Malware Analysis Report

2024-11-30 20:49

Sample ID: 241120-ajv84swcmb
Target: 7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa
SHA256: 7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa
Tags: meduza
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa

Threat Level: Known bad

The file 7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa was found to be: Known bad.

Malicious Activity Summary

meduza

Meduza Stealer payload

Meduza family

Checks computer location settings

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-20 00:15

Signatures

Meduza Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Meduza family

meduza

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-20 00:15
Reported: 2024-11-20 00:17
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe

"C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe"

Network

Country | Destination | Domain | Proto
CH | 147.45.44.212:15666 | N/A | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-20 00:15
Reported: 2024-11-20 00:17
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe

"C:\Users\Admin\AppData\Local\Temp\7690c2f38dc86dbefa5d70f20912195f2173c989763e3cbee3e38139c94ff3aa.exe"

Network

Country | Destination | Domain | Proto
CH | 147.45.44.212:15666 | N/A | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A