Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 14:34
Static task
static1
Behavioral task
behavioral1
Sample
DLLs/Packaged/Resource.dll
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
DLLs/Packaged/Resource.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Serilog.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Serilog.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
SevenZip.dll
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
SevenZip.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Xeno Executor.exe
Resource
win7-20241023-en
Behavioral task
behavioral8
Sample
Xeno Executor.exe
Resource
win10v2004-20241007-en
General
-
Target
Xeno Executor.exe
-
Size
4.1MB
-
MD5
36517f5bfae396a1d223e7491a3044cc
-
SHA1
591a20349741340b21e0d3ea7d70a7df4043e925
-
SHA256
e5d7e8537578b6c2f2ad9d842c51fcda0535c82b4e84c52537afe852687aa5f2
-
SHA512
23dac5a4cca030209d9e35ba04bf0388aa0088d5e7ba4020978e77e1eeefe7f70be60bd8ccdfb81732523b726b225c6df48d005857f5b4424ec3df52f13b6394
-
SSDEEP
49152:Xl4UjB0jUuB5ykrT/v+Qcr9tF3Vm2Jzd8SgN1IRA:14UjKguKA
Malware Config
Extracted
meduza
5.252.155.28
-
anti_dbg
true
-
anti_vm
true
-
build_name
703
-
extensions
none
-
grabber_max_size
1.048576e+06
-
links
none
-
port
15666
-
self_destruct
true
Signatures
-
Meduza Stealer payload 9 IoCs
resource yara_rule behavioral7/memory/2396-10-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral7/memory/2396-12-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral7/memory/2396-13-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral7/memory/2396-8-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral7/memory/2396-7-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral7/memory/2396-6-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral7/memory/2396-5-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral7/memory/2396-27-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral7/memory/2396-28-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza -
Meduza family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation Xeno Executor.exe -
Deletes itself 1 IoCs
pid Process 2844 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Xeno Executor.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Xeno Executor.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Xeno Executor.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Xeno Executor.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Xeno Executor.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 api.ipify.org 6 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2604 set thread context of 2396 2604 Xeno Executor.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2672 PING.EXE 2844 cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2672 PING.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2396 Xeno Executor.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2396 Xeno Executor.exe Token: SeImpersonatePrivilege 2396 Xeno Executor.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2604 wrote to memory of 2396 2604 Xeno Executor.exe 30 PID 2396 wrote to memory of 2844 2396 Xeno Executor.exe 33 PID 2396 wrote to memory of 2844 2396 Xeno Executor.exe 33 PID 2396 wrote to memory of 2844 2396 Xeno Executor.exe 33 PID 2844 wrote to memory of 2672 2844 cmd.exe 35 PID 2844 wrote to memory of 2672 2844 cmd.exe 35 PID 2844 wrote to memory of 2672 2844 cmd.exe 35 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Xeno Executor.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Xeno Executor.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Xeno Executor.exe"C:\Users\Admin\AppData\Local\Temp\Xeno Executor.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\Xeno Executor.exe"C:\Users\Admin\AppData\Local\Temp\Xeno Executor.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2396 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\Xeno Executor.exe"3⤵
- Deletes itself
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\system32\PING.EXEping 1.1.1.1 -n 1 -w 30004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2672
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1