Analysis
max time kernel: 130s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 15-04-2022 08:58

Static task: static1

Behavioral task: behavioral1
  Sample: 2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe
  Resource: win10v2004-20220414-en
General
Target: 2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe
Size: 2.2MB
MD5: 41d2d84306230b4b34fd9bba81c8c266
SHA1: b50404acbac5c7d8315fecd477a1d43ddf6e812e
SHA256: 2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8
SHA512: 0431136940780b6e9e4565c39e78a66b9c3a677dbd8cb0aad2b29c995c11001916931d402c332d480d4806463fa51c3ae3478a17f7724c7663374455c9221bc8
Malware Config
Signatures
- Meta Stealer (Stealer)
  Meta Stealer steals passwords stored in browsers, written in C++.

- AutoIT Executable (3 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                                                      yara_rule
  behavioral2/memory/1436-141-0x0000000000B00000-0x0000000000BE8000-memory.dmp  autoit_exe
  behavioral2/memory/1436-145-0x0000000000B00000-0x0000000000BE8000-memory.dmp  autoit_exe
  behavioral2/memory/1436-149-0x0000000000B00000-0x0000000000BE8000-memory.dmp  autoit_exe

- Suspicious use of SetThreadContext (1 IoC)
  description                           pid  Process                                                                   procid_target
  PID 924 set thread context of 1436    924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79

- Program crash (1 IoC)
  pid   pid_target  Process        procid_target
  1172  1436        WerFault.exe   79

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  Process
  924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  description                       pid  Process                                                                   procid_target
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
  PID 924 wrote to memory of 1436   924  2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe  79
Processes
- C:\Users\Admin\AppData\Local\Temp\2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe"
  PID: 924
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2b9874c1a387cdd9bad50e5ecbb121bc5ac57afc1fcc5e830549641690f93aa8.exe"
    PID: 1436
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 548
      PID: 1172
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1436 -ip 1436
  PID: 1896