Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14/12/2024, 09:50 UTC
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
-
Size
3.1MB
-
MD5
36b15b22ccf73ecfec445f9bd7dc59ff
-
SHA1
4736a7feb57398e3efde894647b038014ced93dc
-
SHA256
b4de7f656a143cb9a5a1836836f0e90d1707a92e66685d15d54e3eb203fa9476
-
SHA512
fd36ea7181b4c3466cc9401bd10e67a138935f0098480629b51d88cd498ae346f910e4fbd138c7b59d2dd56f6ad59de05e1dddeec5be724cb7cc812060f23be5
-
SSDEEP
24576:SBvVKjsyoZlCOjSXM8ZiPC9RSjFqfH48RdFNE2YRM+MBgOoJ14/fe7P/e:uJXjoM80dX87FNE7ME7P
Malware Config
Extracted
meduza
45.130.145.152
-
anti_dbg
true
-
anti_vm
true
-
build_name
SEO2.0
-
extensions
.txt; .doc; .xlsx
-
grabber_max_size
4.194304e+06
-
port
15666
-
self_destruct
false
Signatures
-
Meduza Stealer payload 6 IoCs
resource yara_rule behavioral2/memory/3424-2-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/3424-1-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/3424-3-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/3424-0-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/3424-10-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza behavioral2/memory/3424-11-0x0000000140000000-0x0000000140141000-memory.dmp family_meduza -
Meduza family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 api.ipify.org 9 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4724 set thread context of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3424 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 3424 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3424 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe Token: SeImpersonatePrivilege 3424 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 PID 4724 wrote to memory of 3424 4724 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe 83 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Users\Admin\AppData\Local\Temp\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe"2⤵
- Checks computer location settings
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3424
-
Network
-
Remote address:8.8.8.8:53Requestapi.ipify.orgIN AResponseapi.ipify.orgIN A172.67.74.152api.ipify.orgIN A104.26.13.205api.ipify.orgIN A104.26.12.205
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:172.67.74.152:443RequestGET / HTTP/1.1
Accept: text/html; text/plain; */*
Host: api.ipify.org
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 14
Connection: keep-alive
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8f1d4ad6695fef58-LHR
server-timing: cfL4;desc="?proto=TCP&rtt=26030&min_rtt=25922&rtt_var=4181&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3278&recv_bytes=402&delivery_rate=156854&cwnd=253&unsent_bytes=0&cid=89c00280d456b846&ts=329&x=0"
-
Remote address:8.8.8.8:53Requestc.pki.googIN AResponsec.pki.googIN CNAMEpki-goog.l.google.compki-goog.l.google.comIN A142.250.179.67
-
Remote address:142.250.179.67:80RequestGET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 14 Dec 2024 09:01:35 GMT
Expires: Sat, 14 Dec 2024 09:51:35 GMT
Cache-Control: public, max-age=3000
Age: 2959
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:142.250.179.67:80RequestGET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog
ResponseHTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Sat, 14 Dec 2024 09:02:38 GMT
Expires: Sat, 14 Dec 2024 09:52:38 GMT
Cache-Control: public, max-age=3000
Age: 2896
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address:8.8.8.8:53Request152.145.130.45.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request152.74.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request67.179.250.142.in-addr.arpaIN PTRResponse67.179.250.142.in-addr.arpaIN PTRpar21s19-in-f31e100net
-
Remote address:8.8.8.8:53Request73.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request232.168.11.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request212.20.149.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request180.129.81.91.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request13.227.111.52.in-addr.arpaIN PTRResponse
-
15.8MB 203.4kB 11352 4921
-
172.67.74.152:443https://api.ipify.org/tls, http2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe896 B 4.1kB 11 8
HTTP Request
GET https://api.ipify.org/HTTP Response
200 -
142.250.179.67:80http://c.pki.goog/r/r4.crlhttp2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe556 B 3.8kB 7 5
HTTP Request
GET http://c.pki.goog/r/gsr1.crlHTTP Response
200HTTP Request
GET http://c.pki.goog/r/r4.crlHTTP Response
200
-
59 B 107 B 1 1
DNS Request
api.ipify.org
DNS Response
172.67.74.152104.26.13.205104.26.12.205
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.179.67
-
73 B 127 B 1 1
DNS Request
152.145.130.45.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa
-
72 B 134 B 1 1
DNS Request
152.74.67.172.in-addr.arpa
-
73 B 111 B 1 1
DNS Request
67.179.250.142.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
73.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
232.168.11.51.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
212.20.149.52.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
72 B 147 B 1 1
DNS Request
180.129.81.91.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
13.227.111.52.in-addr.arpa
-