meduza | 5af85811de6f6fd6a666e535d142aa0e36a1021bafe155f9af9a38b9f9f94f55

Analysis

max time kernel
43s
max time network
51s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

661.5MB
MD5

32afedd1343f2201b4ba1b3f647a06c0
SHA1

09430e44c1f90e0e4cd247a7f60af767a5f0ed01
SHA256

8ff929bb2e7cc8033cfa6927a7634d8c5cf6582f3be8a41bbc430b99ebbc64f5
SHA512

52551f51408660145b014b0f3e32fb61195a2e270ac6af9c4c639e5085f758db8bb27a466358895ed5772ca04269f7cb058ecb51cebc9286fa2e15dbdefada4a
SSDEEP

98304:d57plQ1rRPyQRUbhFVSDoWGbqNv2ODzfIlgrSdJD:DplMRPyQRUbhFwDp2+5fpSdJ

Score

10^/10

meduza stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Work
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
4.194304e+06
port
15666
self_destruct
false

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2968-11-0x0000000001BC0000-0x0000000001CFE000-memory.dmp	family_meduza
behavioral1/memory/2968-16-0x0000000001BC0000-0x0000000001CFE000-memory.dmp	family_meduza

Meduza family
meduza
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

installer.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	installer.exe

Executes dropped EXE 1 IoCs

Processes:

installer.exe

pid	Process
2968	installer.exe

Loads dropped DLL 4 IoCs

Processes:

Solara.exeWerFault.exe

pid	Process
2100	Solara.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
8	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Solara.exeinstaller.exe

description	pid	Process
Token: SeDebugPrivilege	2100	Solara.exe
Token: SeDebugPrivilege	2968	installer.exe
Token: SeImpersonatePrivilege	2968	installer.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Solara.exeinstaller.exe

description	pid	Process	procid_target
PID 2100 wrote to memory of 2968	2100	Solara.exe	31
PID 2100 wrote to memory of 2968	2100	Solara.exe	31
PID 2100 wrote to memory of 2968	2100	Solara.exe	31
PID 2968 wrote to memory of 2540	2968	installer.exe	32
PID 2968 wrote to memory of 2540	2968	installer.exe	32
PID 2968 wrote to memory of 2540	2968	installer.exe	32

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2968 -s 656
    3⤵
    - Loads dropped DLL
    PID:2540

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\installer.exe

Filesize
3.2MB

MD5
f16649c66acae1badb27a896fd9e97c5

SHA1
179c138197c7b6fa3c8741398d895a757d745620

SHA256
011be31b68624ff1b59d8733e7196d5be6015adba63cc7962c9f300f72a95199

SHA512
c972643df907598bde50ff812411a76670e5ec9194e6aa6f47abd445ea0b74f91a2eee41a52cb6b8bfd0ac1aef2759653c4bb582a3b6ce9daa42779a2e5814b0

Download Submit
memory/2100-0-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000000370000-0x0000000001370000-memory.dmp

Filesize
16.0MB

Download
memory/2100-2-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-3-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-4-0x000007FEF5F03000-0x000007FEF5F04000-memory.dmp

Filesize
4KB

Download
memory/2100-5-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-12-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2100-17-0x000007FEF5F00000-0x000007FEF68EC000-memory.dmp

Filesize
9.9MB

Download
memory/2968-11-0x0000000001BC0000-0x0000000001CFE000-memory.dmp

Filesize
1.2MB

Download
memory/2968-16-0x0000000001BC0000-0x0000000001CFE000-memory.dmp

Filesize
1.2MB

Download