Analysis
-
max time kernel
137s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-04-2022 09:38
Static task
static1
Behavioral task
behavioral1
Sample
e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
Resource
win10v2004-20220414-en
General
-
Target
e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe
-
Size
573KB
-
MD5
c9531869cbdf03333c99368be877b7e2
-
SHA1
59209818bf3261ba17de8b561801abbd2892b4aa
-
SHA256
e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c
-
SHA512
88dbab0c4b8d6918b6c3c6295ad5119a19459ff44a83ad6f39431f6478d70754e5590cbce484abbcb62ac6ce62be75ed60033279e2b8de484963f8c8a0adbbcc
Malware Config
Signatures
-
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1772 set thread context of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2852 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe Token: SeDebugPrivilege 4896 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1772 wrote to memory of 2852 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 75 PID 1772 wrote to memory of 2852 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 75 PID 1772 wrote to memory of 2852 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 75 PID 1772 wrote to memory of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77 PID 1772 wrote to memory of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77 PID 1772 wrote to memory of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77 PID 1772 wrote to memory of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77 PID 1772 wrote to memory of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77 PID 1772 wrote to memory of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77 PID 1772 wrote to memory of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77 PID 1772 wrote to memory of 4896 1772 e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe 77
Processes
-
C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe"C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qHmmhgfjXRj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1194.tmp"2⤵
- Creates scheduled task(s)
PID:2852
-
-
C:\Users\Admin\AppData\Local\Temp\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e53abcad827ff899a596a03456d31144b26d9a4b6fc6241ce5aecf2b4841371c.exe.log
Filesize1KB
MD56f8f3a9a57cb30e686d3355e656031e0
SHA1acccd6befb1a2f40e662280bc5182e086a0d079b
SHA256283586e83b25099a5698cb9caf9c594a37060d11e0f55c81bb9c6d4f728448ea
SHA5128f11d645ff4f8d5b1c45b06eb52cd45319659255306d60e80e33abfd04b9e3b1164679f11a8a23bd493e4b3f6b9841d70e553a01835eeaf6035b4d05e4fd7b54
-
Filesize
1KB
MD51f8becf24d54efb46119f8cde865ce7e
SHA16fb7f99b560e8fa00ccb36addd548b2b6af4f8ca
SHA256a068fb37f54e275d8df22116cf0d826d440cbd361b797d3c4887094b91e4ccd9
SHA5126c02e1e918db262f386f04c7c5bd44651a7d75280d6c35f31a2241f9072366cae794ab109e9ffc698799e5dfef2b1a55cc6b67931be6cb6490900f1f9945d755