Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

2024-12-18...uk.exe

windows7-x64

10

2024-12-18...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/12/2024, 01:28 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-18_bcf52a0a47b0ad28d13e6c0002ca79b9_cobalt-strike_ryuk.exe

  • Size

    3.1MB

  • MD5

    bcf52a0a47b0ad28d13e6c0002ca79b9

  • SHA1

    46331f1bea07b857fbb69bdd50ffd945e9e5f94c

  • SHA256

    908b67569cb0ade3de4b268c6434fc6f1bd1dd6c34e450f85a970a2b9ba96b12

  • SHA512

    c2a4a09448974c1bc95cb66e923c67ee0ea74826338838a76c11fc907f7fa762e1da90135c8ea3a6aeea5da16a6a63fce76c6ace4cc02a0685f8d03937fddc82

  • SSDEEP

    24576:SBvGLDqo2AH/mhrnOG1HuHPIsfHGY+++Ct+bNZUTRoB71b0P7SY8Vvhdri2:uCzHubDsy9Rb0J8Jn

Score
10/10
meduzastealer

Malware Config

Extracted

Family

meduza

C2

147.45.44.228

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    542

  • extensions

    none

  • grabber_max_size

    1.048576e+06

  • links

    none

  • port

    15666

  • self_destruct

    true

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

    stealermeduza
  • Meduza Stealer payload 8 IoCs
  • Meduza family
    meduza
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-18_bcf52a0a47b0ad28d13e6c0002ca79b9_cobalt-strike_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-18_bcf52a0a47b0ad28d13e6c0002ca79b9_cobalt-strike_ryuk.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\2024-12-18_bcf52a0a47b0ad28d13e6c0002ca79b9_cobalt-strike_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-12-18_bcf52a0a47b0ad28d13e6c0002ca79b9_cobalt-strike_ryuk.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      PID:2064

Network

    No results found
  • 147.45.44.228:15666
    2024-12-18_bcf52a0a47b0ad28d13e6c0002ca79b9_cobalt-strike_ryuk.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2064-0-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-2-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-8-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-10-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-11-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-7-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2064-6-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-5-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-4-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-3-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-1-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2064-12-0x0000000140000000-0x0000000140141000-memory.dmp

    Filesize

    1.3MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.