Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
28-11-2024 01:00
General
-
Target
https://dar.vin/sola_updatev4
Malware Config
Extracted
meduza
45.130.145.152
-
anti_dbg
true
-
anti_vm
true
-
build_name
Oxoxox
-
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
-
grabber_max_size
3.145728e+06
-
port
15666
-
self_destruct
true
Signatures
-
Meduza
Meduza is a crypto wallet and info stealer written in C++.
-
Meduza Stealer payload 41 IoCs
-
Meduza family
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 54 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://dar.vin/sola_updatev41⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe0e083cb8,0x7ffe0e083cc8,0x7ffe0e083cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7586321649907675591,14290609729081701218,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4892 /prefetch:22⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\Solara.exe"C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\Solara.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\8b9ea571-5aa5-4d27-9c1c-b4cab8ba7f19\f6303183-6dbb-4e5b-9441-77a5592b99c1.exe"C:\Users\Admin\AppData\Local\Temp\8b9ea571-5aa5-4d27-9c1c-b4cab8ba7f19\f6303183-6dbb-4e5b-9441-77a5592b99c1.exe"2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\Solara.exe"C:\Users\Admin\Downloads\Update_v4\Update_v4(password_github)\Solara.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b8418ed2a59189acecef48efbc2eba7d
SHA114f53c898215122eb28ab41c94697e63a63ff925
SHA256e17b3fd5b8c8ac454e8fa71e04fd011f27bfab2de07e0319be1d32e916f37a84
SHA5121ffcaa0e0e5507fdbdb06eb08be210aa3482e587f76be82f2d35ba43a218e3b8c8e8c2aa37ab9d211ebdc7be7896cc53f6064b0694500cb235ef6a720ed9d25d
-
Filesize
152B
MD5554d6d27186fa7d6762d95dde7a17584
SHA193ea7b20b8fae384cf0be0d65e4295097112fdca
SHA2562fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb
SHA51257d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7
-
Filesize
152B
MD5a28bb0d36049e72d00393056dce10a26
SHA1c753387b64cc15c0efc80084da393acdb4fc01d0
SHA256684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1
SHA51220940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7
-
Filesize
20KB
MD5f5146f1525a91414ff9219fd72f6796c
SHA1697a24ac2bb3a94064cd7569b79eb1cb18cfc551
SHA256a2eaa9ecf81d7b848323519903a8a4a24a4707b38a625c0ef9448d9059fdfbb2
SHA5120ab97afb0783e30d5a9ac292b400787ed641c0e1abd89145b710818e0b73cd50471bb76d07eaa6fcd71f0ce083c54e6e1542d9b28707e28e6b1fdd9315f43e96
-
Filesize
331B
MD5ac252dda3ec1472a478e28250181a5b7
SHA1e1c337413d7c24a4177d5e683c4a0eb90d814977
SHA256d321fac04f3497658fe48673a481b2e5b6c7f7fba4c9a4b0a400bcc4beef87e6
SHA512046b7cd573e1bf510cb768770a2d55eaee88e8bcf3add2301547bb41c0f352f942890206517af9645076af99731b95e37ea5852f161e49b65f9df229378d5a84
-
Filesize
330B
MD565e6b3aa7b7020bbc70877e5a7c5a862
SHA183d2a59848570458bc9484833ee2ac30436b92ce
SHA256b2d050fc35aa581ba8d776bbff9b3985920058f79c9c133b21d6aa56640a98f8
SHA51270b03e4d1d0d26d81a8f037c8146f9600bd9ffac973d983f510b4f22e47630cb4d27a3349c6c6644617354a19246e102402fb5331e10fcd9614ebebd39150f62
-
Filesize
5KB
MD50ae08a338c6c92acb33f004d6ca577a2
SHA17b0a0ad708a55e3f9bf63587fd70b162de817c3d
SHA256fe2cf3436642aa5bc0c8a85393355ee66cc061d0e737da4362221f1f0a16a84a
SHA512b1b10fbf425fe0c401824765f044602156f0746f9b4c14e4e76b027fd4f438211af452900371d2c8b04d61895eeec3771b35423b25ec0228b40d94ab99b6d92b
-
Filesize
5KB
MD54ef25f8f0007d3e96631cefa8d4a1ee0
SHA11a10f65f3cb6f272cf4ff4272b9fa7c7fb20cb99
SHA256d8e1aae38be28d319c59b64574d3c83cdbf932e6789e2cd21d472b4911ce9671
SHA51267f81ec08949f920f78ffabb2c42cbd2a037c51e2d754fb1a81b01caf51d0332586c3ed149ad3dddb23e434eaa7917a9a7ed2e35d5b62a3815ee6fcf831b0ce6
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD5c2b55de00206a4a25c90296b6d7ee1be
SHA1db1fa1af953a41aed5e9f8af2070b99e58703b14
SHA25618f43b5bda345e4136919fa8740234936b3636dd59e2431d8c0e0b0c61e6eb94
SHA5129dc668f794711292a565247a1a9d14dc9c2340d9590dab90f9128dfa752de55b995cc1d9482c21cf9aaccb08b1b27bf913d5771ca004a68ec34718661917bccc
-
Filesize
10KB
MD5c34561a9d770870e473711334796d4fc
SHA1a80391b01ae2622b3ea1dbe1459c726e05441f35
SHA25632c063bb70be8da297e498971e31110acc92b6e84a296859ff2f687baffafaa7
SHA512b5003d0b45f71923a631c52c2310b7163529e6bca226e880cd1cef90e55c54b8715ae9cf3d3d1250a07b4d2f9d1ce2fdc1aa3349f2350514d474e79c083cefb2
-
Filesize
3.2MB
MD5011f94bdd586dd10dfe0ecdc0f60ac38
SHA150f4c3146227526b95f125cccd71b4808752508c
SHA256e57ff0cc203e686500317de1eb7a7912ee0e1ce4d8378c6c19c6d81e7de6c9f4
SHA51226ccd364cf720a7c8b1f357a63eb23081d6c83580a38659482f0b3268ddbcc97c555482887aba3415f5a5b0d34ad77f3a663dcba6294ee91a3e6f359528c31a0
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
16.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB