Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 04/12/2024, 18:31
Static task: static1
Behavioral task: behavioral1
- Sample: venomderek.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: venomderek.exe
- Resource: win10v2004-20241007-en
General
- Target: venomderek.exe
- Size: 3.2MB
- MD5: 8c1a3371880670ae29eb22eec13df95e
- SHA1: 642e25d5a8a9e52ae970d3cc1f41388d4468259a
- SHA256: 39e4e2d97af7b2be0aa8806afbc4d4766bc057264f556733b392ffb766174dce
- SHA512: 8e7b06b4dbe4277390d504a628ada5ff65261408352c9ea66ebcec5f3afd7a7ed7cb2106cec632870d6a7945e96b44818585c21659dc4d6562d473b3e73367a1
- SSDEEP: 24576:S/frmzI7lsX7Rh7lmXh0lhSMXlWuyuLNMkda9L9kKVHnwWt:KfrmzI7OXBGuyuza9n
Malware Config
Extracted: meduza
- 45.130.145.152
- anti_dbg: true
- anti_vm: true
- build_name: Work
- extensions: .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
- grabber_max_size: 4.194304e+06
- port: 15666
- self_destruct: false
Signatures
- Meduza Stealer payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1504-0-0x0000000001B50000-0x0000000001C8E000-memory.dmp | family_meduza
  behavioral1/memory/1504-1-0x0000000001B50000-0x0000000001C8E000-memory.dmp | family_meduza
- Meduza family
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation | venomderek.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1504 | venomderek.exe
  Token: SeImpersonatePrivilege | 1504 | venomderek.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1504 wrote to memory of 2400 | 1504 | venomderek.exe | 31
  PID 1504 wrote to memory of 2400 | 1504 | venomderek.exe | 31
  PID 1504 wrote to memory of 2400 | 1504 | venomderek.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\venomderek.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\venomderek.exe"
  PID: 1504
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 1504 -s 624
    PID: 2400