Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-12-2024 20:23
Static task
static1
Behavioral task
behavioral1
Sample
Solara Executor.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Solara Executor.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Solara Executor.exe
Resource
win11-20241007-en
General
-
Target
Solara Executor.exe
-
Size
527.1MB
-
MD5
2f0279eca2b15f105600d0fa8634b40a
-
SHA1
a61a80b6a5915f014f7b9d311386905a1cf30f0a
-
SHA256
68f2893e72bb79f1da5d8b3c9f5dbe29d6f1c1c583356cd5a2221d8a54bf3010
-
SHA512
1aa89b075a4d3a58439b88ca82c79b425707b65ff8b1685a57e70e55e3718e48f2942d8399d843d6fb504da3bcf931c400c30e368d213a2b1d0149899868254f
-
SSDEEP
98304:HJxFqrqnIGHYeUt7wSTsEitaAo4N/nl3x0NlBuQa3HUQxrFD:pxFqrqnwtwSccAoKl3fQa3f
Malware Config
Extracted
meduza
45.130.145.152
-
anti_dbg
true
-
anti_vm
true
-
build_name
Work
-
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
-
grabber_max_size
4.194304e+06
-
port
15666
-
self_destruct
false
Signatures
-
Meduza Stealer payload 2 IoCs
resource yara_rule behavioral1/memory/2680-12-0x0000000001F30000-0x000000000206E000-memory.dmp family_meduza behavioral1/memory/2680-25-0x0000000001F30000-0x000000000206E000-memory.dmp family_meduza -
Meduza family
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation 78643400aaca4701b7bbddbfe9fde79c.exe -
Executes dropped EXE 2 IoCs
pid Process 2680 78643400aaca4701b7bbddbfe9fde79c.exe 2104 9d52dc19fecb43e793f03d6fbe7f9472.exe -
Loads dropped DLL 5 IoCs
pid Process 2692 Solara Executor.exe 2664 WerFault.exe 2664 WerFault.exe 2692 Solara Executor.exe 2664 WerFault.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 10 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2692 Solara Executor.exe Token: SeDebugPrivilege 2680 78643400aaca4701b7bbddbfe9fde79c.exe Token: SeImpersonatePrivilege 2680 78643400aaca4701b7bbddbfe9fde79c.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2680 2692 Solara Executor.exe 31 PID 2692 wrote to memory of 2680 2692 Solara Executor.exe 31 PID 2692 wrote to memory of 2680 2692 Solara Executor.exe 31 PID 2680 wrote to memory of 2664 2680 78643400aaca4701b7bbddbfe9fde79c.exe 32 PID 2680 wrote to memory of 2664 2680 78643400aaca4701b7bbddbfe9fde79c.exe 32 PID 2680 wrote to memory of 2664 2680 78643400aaca4701b7bbddbfe9fde79c.exe 32 PID 2692 wrote to memory of 2104 2692 Solara Executor.exe 33 PID 2692 wrote to memory of 2104 2692 Solara Executor.exe 33 PID 2692 wrote to memory of 2104 2692 Solara Executor.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe"C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\78643400aaca4701b7bbddbfe9fde79c.exe"C:\Users\Admin\AppData\Local\Temp\78643400aaca4701b7bbddbfe9fde79c.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2680 -s 6563⤵
- Loads dropped DLL
PID:2664
-
-
-
C:\Users\Admin\AppData\Local\Temp\9d52dc19fecb43e793f03d6fbe7f9472.exe"C:\Users\Admin\AppData\Local\Temp\9d52dc19fecb43e793f03d6fbe7f9472.exe"2⤵
- Executes dropped EXE
PID:2104
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD55ad98066bfaea71873af260814cdebb0
SHA15dc890fd83e13d1b3b9ffc8b9e691bf5923fe7d4
SHA256bec45a7561b438237598f772b08e4e67f480e2330619fb3e7cd175156627c5f8
SHA5124373e339b09fef72e8da394933b42a04ff4c9b1e31636c0cad6a0fc8d60d7a4e23b43d744f3725fb506078fdb2521879c785978e1aef066898eb3762a72b262e
-
Filesize
2.6MB
MD5c3242cab034e773dad42d6fbff0b4ecf
SHA1c4b7daa973a191f9dcd6e6f637602b5683899571
SHA256fbe49c90e24fb5b6be83157db5a5415411b410c6b13fdb9ef12740a157f60481
SHA512e74a8e474f4385531387e0f51cff631a8e7c0eacb5d23021f0ac4701f356f869889472814cc5856aef776fefa8703a94578af4feec8e037d89cbe95a409027c3