Analysis
-
max time kernel
150s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
22-02-2024 12:48
General
-
Target
install.msi
-
Size
3.3MB
-
MD5
4e5903c4ff6d79dbad178815b377554d
-
SHA1
74f50126aebbd186d6defa3641113cdc88a37fa2
-
SHA256
d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
-
SHA512
9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
-
SSDEEP
98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg
Malware Config
Signatures
-
Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
MetaStealer payload 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 9 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FEFC821C6646F9A6133A7B8C166FFE892⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-17d94ee4-4f54-494d-9872-8e07c1e84393\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffe6c046f8,0x7fffe6c04708,0x7fffe6c047185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5096 /prefetch:65⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15154708564389696871,18046201757685040581,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2920 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MW-17d94ee4-4f54-494d-9872-8e07c1e84393\files\install.exe"C:\Users\Admin\AppData\Local\Temp\MW-17d94ee4-4f54-494d-9872-8e07c1e84393\files\install.exe" /VERYSILENT /VERYSILENT3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Microsoft\windows\systemtask.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f5b0bf4edca2187f7715ddd49777a1b2
SHA1eb78099013d0894a11c48d496f48973585f0c7c0
SHA256562016f9159ef363fcbe62ed13ee26052b31d4f67dc5ea6d60864a7d5dfa50a1
SHA5121039b98cffd32ca4c9e37486b96e01b167d76b19dd8440a21da4932d677c463f4c5ce2260239e8337f59bd61ff3111905e23ab71d3ca5b20e7d2935fea7952c9
-
Filesize
152B
MD5f4db60c9bb06ea5452df26771fa873ac
SHA1c118183a1315a285606f81da05fc19367a2cdfe1
SHA256f168242e74bfde18bacb9e18945a39bb447188eba916c7adf0f342ed8d82281e
SHA512180ed98f9d5a14a22687a099c4a0ba6b586610f7b8b4c8de89f3b91713b07a2ef3726fcd318cb4e270b1745213b898037d29cca4b490d0c91833b797d69ac406
-
Filesize
190B
MD5d5500b5aac90fd96526e8faa73d9388f
SHA1b5917249a627f8deae7e7922b9b8fd83de13b1eb
SHA2568a14eb94c762dd663a9ccc0526312bc49802af52b42e9f1530f47ec787c4d4dc
SHA512568105cd443ec3aeec1c333d4c1c66ee5027248361abe3f5a8c293a71ea5104cfea0a32d6776d137ebc78786c753c8f8c49de0de33ce31d8f0fc47b83c5eb58c
-
Filesize
6KB
MD5bbabcb7f6f9e93e177f52e9d16024bc2
SHA15724ff601abeefe016a954c75d8ad102ca2c8e56
SHA256784c44c0c8aeef695bcfd83fde2791f71c24cedfd0ffad3a7002c0767a40875d
SHA51298bf4d01d9da928684e192459cf554e08ab99b07555bc9e4d20bdd1f998a83cba71429bdf1cfb42bd581ee55cbf9bd32dca93d4868eccc13f521166d094a1763
-
Filesize
6KB
MD549c1dddeb2fc6b5717b59ec08f8b42ea
SHA14d13662f4a763394c71a0a7061696a21b0706289
SHA25627aefff77642cecf512b790fc6cf38852683787276fd2a6cc456708c89051034
SHA5126925204d2584997045f81ce6cccd631411c6b673157601be89e1bf4fac0db3e18569f0bb29c97d657db363fd848320ddbbe744a3cddb744ad8775a65fe528558
