metastealer | ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307

General

Target

ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe
Size

363KB
MD5

e994f3f5e18e7b0ef95f1642aba62333
SHA1

56a394dd005af54587a913e495d6b2ef3e3f4278
SHA256

ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307
SHA512

daab466ab5b748f8fa79b48f10df717283daa6c376fc14f3d86e6196e32f0c8083ccc5a0b69269ac8c5b6b7eaea2d555ff9f8ac460d94a7ef91cd4d7a324b455

Score

10^/10

metastealer stealer upx

Malware Config

Signatures

Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

Executes dropped EXE 3 IoCs

pid	Process
1280	server v2.exe
1408	ReduceMemory.exe
2144	ReduceMemory.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023156-135.dat	upx
behavioral2/files/0x0007000000023156-136.dat	upx
behavioral2/files/0x0007000000023156-140.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4136	1280	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1408	ReduceMemory.exe
1408	ReduceMemory.exe
2144	ReduceMemory.exe
2144	ReduceMemory.exe
2144	ReduceMemory.exe
2144	ReduceMemory.exe
1408	ReduceMemory.exe
1408	ReduceMemory.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1280	server v2.exe
Token: SeIncBasePriorityPrivilege	1408	ReduceMemory.exe
Token: SeIncBasePriorityPrivilege	2144	ReduceMemory.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1280	1304	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	76
PID 1304 wrote to memory of 1280	1304	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	76
PID 1304 wrote to memory of 1408	1304	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	77
PID 1304 wrote to memory of 1408	1304	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	77
PID 1304 wrote to memory of 1408	1304	ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe	77

C:\Users\Admin\AppData\Local\Temp\ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe
"C:\Users\Admin\AppData\Local\Temp\ff7c0bfb277316c5fd4f506fc108ea616dad82aae5eb6a42c71777be8a303307.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\server v2.exe
  "C:\Users\Admin\AppData\Local\Temp\server v2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1280 -s 1420
    3⤵
    - Program crash
    PID:4136
- C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe
  "C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408

C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe
"C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe" /S
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 1280 -ip 1280
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe

Filesize
313KB

MD5
879007aa82419d86b66648f4a38e7850

SHA1
a85b4295e65a96e32580bda391c0c1af0d02b30a

SHA256
ba2af21b6d0fed46085d38bad2a6e87821b95998f07710fb0edec53d8fa43e00

SHA512
98b1f1910a444b227af47d439a40e74f49193e894a313b8069d7ac29c73df341a9913cd357ed8c3e5d9481887fca61394dd2143117b4785d30fd54e6aed06ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe

Filesize
313KB

MD5
879007aa82419d86b66648f4a38e7850

SHA1
a85b4295e65a96e32580bda391c0c1af0d02b30a

SHA256
ba2af21b6d0fed46085d38bad2a6e87821b95998f07710fb0edec53d8fa43e00

SHA512
98b1f1910a444b227af47d439a40e74f49193e894a313b8069d7ac29c73df341a9913cd357ed8c3e5d9481887fca61394dd2143117b4785d30fd54e6aed06ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe

Filesize
313KB

MD5
879007aa82419d86b66648f4a38e7850

SHA1
a85b4295e65a96e32580bda391c0c1af0d02b30a

SHA256
ba2af21b6d0fed46085d38bad2a6e87821b95998f07710fb0edec53d8fa43e00

SHA512
98b1f1910a444b227af47d439a40e74f49193e894a313b8069d7ac29c73df341a9913cd357ed8c3e5d9481887fca61394dd2143117b4785d30fd54e6aed06ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\server v2.exe

Filesize
9KB

MD5
74e9f40026618822a263410fa4f45fc6

SHA1
ef5259d0f4b920cf69f608467ccdee285e31fc8e

SHA256
a04430655909bdb60d4442d4601d380e28ab26bc022c3ddef17a156136fe015e

SHA512
6c67c239e9581365d6082b9a42a42698178e6583a5e95d8bdcedfe13bd3f12ac43418308849326fe7ae6c8b39340d2b998540a5c502ce22071dcea73d4f0c23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\server v2.exe

Filesize
9KB

MD5
74e9f40026618822a263410fa4f45fc6

SHA1
ef5259d0f4b920cf69f608467ccdee285e31fc8e

SHA256
a04430655909bdb60d4442d4601d380e28ab26bc022c3ddef17a156136fe015e

SHA512
6c67c239e9581365d6082b9a42a42698178e6583a5e95d8bdcedfe13bd3f12ac43418308849326fe7ae6c8b39340d2b998540a5c502ce22071dcea73d4f0c23e

Download Submit
memory/1280-133-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/1280-137-0x000000001C710000-0x000000001CC38000-memory.dmp

Filesize
5.2MB

Download
memory/1280-138-0x00007FF89A910000-0x00007FF89B3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-139-0x000000001B670000-0x000000001B672000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing