Analysis
-
max time kernel
119s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-10-2022 08:48
General
-
Target
MetaWorld/Meta World Launcher beta.exe
-
Size
714.9MB
-
MD5
96d65eabe7288c7590f44795a9822823
-
SHA1
080df69b94e4e7afcafd935c71098ba62aafad4d
-
SHA256
6cddbdcb02b77f840aa179df779d702c805fe48cf5b6425d062ade87450e705e
-
SHA512
b3b84c329a85f1ac9c70927bab5df924c1306ee6907ae483396c85705bf86211941b8d7423acc15a4f90cfeee69d5ae7a04504d4391e0225ba70f44318e84a40
-
SSDEEP
98304:MJmvB+wUnhopFNE8yCE+8t7PxBTylOqtKQCHb/i+E:gYin6pU8yCE+8FxBTH9QC7d
Score
6/10
Malware Config
Signatures
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MetaWorld\Meta World Launcher beta.exe"C:\Users\Admin\AppData\Local\Temp\MetaWorld\Meta World Launcher beta.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=5288842⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff814f346f8,0x7ff814f34708,0x7ff814f347183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4328 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,16019993880064529594,18085324450751587094,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:13⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f0 0x2cc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\MetaWorld\Meta World Launcher beta.exe"C:\Users\Admin\AppData\Local\Temp\MetaWorld\Meta World Launcher beta.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.logFilesize
2KB
MD5c895c67ab1eebc160551541ddc852d83
SHA1bbcb903655b859cb22e72e99f380ca896273edff
SHA25666db2106de25f4874dbce0c27e8e614f5a91451648b4b3b6108bb43ba21bed51
SHA5124da210842464d541cea259f4f8b827d1bcb5df0264ed44ff7f17e7001c29fadc99fde801aced78707216317adc92ec478773ea7ebc25525de065ab57fb2476f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD546333bd6df24a6e953590a53aee5deab
SHA142eabb52d803469a3c151c6b924c6b5034803b77
SHA25662255867d19b2a3828ac58c9b7f7b855b28085c1a627fbe60da7fc1cd045e88e
SHA512aedbae6aa6fbd91e0a81fcb1b724203cc043d6290ce3eef6ae8257f7a845c3cfc07cc82c2528b38348839a0020cedf1a372133e54e48eb73d46d42a3d52c7f8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD50da20a2551ba970fb4ee3811b6534090
SHA157c87f303f811da846ede577618af6c2975846fa
SHA2565d4e5f8db42f19aadcfbeb1019e1e5e5b2d78062c335a29b013d1b509f88c33f
SHA5125b77d62e0a51328ca4794a8c39b415cd020e7e1a8dadf468345c8597816bf8728b4a19b971fb6532e719f0d8005fed2b62e281e08f0857b93e65d2ce56da3249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
9KB
MD578ea3ae5418416ab7ec75a2fd95bffb7
SHA153a1749e288934a36169655ca30d3d994012221c
SHA256a11d7a4e489bfe648937e136e69f0affd46cefc826c56fec5e468a3b58cd0804
SHA51254cfb1591e25688e410aa73e4dc552b4de333344d3a3b044102063127784c7bacbf173e7b48bf6f7765fbb128e76648e85ed144f0e45c007b7bdf823288c0883
-
\??\pipe\LOCAL\crashpad_4612_MPIMQBSFHPHYHJUHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1204-152-0x0000000000000000-mapping.dmp
-
memory/1328-149-0x0000000000000000-mapping.dmp
-
memory/1980-132-0x0000000000360000-0x00000000009D5000-memory.dmpFilesize
6.5MB
-
memory/2208-157-0x0000000000000000-mapping.dmp
-
memory/3488-165-0x0000000000000000-mapping.dmp
-
memory/3760-155-0x0000000000000000-mapping.dmp
-
memory/3904-151-0x0000000000000000-mapping.dmp
-
memory/3944-161-0x0000000000000000-mapping.dmp
-
memory/4156-143-0x0000000005AE0000-0x0000000005B46000-memory.dmpFilesize
408KB
-
memory/4156-146-0x0000000006F80000-0x0000000006FF6000-memory.dmpFilesize
472KB
-
memory/4156-135-0x0000000000000000-mapping.dmp
-
memory/4156-136-0x0000000000400000-0x0000000000484000-memory.dmpFilesize
528KB
-
memory/4156-139-0x0000000005640000-0x0000000005652000-memory.dmpFilesize
72KB
-
memory/4156-142-0x00000000061B0000-0x0000000006242000-memory.dmpFilesize
584KB
-
memory/4156-141-0x0000000006760000-0x0000000006D04000-memory.dmpFilesize
5.6MB
-
memory/4156-140-0x00000000056A0000-0x00000000056DC000-memory.dmpFilesize
240KB
-
memory/4156-137-0x0000000005B90000-0x00000000061A8000-memory.dmpFilesize
6.1MB
-
memory/4156-147-0x0000000006F30000-0x0000000006F4E000-memory.dmpFilesize
120KB
-
memory/4156-145-0x0000000008380000-0x00000000088AC000-memory.dmpFilesize
5.2MB
-
memory/4156-138-0x0000000005700000-0x000000000580A000-memory.dmpFilesize
1.0MB
-
memory/4156-144-0x0000000007C80000-0x0000000007E42000-memory.dmpFilesize
1.8MB
-
memory/4160-170-0x0000000000360000-0x00000000009D5000-memory.dmpFilesize
6.5MB
-
memory/4168-163-0x0000000000000000-mapping.dmp
-
memory/4508-159-0x0000000000000000-mapping.dmp
-
memory/4612-148-0x0000000000000000-mapping.dmp
-
memory/4652-167-0x0000000000000000-mapping.dmp
-
memory/4668-169-0x0000000000000000-mapping.dmp
-
memory/4940-173-0x0000000000000000-mapping.dmp
-
memory/4940-177-0x0000000006AE0000-0x0000000006B30000-memory.dmpFilesize
320KB