Analysis

max time kernel:  122s
max time network: 124s
platform:         windows7_x64
resource:         win7-20240903-en
resource tags:    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted:        20-12-2024 04:13
Static task: static1

Behavioral task: behavioral1
  Sample:   4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample:   4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe
  Resource: win10v2004-20241007-en
General

Target: 4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe
Size:   2.6MB
MD5:    41f92168b17f6f6e3f0c2dd847b8790c
SHA1:   d72086c8d7cf22ee4a212a8aafbf2c1cfbb68db4
SHA256: 4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc
SHA512: 51993dd5aed96c4dc4863ad9126be8f8e651b363cde9042561fc9fa1c9f19febacc786c9dbde8c148cd6eaf28b536e3056582e5413e507f67d4981ddde8a001f
SSDEEP: 24576:V9L8hJZ4uB+Ch0lhSMXlnwgT59w2/rbS43qtrtgBGVb5Q:PL8hD4auX/weJBGs
Malware Config

Extracted
Family: meduza
C2:     45.130.145.152

anti_dbg:         true
anti_vm:          true
build_name:       Student
extensions:       .txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size: 3.145728e+06
port:             15666
self_destruct:    true
Signatures

Meduza Stealer payload (12 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1628-1-0x0000000001E40000-0x000000000203A000-memory.dmp   family_meduza
behavioral1/memory/1628-7-0x0000000001E40000-0x000000000203A000-memory.dmp   family_meduza
behavioral1/memory/1628-3-0x0000000001E40000-0x000000000203A000-memory.dmp   family_meduza
behavioral1/memory/1628-4-0x0000000001E40000-0x000000000203A000-memory.dmp   family_meduza
behavioral1/memory/1628-6-0x0000000001E40000-0x000000000203A000-memory.dmp   family_meduza
behavioral1/memory/1628-10-0x0000000001E40000-0x000000000203A000-memory.dmp  family_meduza
behavioral1/memory/1628-2-0x0000000001E40000-0x000000000203A000-memory.dmp   family_meduza
behavioral1/memory/1628-9-0x0000000001E40000-0x000000000203A000-memory.dmp   family_meduza
behavioral1/memory/1628-11-0x0000000001E40000-0x000000000203A000-memory.dmp  family_meduza
behavioral1/memory/1628-14-0x0000000001E40000-0x000000000203A000-memory.dmp  family_meduza
behavioral1/memory/1628-16-0x0000000001E40000-0x000000000203A000-memory.dmp  family_meduza
behavioral1/memory/1628-12-0x0000000001E40000-0x000000000203A000-memory.dmp  family_meduza

Meduza family

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation   4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description                    pid   Process
Token: SeDebugPrivilege        1628  4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe
Token: SeImpersonatePrivilege  1628  4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                       pid   Process                                                                procid_target
PID 1628 wrote to memory of 2652  1628  4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe  31
PID 1628 wrote to memory of 2652  1628  4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe  31
PID 1628 wrote to memory of 2652  1628  4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4a5229e0157022f1f1e52bc9ddef08d3495094f596ec8b861f82778f13664ddc.exe"
  PID: 1628
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\WerFault.exe (child of PID 1628)
    Command line: C:\Windows\system32\WerFault.exe -u -p 1628 -s 620
    PID: 2652