Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
22/02/2024, 13:05
General
-
Target
install.msi
-
Size
3.3MB
-
MD5
4e5903c4ff6d79dbad178815b377554d
-
SHA1
74f50126aebbd186d6defa3641113cdc88a37fa2
-
SHA256
d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
-
SHA512
9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
-
SSDEEP
98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg
Malware Config
Signatures
-
Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
MetaStealer payload 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 9 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding AE9EA3E9075E7C317B9D4BE4095426BF2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-505a002b-1dfc-4574-acd1-fb67546e41c3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbeebd46f8,0x7ffbeebd4708,0x7ffbeebd47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5128 /prefetch:65⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10905307840651035386,3053238962928789463,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MW-505a002b-1dfc-4574-acd1-fb67546e41c3\files\install.exe"C:\Users\Admin\AppData\Local\Temp\MW-505a002b-1dfc-4574-acd1-fb67546e41c3\files\install.exe" /VERYSILENT /VERYSILENT3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Microsoft\windows\systemtask.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59cafa4c8eee7ab605ab279aafd19cc14
SHA1e362e5d37d1a79e7b4a8642b068934e4571a55f1
SHA256d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166
SHA512eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6
-
Filesize
152B
MD53bde7b7b0c0c9c66bdd8e3f712bd71eb
SHA1266bd462e249f029df05311255a15c8f42719acc
SHA2562ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a
SHA5125fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818
-
Filesize
190B
MD5d5500b5aac90fd96526e8faa73d9388f
SHA1b5917249a627f8deae7e7922b9b8fd83de13b1eb
SHA2568a14eb94c762dd663a9ccc0526312bc49802af52b42e9f1530f47ec787c4d4dc
SHA512568105cd443ec3aeec1c333d4c1c66ee5027248361abe3f5a8c293a71ea5104cfea0a32d6776d137ebc78786c753c8f8c49de0de33ce31d8f0fc47b83c5eb58c
-
Filesize
6KB
MD5ff2e4d4e982d2ba1e93e5557babb987c
SHA1dcdb6b636c595da1ad7209ae2a3a4ea0bfe75d83
SHA2563070a1c7d5b9d751c950237293b40b8a9ec38cb417e4309f0e01a9eba47d7366
SHA5127cd17a07d951bd4a64db31925c01bfd0f41b900fd61779f9d0562006f25b5fbca09a01c21ed8934537218aaae29664bc4d729864fcc55408c8ddcb857524e794
-
Filesize
6KB
MD57c8772751797bade3019804865384828
SHA154f00d69fbcb17a8e735ac7d3efc3ce6b7d2a765
SHA256c4051e0002109dab467e311e8c6cfab488fa8eebd9c499b84f3b00991101f26d
SHA5123137238726a3a5b3b8e26ebf254caa15205e22c86306dcdd3c0b509c3e3a57b7fef0908050f583de89f0688ea0b444fb51aa377421a045a1c3eb6ec67fac3eda
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD50d4163e514043f021b5757fecdb67ede
SHA1e765bf0b648817ab03c916597ea5cd97b5122921
SHA256b163d51a39a4a24c114a479d824d9709e11fae50ea2d3eb1fc0cabf15582e450
SHA5128654153cf55ab4e4f2c13b05d0e84017c13a8066db2e9b23dbb1739830be53f5cebe8bfc1b7c03196251e6ea8c622057789da7dcdca2e2726be09a825e2db9e8
-
Filesize
11KB
MD51d156841ba631c5c358ed6fa68d87258
