Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/12/2024, 09:50 UTC

General

  • Target

    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe

  • Size

    3.1MB

  • MD5

    36b15b22ccf73ecfec445f9bd7dc59ff

  • SHA1

    4736a7feb57398e3efde894647b038014ced93dc

  • SHA256

    b4de7f656a143cb9a5a1836836f0e90d1707a92e66685d15d54e3eb203fa9476

  • SHA512

    fd36ea7181b4c3466cc9401bd10e67a138935f0098480629b51d88cd498ae346f910e4fbd138c7b59d2dd56f6ad59de05e1dddeec5be724cb7cc812060f23be5

  • SSDEEP

    24576:SBvVKjsyoZlCOjSXM8ZiPC9RSjFqfH48RdFNE2YRM+MBgOoJ14/fe7P/e:uJXjoM80dX87FNE7ME7P

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    SEO2.0

  • extensions

    .txt; .doc; .xlsx

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 6 IoCs
  • Meduza family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Users\Admin\AppData\Local\Temp\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe"
      2⤵
      • Checks computer location settings
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3424

Network

  • flag-us
    DNS
    api.ipify.org
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    172.67.74.152
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    104.26.12.205
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    GET
    https://api.ipify.org/
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    Remote address:
    172.67.74.152:443
    Request
    GET / HTTP/1.1
    Accept: text/html; text/plain; */*
    Host: api.ipify.org
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 14 Dec 2024 09:50:54 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8f1d4ad6695fef58-LHR
    server-timing: cfL4;desc="?proto=TCP&rtt=26030&min_rtt=25922&rtt_var=4181&sent=6&recv=9&lost=0&retrans=0&sent_bytes=3278&recv_bytes=402&delivery_rate=156854&cwnd=253&unsent_bytes=0&cid=89c00280d456b846&ts=329&x=0"
  • flag-us
    DNS
    c.pki.goog
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.67
  • flag-fr
    GET
    http://c.pki.goog/r/gsr1.crl
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 14 Dec 2024 09:01:35 GMT
    Expires: Sat, 14 Dec 2024 09:51:35 GMT
    Cache-Control: public, max-age=3000
    Age: 2959
    Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-fr
    GET
    http://c.pki.goog/r/r4.crl
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    Remote address:
    142.250.179.67:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 14 Dec 2024 09:02:38 GMT
    Expires: Sat, 14 Dec 2024 09:52:38 GMT
    Cache-Control: public, max-age=3000
    Age: 2896
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    152.145.130.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    152.145.130.45.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    152.74.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    152.74.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    67.179.250.142.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    67.179.250.142.in-addr.arpa
    IN PTR
    Response
    67.179.250.142.in-addr.arpa
    IN PTR
    par21s19-in-f31e100net
  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    212.20.149.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    212.20.149.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    180.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    180.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 45.130.145.152:15666
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    15.8MB
    203.4kB
    11352
    4921
  • 172.67.74.152:443
    https://api.ipify.org/
    tls, http
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    896 B
    4.1kB
    11
    8

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 142.250.179.67:80
    http://c.pki.goog/r/r4.crl
    http
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    556 B
    3.8kB
    7
    5

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 8.8.8.8:53
    api.ipify.org
    dns
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    172.67.74.152
    104.26.13.205
    104.26.12.205

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    c.pki.goog
    dns
    2024-12-14_36b15b22ccf73ecfec445f9bd7dc59ff_cobalt-strike_ryuk.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.67

  • 8.8.8.8:53
    152.145.130.45.in-addr.arpa
    dns
    73 B
    127 B
    1
    1

    DNS Request

    152.145.130.45.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    152.74.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    152.74.67.172.in-addr.arpa

  • 8.8.8.8:53
    67.179.250.142.in-addr.arpa
    dns
    73 B
    111 B
    1
    1

    DNS Request

    67.179.250.142.in-addr.arpa

  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    212.20.149.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    212.20.149.52.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    180.129.81.91.in-addr.arpa
    dns
    72 B
    147 B
    1
    1

    DNS Request

    180.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

  • 8.8.8.8:53

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3424-2-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

  • memory/3424-1-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

  • memory/3424-3-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

  • memory/3424-0-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

  • memory/3424-10-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

  • memory/3424-11-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.