Analysis

  • max time kernel
    137s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 09:38

General

  • Target

    e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe

  • Size

    573KB

  • MD5

    c9531869cbdf03333c99368be877b7e2

  • SHA1

    59209818bf3261ba17de8b561801abbd2892b4aa

  • SHA256

    e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c

  • SHA512

    88dbab0c4b8d6918b6c3c6295ad5119a19459ff44a83ad6f39431f6478d70754e5590cbce484abbcb62ac6ce62be75ed60033279e2b8de484963f8c8a0adbbcc

Score
10/10

Malware Config

Signatures

  • Meta Stealer Stealer

    Meta Stealer is a credential stealer, written in C++, that harvests passwords stored in browsers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage or optical drive(s); likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware to establish persistence or to trigger post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
    "C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHmmhgfjXRj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1194.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2852
    • C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
      "{path}"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4896

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe.log

    Filesize

    1KB

    MD5

    6f8f3a9a57cb30e686d3355e656031e0

    SHA1

    acccd6befb1a2f40e662280bc5182e086a0d079b

    SHA256

    283586e83b25099a5698cb9caf9c594a37060d11e0f55c81bb9c6d4f728448ea

    SHA512

    8f11d645ff4f8d5b1c45b06eb52cd45319659255306d60e80e33abfd04b9e3b1164679f11a8a23bd493e4b3f6b9841d70e553a01835eeaf6035b4d05e4fd7b54

  • C:\Users\Admin\AppData\Local\Temp\tmp1194.tmp

    Filesize

    1KB

    MD5

    1f8becf24d54efb46119f8cde865ce7e

    SHA1

    6fb7f99b560e8fa00ccb36addd548b2b6af4f8ca

    SHA256

    a068fb37f54e275d8df22116cf0d826d440cbd361b797d3c4887094b91e4ccd9

    SHA512

    6c02e1e918db262f386f04c7c5bd44651a7d75280d6c35f31a2241f9072366cae794ab109e9ffc698799e5dfef2b1a55cc6b67931be6cb6490900f1f9945d755

  • memory/1772-130-0x0000000000860000-0x00000000008F6000-memory.dmp

    Filesize

    600KB

  • memory/1772-131-0x0000000009DC0000-0x000000000A364000-memory.dmp

    Filesize

    5.6MB

  • memory/1772-132-0x00000000052E0000-0x0000000005372000-memory.dmp

    Filesize

    584KB

  • memory/1772-133-0x0000000005290000-0x000000000529A000-memory.dmp

    Filesize

    40KB

  • memory/1772-134-0x0000000008D40000-0x000000000926C000-memory.dmp

    Filesize

    5.2MB

  • memory/1772-135-0x0000000008C20000-0x0000000008CBC000-memory.dmp

    Filesize

    624KB

  • memory/4896-139-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/4896-141-0x00000000053A0000-0x0000000005406000-memory.dmp

    Filesize

    408KB