SHA1d9425a6e19e5efa3f07441c1b942282eef122b31
SHA25685253f6be7301ad0db531fa715ba73e33537377671b14437f34bfcc872cfbecb
SHA5123440b3681d9646c5babceaa512f60726e64e9ef34a744901a38e20dbf381112e5679daaacb866f34c1cb38a5bce488362e87ec3b57758cdcd1f686ea910d63c5
-
Filesize
12KB
MD5835f9e4a2bb9e760fff783ad8bdd3e01
SHA18376bba63d02c6354fa315690431328f8641f76d
SHA256b18b22264af41ece79b8d2a2ff03609b3762974c0daf5fd915d5085ffc46eae8
SHA512cdbcb0d8a3fcade6f794bc0684d9c18f88313591efa8cdd281379a74444fc93137ec5f7372fc0ad84c08a6ce1f9255a77eed5a4d295b5ff1e3b4afe33bc121f7
-
Filesize
3.1MB
MD5c5251b4a0300ac59b9c51b39b48960ef
SHA11a9f4710e07aff28c8961b8bb4d5a525ea385e42
SHA2564d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2
SHA512a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76
-
Filesize
640KB
MD5073803a4ecc6ed955e6d0466da438fde
SHA1f39a25e5b80dc594f683f9fbee9448474435cad9
SHA25603871fb09fb637a8e36c78345e69b060729f799f53c909704d10d979748a1147
SHA512fda40109888592992cc9004db30eb5383f7400e85651ccbe2325a70d20174c16190103af91254534f8e7cf17bae0475bdf03540dd6b72802bdd8eff1099405d3
-
Filesize
5.9MB
MD5263af1bc0f5003284071727edfee1750
SHA100adfabdb8fd37fe71347b259209b58921cd676e
SHA256e896e812ef4fc6162909589258a296038c5f3452d672ad8e5192cb599fd1e34c
SHA51244bc7f92b3613b7026621cbde17f3b87814c09cc3e87461a0f8172ef14b4b1654a5e21e3cc7af23e1611ccc2572c93ba7104ecdbd49a41964c45203554fec65c
-
Filesize
378B
MD57e4674a53bad05194c7a6b5cfd667f42
SHA1844ce909f670e2c9ad9cc931763fb193d00af079
SHA2561f694e59e3df89ac7ff084967624fe9bb8ef488a45e83f333d6362b4972d47a4
SHA5128136409e84d8c54b8ca919bff0a71fbfbe743f48ff157f222fdb364472184ba48ed00109cb5ed2ec92289ad37729484e3a0e2e02e38e1cc28b92bacfd536284b
-
Filesize
1KB
MD5a8d75fb20d5713a3244cd3afbe8d1e6d
SHA1e81563818846b106ce3714b4da4b8a7002fc9ded
SHA25637a88af3747703eaa40bb4f3c800408a57da2190bf90058832f74a437f88324c
SHA5120d7a6866cb7aa1f1f44b90374dd2781a3e6cc26a011289b8ee7dc3f5974258a0953e3ae0b1e8d19a2e1878ad70f8525ba34adf003145a1c3baeece3420b1098e
-
Filesize
1KB
MD559b6d8bea08ce4551a69d695f617eafa
SHA1daa4c12a452f5269b9d1ba83a4e365f3d097c87c
SHA256f0f4198a508afc3be2eece938274ff766399f5e9c3f00231267e65c05ed1ff36
SHA51215c29eabeb8d0354e1db25a8f6a0f2c6574c052ff7ab6bc41ab6fa160dd367b80dd364f9bf1e47d85c50be1f66e4dd671b678c2cb38b6b9deb2e64b69201a8ec
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
Filesize
4.8MB
MD509fbe3d4995221709e888f05b726cfb8
SHA11c8c489adda4b7aaa365f6e6438c3d63e1cc9e64
SHA2561d459f1ecb08ca0988f30ca90d3044da6b6663672ff1276e12f6402e832d0fc3
SHA512b5415335bf3812d7644574c0b9f8e06478f958a575195a0ab33e9d037ab61ee875ab78532ed35dcbf2d0e826a78ac1dccdde6829af7e1c91f25eb3d61c0e37e3
-
Filesize
6KB
MD5c130825a5bacb9a269d93d884c9a5867
SHA18a2864aab9ae0bbce55bf90a1ed7cf2ac33c2d79
SHA25626b69373a1efa458d873c6dcc82e10907b18d8353d246fa6f31fc203d8afb7d1
SHA5123b6e6fe20e8ec6b7201be545e8b4ecf32613d30ac8b5f36765bb73912167e077feaab810de98aa59f8fc14182646961d363ed0c65ea86ee9ae077b89dd12fa15
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
7.2MB
-
Filesize
488KB
-
Filesize
3.7MB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB