack.exe"C:\Users\Admin\AppData\Local\Temp\Crack.exe"1⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4344 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Crack.exe"2⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:5028 -
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:556
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1