Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 20:23

General

  • Target

    Solara Executor.exe

  • Size

    527.1MB

  • MD5

    2f0279eca2b15f105600d0fa8634b40a

  • SHA1

    a61a80b6a5915f014f7b9d311386905a1cf30f0a

  • SHA256

    68f2893e72bb79f1da5d8b3c9f5dbe29d6f1c1c583356cd5a2221d8a54bf3010

  • SHA512

    1aa89b075a4d3a58439b88ca82c79b425707b65ff8b1685a57e70e55e3718e48f2942d8399d843d6fb504da3bcf931c400c30e368d213a2b1d0149899868254f

  • SSDEEP

    98304:HJxFqrqnIGHYeUt7wSTsEitaAo4N/nl3x0NlBuQa3HUQxrFD:pxFqrqnwtwSccAoKl3fQa3f

Score
10/10

Malware Config

Extracted

Family

meduza

C2

45.130.145.152

Attributes
  • anti_dbg

    true

  • anti_vm

    true

  • build_name

    Work

  • extensions

    .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite

  • grabber_max_size

    4.194304e+06

  • port

    15666

  • self_destruct

    false

Signatures

  • Meduza

    Meduza is a crypto wallet and info stealer written in C++.

  • Meduza Stealer payload 2 IoCs
  • Meduza family
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara Executor.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\78643400aaca4701b7bbddbfe9fde79c.exe
      "C:\Users\Admin\AppData\Local\Temp\78643400aaca4701b7bbddbfe9fde79c.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2680 -s 656
        3⤵
        • Loads dropped DLL
        PID:2664
    • C:\Users\Admin\AppData\Local\Temp\9d52dc19fecb43e793f03d6fbe7f9472.exe
      "C:\Users\Admin\AppData\Local\Temp\9d52dc19fecb43e793f03d6fbe7f9472.exe"
      2⤵
      • Executes dropped EXE
      PID:2104

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9d52dc19fecb43e793f03d6fbe7f9472.exe

    Filesize

    2.6MB

    MD5

    5ad98066bfaea71873af260814cdebb0

    SHA1

    5dc890fd83e13d1b3b9ffc8b9e691bf5923fe7d4

    SHA256

    bec45a7561b438237598f772b08e4e67f480e2330619fb3e7cd175156627c5f8

    SHA512

    4373e339b09fef72e8da394933b42a04ff4c9b1e31636c0cad6a0fc8d60d7a4e23b43d744f3725fb506078fdb2521879c785978e1aef066898eb3762a72b262e

  • \Users\Admin\AppData\Local\Temp\78643400aaca4701b7bbddbfe9fde79c.exe

    Filesize

    2.6MB

    MD5

    c3242cab034e773dad42d6fbff0b4ecf

    SHA1

    c4b7daa973a191f9dcd6e6f637602b5683899571

    SHA256

    fbe49c90e24fb5b6be83157db5a5415411b410c6b13fdb9ef12740a157f60481

    SHA512

    e74a8e474f4385531387e0f51cff631a8e7c0eacb5d23021f0ac4701f356f869889472814cc5856aef776fefa8703a94578af4feec8e037d89cbe95a409027c3

  • memory/2104-26-0x00000000000F0000-0x0000000000170000-memory.dmp

    Filesize

    512KB

  • memory/2104-23-0x00000000000F0000-0x0000000000170000-memory.dmp

    Filesize

    512KB

  • memory/2104-21-0x00000000000F0000-0x0000000000170000-memory.dmp

    Filesize

    512KB

  • memory/2680-25-0x0000000001F30000-0x000000000206E000-memory.dmp

    Filesize

    1.2MB

  • memory/2680-12-0x0000000001F30000-0x000000000206E000-memory.dmp

    Filesize

    1.2MB

  • memory/2692-4-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-6-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-5-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

    Filesize

    4KB

  • memory/2692-0-0x000007FEF61F3000-0x000007FEF61F4000-memory.dmp

    Filesize

    4KB

  • memory/2692-3-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-22-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-24-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-2-0x000007FEF61F0000-0x000007FEF6BDC000-memory.dmp

    Filesize

    9.9MB

  • memory/2692-1-0x0000000000D30000-0x0000000001D30000-memory.dmp

    Filesize

    16.0MB