Analysis
max time kernel: 169s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 15-04-2022 12:54
Static task: static1
Behavioral task: behavioral1
  Sample: eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe
  Resource: win10v2004-20220414-en
General
Target: eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe
Size: 557KB
MD5: a9c69fa0b7a1a2a72928c83bf48cea3e
SHA1: 7cf88e28f6a0e12953a89aba86cc1dea8794f27e
SHA256: eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0
SHA512: de5e3403104d78951505c03e51c6ae7526612a844ebc4e989d4faf8bf8138fa9f3afcc39d80ac1d224dd1f95dfcd215cb12407273e90dc409e48908417513e5b
Malware Config
Signatures
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: msconfigs.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid 1792, process msconfigs.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid 2936, process eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (pid 2936, process eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe)
  Token: SeDebugPrivilege (pid 1792, process msconfigs.exe)

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2936 wrote to memory of 1580 (pid 2936, process eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe, procid_target 80)
  PID 2936 wrote to memory of 1580 (pid 2936, process eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe, procid_target 80)
  PID 2936 wrote to memory of 1580 (pid 2936, process eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe, procid_target 80)
  PID 1580 wrote to memory of 1792 (pid 1580, process cmd.exe, procid_target 82)
  PID 1580 wrote to memory of 1792 (pid 1580, process cmd.exe, procid_target 82)
  PID 1580 wrote to memory of 1792 (pid 1580, process cmd.exe, procid_target 82)
  PID 1792 wrote to memory of 2140 (pid 1792, process msconfigs.exe, procid_target 84)
  PID 1792 wrote to memory of 2140 (pid 1792, process msconfigs.exe, procid_target 84)
  PID 1792 wrote to memory of 2140 (pid 1792, process msconfigs.exe, procid_target 84)
Processes
C:\Users\Admin\AppData\Local\Temp\eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eef638c058f44481d29fb8b763af94001c632cea7b8b801218de99b8a0750ed0.exe"
  PID: 2936
  - Checks computer location settings
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\Temp\msconfigs.exe"
    PID: 1580
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\msconfigs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\msconfigs.exe"
      PID: 1792
      - Checks computer location settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\msconfigs.exe" "C:\Users\Admin\AppData\Roaming\msfonts.exe"
        PID: 2140