meduza | 48ce31ecda937253d2ccc1dfd01053eb4f3d93486c1ee36edd97347bf21a9e72

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

754.0MB
MD5

6d2557890012c957faaae8d35a4f0e56
SHA1

1225cd40742576895f74b42bdc18b3af21d96eef
SHA256

b29da8d3e2117236d9f8af71bed0addf68093ccf61acad5a979b2531b0049310
SHA512

145b3471f498d9579b466695407c03a3bd0fad9b98cabbdab9f34ee0ba534d4734fcdb1ce357b90e0de1ec8d9ded04f5576b06e94abed79601510d05cfc4d65a
SSDEEP

98304:pJxFqrqnIGHYeUt7w8TsEitaAo4N/nl3x0NlBuQa3HUQLrFD:/xFqrqnwtw8ccAoKl3fQa3J

Score

10^/10

meduza stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 12 IoCs

resource	yara_rule
behavioral1/memory/2824-22-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-21-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-19-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-17-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-16-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-15-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-14-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-27-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-26-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-24-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-23-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza
behavioral1/memory/2824-20-0x0000000002010000-0x000000000220A000-memory.dmp	family_meduza

Meduza family
meduza
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	6913443b0115448c83476db5ede0d48e.exe

Executes dropped EXE 2 IoCs

pid	Process
2824	6913443b0115448c83476db5ede0d48e.exe
2632	9a87340c591a46439c6c2ab52c9738bb.exe

Loads dropped DLL 5 IoCs

pid	Process
2380	Solara.exe
2668	WerFault.exe
2668	WerFault.exe
2380	Solara.exe
2668	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	Solara.exe
Token: SeDebugPrivilege	2824	6913443b0115448c83476db5ede0d48e.exe
Token: SeImpersonatePrivilege	2824	6913443b0115448c83476db5ede0d48e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2824	2380	Solara.exe	31
PID 2380 wrote to memory of 2824	2380	Solara.exe	31
PID 2380 wrote to memory of 2824	2380	Solara.exe	31
PID 2824 wrote to memory of 2668	2824	6913443b0115448c83476db5ede0d48e.exe	32
PID 2824 wrote to memory of 2668	2824	6913443b0115448c83476db5ede0d48e.exe	32
PID 2824 wrote to memory of 2668	2824	6913443b0115448c83476db5ede0d48e.exe	32
PID 2380 wrote to memory of 2632	2380	Solara.exe	33
PID 2380 wrote to memory of 2632	2380	Solara.exe	33
PID 2380 wrote to memory of 2632	2380	Solara.exe	33

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\6913443b0115448c83476db5ede0d48e.exe
  "C:\Users\Admin\AppData\Local\Temp\6913443b0115448c83476db5ede0d48e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2824 -s 620
    3⤵
    - Loads dropped DLL
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\9a87340c591a46439c6c2ab52c9738bb.exe
  "C:\Users\Admin\AppData\Local\Temp\9a87340c591a46439c6c2ab52c9738bb.exe"
  2⤵
  - Executes dropped EXE
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9a87340c591a46439c6c2ab52c9738bb.exe

Filesize
2.6MB

MD5
2a045f1c2771df69aba71df4c648e7d8

SHA1
511264dafdae9bcced2679c5146c431937ae7409

SHA256
54ca3bdf5c29db04809899fd837a130e9653885a78c6600ea813158e88efd740

SHA512
84a0a8c76a75fb35e29e39dbd4f0c531d2f8457840deb732966c5cae792cd09e75332b232153426adfa80a26b550452cd6fb803d0be9442dc79382429aefb97c

Download Submit
\Users\Admin\AppData\Local\Temp\6913443b0115448c83476db5ede0d48e.exe

Filesize
2.6MB

MD5
7d822df39b176d6fd8cedf539ba0e95e

SHA1
0af3b8f8099b533e55112f5f7162ef8bfdbdd718

SHA256
9d94ec88ae8df58aaa9c15670724c23a34fee48b1e7c049745bb6046b28970bd

SHA512
62a7cc8ed18ca42eaf904b23302e653a4f6f5c0238a91b24f28c5c514f63e0df6d3225cf59ecadfba4989728e709946167cfb163b59fef93064b476314f7926d

Download Submit
memory/2380-6-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-3-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-4-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-5-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2380-2-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-7-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2380-1-0x0000000000F60000-0x0000000001F60000-memory.dmp

Filesize
16.0MB

Download
memory/2380-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2632-38-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/2632-35-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/2632-37-0x00000000001F0000-0x0000000000271000-memory.dmp

Filesize
516KB

Download
memory/2824-17-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-15-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-14-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-27-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-26-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-24-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-23-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-20-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-16-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-19-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-21-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download
memory/2824-22-0x0000000002010000-0x000000000220A000-memory.dmp

Filesize
2.0MB

Download