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD575e33d050228231ac193aa4f2b0d4bd8
SHA1f7a594261d9b994687eb82b5f32d24ba4c9e1e3c
SHA25603d887233570a3d8047a7079eeccfd1859853f634dcf174facca87cb888b63b9
SHA51231eba1d76d24d133486dc9b9286b9539c66e5982a49851fe8781f0bc6984565602be082de53361a1089c6f2ec48422338b14150300618c94ab7160ed2b3277ed
-
Filesize
12KB
MD5e65145489c2085244d56417933652f4e
SHA11800e322b54226a0bcbd23fb005bb41c95452d70
SHA25627b20c291f0bf54988d30339cfb93fa26cee44b40a3e0bbc52f93ada7d291f1d
SHA5128def7a90c6881a8a2e04949f6a7172238ceb14be0319af7b47c8e518e3b739d8185205ab60c14b383dbc303626ccb736217656075bcf03d6f9457462be9c1ab2
-
Filesize
11KB
MD566f180c453ae30a5aee5ab5af08929b1
SHA1165c65032ce32da75cc36cd189922a3025344184
SHA256a817dfd7b84715b5ecd7cb2be83c5c2cfc4430a231c0073ac747333679c8208a
SHA5128190d65465e9eb242ab362eee53b7c771a2afdd4351066bd76ac18bb4ddd810a15228a1aba174681fac2a5f000f7376f599c216f0f5b17eba425e633850c6853
-
Filesize
1.5MB
MD57f535f122be29f78c93db0b371176415
SHA120d49fad3d7155ab30df757c566dc83673bba186
SHA256a2bfab4eedc0284a111ad069195034a0b2733351bc38c466c4c4ca5b0b243685
SHA5120f83364295ee8267f26c20f064df3e638927a62418d2a1f39fd0fd98787333171f7b2ce91cfeefe7517fc0bfe675f14788e410bdd6e4525ea72dd0af05468b44
-
Filesize
17.4MB
MD5930b292d0be0195909fff9d994ff9a24
SHA1c5d6d018d19681e45ad9360df6f57776636bc575
SHA2562761aa8ceababb7e4956e9459e6f51758227dd7d334c5d28147e54f99841f1e1
SHA512c77cff6e250c0fd3356cf229264e3823f873fc8be05a57cea6dc3e87883856afa015c9f243fafcd12c4366d790f6bc4385df0c1532d585c7a6bf9cbe610b54db
-
Filesize
4.1MB
MD5deeaa0d12475d64be9e7a2815a2e0b7c
SHA16c4970b81d6114df83dc3842c602b6de0e8de847
SHA2560bb62899e1c098cd87f198d994d6d2cabcea93ca3145399f3194158cc7b6cbd5
SHA5129a5658e38850241070cbf31106f235428c2ad1e77d7472048cc0544e0316e0c8e4be6de2726432d93275ffb783317d5713d611f98b4d078f0a3b732528e2a7a2
-
Filesize
336B
MD5bf445f051cd626e6c1fc8c5cad4fc13f
SHA1f37077939b8f27da0b381f96a627fd2cba89c719
SHA2563adf1e3c9e3f4ed46bea6f0f8db183400732026d9418018fe4bc1869ad9763b6
SHA51260ab7bd88e6958cc956482293334f3bd8934fb116ce482592bda84a595327e65a916ab3826e758e440920b47b5f6a58ab3387a6ed22d5bd2e46ae9fff86fdbd6
-
Filesize
1KB
MD5897b34ee44908720efb1d6d773618601
SHA1775597f2e6217f714152f18c5c6cae196c618d12
SHA256dad8d2e429a3b1508d78a11cb8abf537ae92892855d3fa3da7393db5d1f7ac19
SHA51209827dafe07082a7f66a9460bdad6709f39927b4ae025b4a55c5452445f341b8e17c9055712f0f817b444246b74106005dd7b9c7b4d4a8d80722b67bc1577f52
-
Filesize
1KB
MD5b2920ff7040d62782630740131cd4356
SHA1114df8e0ea2dd5f487e5ed2dbc369ac714a9719c
SHA256977103ef0f0d25fc51b79790856d1273c17912f05c8a0b8bc26f6f3e46351c54
SHA51217081b3cb022f749d7388f303e7581a0213698f6bb547e6d1bba1de5456da48dc022d6f9f5fdff3612d65c19a62f695919c1139bc07329bd48e8644fbf2df81e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
7.2MB
-
Filesize
3.7MB