Resubmissions
04-05-2022 07:23  220504-h7vw9adca7  score 10/10

max time kernel: 55s
max time network: 66s
platform: windows7_x64
resource: win7-20220414-en
submitted: 04-05-2022 07:23

Static task: static1

Behavioral task: behavioral1
  Sample: notice.exe
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: notice.exe
  Resource: win10v2004-20220414-en (windows10-2004_x64)
  0 signatures, 0 seconds
General
Target: notice.exe
Size: 350.0MB
MD5: e74116c5efc7492fa74334a39e22afe8
SHA1: 393e81a3d525e8b582355d855d2c367047e4e0b0
SHA256: f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d
SHA512: 64999f89597bed1857252b98ffd03fba27c9514af0fb430de3913a58e035d619823bcb45a4aa5ec89abdf807f89f9db57d3856e97885144992d03804d79a2352
Score: 10/10

Malware Config (Extracted)
Family: metastealer
C2: http://transfer.sh/get/qT523D/Wlniornez_Dablvtrq.bmp
Signatures

Meta Stealer (Stealer)
Meta Stealer, written in C++, steals passwords stored in browsers.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
pid   pid_target  Process       procid_target
1300  1992        WerFault.exe  26

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid   Process
1736  powershell.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description                        pid   Process
Token: SeDebugPrivilege            1736  powershell.exe
Token: SeDebugPrivilege            1992  notice.exe
Token: 33                          812   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  812   AUDIODG.EXE
Token: 33                          812   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  812   AUDIODG.EXE

Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid   Process     procid_target
PID 1992 wrote to memory of 1736  1992  notice.exe  27
PID 1992 wrote to memory of 1736  1992  notice.exe  27
PID 1992 wrote to memory of 1736  1992  notice.exe  27
PID 1992 wrote to memory of 1736  1992  notice.exe  27
PID 1992 wrote to memory of 1300  1992  notice.exe  32
PID 1992 wrote to memory of 1300  1992  notice.exe  32
PID 1992 wrote to memory of 1300  1992  notice.exe  32
PID 1992 wrote to memory of 1300  1992  notice.exe  32
Processes

C:\Users\Admin\AppData\Local\Temp\notice.exe  (PID 1992)
  Command line: "C:\Users\Admin\AppData\Local\Temp\notice.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1736)
  |     Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
  |     (the -enc argument is base64 of UTF-16LE text and decodes to: Start-Sleep -Seconds 20)
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\WerFault.exe  (PID 1300)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 1296
        - Program crash

C:\Windows\explorer.exe  (PID 528)
  Command line: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE  (PID 812)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x504
  - Suspicious use of AdjustPrivilegeToken