Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
23/02/2024, 13:10
General
-
Target
install.msi
-
Size
3.3MB
-
MD5
4e5903c4ff6d79dbad178815b377554d
-
SHA1
74f50126aebbd186d6defa3641113cdc88a37fa2
-
SHA256
d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
-
SHA512
9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
-
SSDEEP
98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg
Malware Config
Signatures
-
Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
MetaStealer payload 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 9 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7927437F68D5570765FDD44B7CB5594B2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b12bcd20-f938-4bce-9219-73be31aa1434\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x40,0x128,0x7ff86f0046f8,0x7ff86f004708,0x7ff86f0047185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4968 /prefetch:65⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5293075850599380821,17108613896248108613,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MW-b12bcd20-f938-4bce-9219-73be31aa1434\files\install.exe"C:\Users\Admin\AppData\Local\Temp\MW-b12bcd20-f938-4bce-9219-73be31aa1434\files\install.exe" /VERYSILENT /VERYSILENT3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Microsoft\windows\systemtask.exe"4⤵
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59cafa4c8eee7ab605ab279aafd19cc14
SHA1e362e5d37d1a79e7b4a8642b068934e4571a55f1
SHA256d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166
SHA512eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6
-
Filesize
152B
MD53bde7b7b0c0c9c66bdd8e3f712bd71eb
SHA1266bd462e249f029df05311255a15c8f42719acc
SHA2562ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a
SHA5125fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
190B
MD54bdc10b23e653edddd4b5f8977a4af9a
SHA1c8cde51ecda407cb600cde729f18fa6814d06d73
SHA25635a675f623cc8ecd983531961709c16654f4ed6233b38163d815f856771230d1
SHA512c1c1ab3dc2c48b39fddc861590b7b4534ec5de2dd4d498e5b941cd1e98cbc93e23489e7f5bcafbed66803ec905cbb084ba306f1086cb36b9e9600be75d48d2eb
-
Filesize
6KB
MD54eafeaea65e6db07ab89ddb800183aa0
SHA16bb2200b4cc7a6c0471a6514854cbadc785fb06c
SHA256cd5934630bc31ef62d0fe94925ff157636c8cc3869f993e004838b9b4916cca1
SHA5120377e8a70a771020d144552e543897177055353ed3cf2b4badc7310c6e506b94b5f982d4938f8fc48e7e8fd1eb537fa686c956d705c1dd37695decf936fbbcbb
-
Filesize
6KB
MD59fd2cf9810132f78d76168ac5379b193
SHA169aa020198d6f7d42e5f177ae78d12b15acde9b8
SHA2566df2b815a9c9dde28e440068cc500f1155c46ab6cdfac8b212713929c1db6dbc
SHA512cd60f3ee92d53a5a705b73f9997ebdd922cfc88e68bb620562af7d9669f7daa955873876f21fae6e696665cd54af83657c1f709c6d2debc3da5a9e36a6aaadda
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD532bb59b927650c3cc34f1c132b9753e2
SHA1dccadd5ab229099bcc643ae1a3d2eac511a215be
SHA2563fb7f71f14d8bc46768dc3309670f202b67403c4f903b66fcaa90115ce17a228
SHA51229162d33a6ccbcac61651978c297cd47173dad238d62072640b783b9775303e50917bfd72df8865e5d81974619437b31a38404c3129b515f4aa5b880d444e698
-
Filesize
11KB
MD57789fd8f96d960a39e85d5bcb59e1f67
SHA1921bd8c481f38c239979aee8fb21b6591991b4bc
SHA256bc57aa3b0d3d3450b39d4c43350eaa354bc86917941e8d93fcd6619968224809
SHA512bc9c24649a3c34f2004f0822dcab31a6cfdc23a23026c247a53c8dc33c0a1e2cb63d771e45d570d55ec1c4947bbaa6ace8418f2117d043cb2de3c286d170d6b3
-
Filesize
3.1MB
MD5c5251b4a0300ac59b9c51b39b48960ef
SHA11a9f4710e07aff28c8961b8bb4d5a525ea385e42
SHA2564d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2
SHA512a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76
-
Filesize
8.7MB
MD565d5b54eb85c5b95fac5b24ee68a8c09
SHA13269e5e4dc8d7c438b2e00f072253a4532ab1686
SHA256f3efa4e676e412c4122b12b7bdc5d9c24efc1d578bd7d692082ac2e3015f5579
SHA5121e003903a314d9e55b45826c0f2d2c9c678000125301b5718cbf521d92b1924b68efc71a5b66f88a4c42a3af72cee51cca66f003f06f3957ec883e00b96443d1
-
Filesize
4.8MB
MD52f0ce845e7694f6a465e31f57cf8bd94
SHA10347d303097f72393dde6953a95ee031749e46f6
SHA25605b51e1475c1de98e413edcc4d19cf8677e84bd67301c0a29efa8778adc56bf8
SHA5121ef2b2c4a4e5761952c6ca5105a40a782f8c1d925fc45665e4b3eb4839a8ad462e7615d64001f97abf0a0ec356c2ab08b6da376b36f53be05a8dc23661cfc2f5
-
Filesize
1KB
MD5acb6fae7a50cc09367dfff525a525141
SHA1b2110a99b4668e1ee91089dbc2c54f016ef93a44
SHA256642a9694fcf100db080f75542451c782a8257c02ba2ab73db5682f5440cbe630
SHA512717b27ec7364e0544d0d344a67e4f98f964ff34023035bdf1ec5d2aabd7dd3e34eeac7352b1f4c88c00c040d53bf59d1e2faca0c4a8340aa06b7aa63d361ab13
-
Filesize
1KB
MD5135942db7f9fa2db4151abe134687863
SHA16a6292c8cdd62f166f1fb4c434e5ab325c611280
SHA25628577c53f96b7bd8124aa274d877182e0033f90056bfe8cbdbe7b5c83edfebb6
SHA5128def1a3f4f8ff861d7c53592ad511f365d68954770481a14d94481852c14b86e9d8e7c3942495a214fe4a1baba2b12df25c9cb360a4f902326d5b349f04c8ae0
-
Filesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
Filesize
4.8MB
MD5137a640a58e976a4be62afb4a5fceec9
SHA1c10a522f25d89e702c94f8f5f28f952a95b63eeb
SHA256ffff8effe993d8745877a4fd419f1c39e79c3ff30ebd5a8d63e1a59f2fb6e43c
SHA512ccc54c97cfe42b956e9c3be1e14b82cfd04bc46a3001be100c8a9c72b25022d5c3c6f64a892d5e6df04b1db56aff7ebd3bc5f3b53a137eef883809475228108e
-
Filesize
6KB
MD55ed717aaa170e207029e7aa4a9c53351
SHA1a95279b10f21d383b56b1fa925bbd9f198a067d0
SHA2561850690a08da71d611b63d77b5f3c01e677b6b6db11068c92501c3fdc9910d75
SHA51299408cc737cfb99951fede10ebf16d189b27af86b4cea56163fe76b58d81ebcfc66c91e49f20dd415a8e416104be6bb68ba2f274fb374d38fed95ca1b2eeeda5
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
3.7MB
-
Filesize
488KB
-
Filesize
7.2MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
216KB