metastealer | d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

install.msi
Size

3.3MB
MD5

4e5903c4ff6d79dbad178815b377554d
SHA1

74f50126aebbd186d6defa3641113cdc88a37fa2
SHA256

d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
SHA512

9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
SSDEEP

98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg

Score

10^/10

metastealer discovery spyware stealer

Malware Config

Signatures

Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

MetaStealer payload 1 IoCs

resource	yara_rule
behavioral2/memory/2276-192-0x0000000010000000-0x0000000010731000-memory.dmp	family_metastealer

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3400	ICACLS.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI60FC.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\e576060.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e576060.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0EE48DF4-66A0-4D55-A54B-0602B9F3BDE1}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE

Executes dropped EXE 1 IoCs

pid	Process
2276	install.exe

Loads dropped DLL 1 IoCs

pid	Process
4132	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000008713e697204af040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000008713e690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090008713e69000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d08713e69000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000008713e6900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5880	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3824	msiexec.exe
3824	msiexec.exe
4616	msedge.exe
4616	msedge.exe
4344	msedge.exe
4344	msedge.exe
3788	identity_helper.exe
3788	identity_helper.exe
4216	powershell.exe
4216	powershell.exe
4216	powershell.exe
2276	install.exe
2276	install.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3876	msiexec.exe
Token: SeSecurityPrivilege	3824	msiexec.exe
Token: SeCreateTokenPrivilege	3876	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3876	msiexec.exe
Token: SeLockMemoryPrivilege	3876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3876	msiexec.exe
Token: SeMachineAccountPrivilege	3876	msiexec.exe
Token: SeTcbPrivilege	3876	msiexec.exe
Token: SeSecurityPrivilege	3876	msiexec.exe
Token: SeTakeOwnershipPrivilege	3876	msiexec.exe
Token: SeLoadDriverPrivilege	3876	msiexec.exe
Token: SeSystemProfilePrivilege	3876	msiexec.exe
Token: SeSystemtimePrivilege	3876	msiexec.exe
Token: SeProfSingleProcessPrivilege	3876	msiexec.exe
Token: SeIncBasePriorityPrivilege	3876	msiexec.exe
Token: SeCreatePagefilePrivilege	3876	msiexec.exe
Token: SeCreatePermanentPrivilege	3876	msiexec.exe
Token: SeBackupPrivilege	3876	msiexec.exe
Token: SeRestorePrivilege	3876	msiexec.exe
Token: SeShutdownPrivilege	3876	msiexec.exe
Token: SeDebugPrivilege	3876	msiexec.exe
Token: SeAuditPrivilege	3876	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3876	msiexec.exe
Token: SeChangeNotifyPrivilege	3876	msiexec.exe
Token: SeRemoteShutdownPrivilege	3876	msiexec.exe
Token: SeUndockPrivilege	3876	msiexec.exe
Token: SeSyncAgentPrivilege	3876	msiexec.exe
Token: SeEnableDelegationPrivilege	3876	msiexec.exe
Token: SeManageVolumePrivilege	3876	msiexec.exe
Token: SeImpersonatePrivilege	3876	msiexec.exe
Token: SeCreateGlobalPrivilege	3876	msiexec.exe
Token: SeBackupPrivilege	4716	vssvc.exe
Token: SeRestorePrivilege	4716	vssvc.exe
Token: SeAuditPrivilege	4716	vssvc.exe
Token: SeBackupPrivilege	3824	msiexec.exe
Token: SeRestorePrivilege	3824	msiexec.exe
Token: SeRestorePrivilege	3824	msiexec.exe
Token: SeTakeOwnershipPrivilege	3824	msiexec.exe
Token: SeRestorePrivilege	3824	msiexec.exe
Token: SeTakeOwnershipPrivilege	3824	msiexec.exe
Token: SeBackupPrivilege	4216	srtasks.exe
Token: SeRestorePrivilege	4216	srtasks.exe
Token: SeSecurityPrivilege	4216	srtasks.exe
Token: SeTakeOwnershipPrivilege	4216	srtasks.exe
Token: SeBackupPrivilege	4216	srtasks.exe
Token: SeRestorePrivilege	4216	srtasks.exe
Token: SeSecurityPrivilege	4216	srtasks.exe
Token: SeTakeOwnershipPrivilege	4216	srtasks.exe
Token: SeDebugPrivilege	4216	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3876	msiexec.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe
4344	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 4216	3824	msiexec.exe	97
PID 3824 wrote to memory of 4216	3824	msiexec.exe	97
PID 3824 wrote to memory of 4132	3824	msiexec.exe	99
PID 3824 wrote to memory of 4132	3824	msiexec.exe	99
PID 3824 wrote to memory of 4132	3824	msiexec.exe	99
PID 4132 wrote to memory of 3400	4132	MsiExec.exe	101
PID 4132 wrote to memory of 3400	4132	MsiExec.exe	101
PID 4132 wrote to memory of 3400	4132	MsiExec.exe	101
PID 4132 wrote to memory of 2624	4132	MsiExec.exe	104
PID 4132 wrote to memory of 2624	4132	MsiExec.exe	104
PID 4132 wrote to memory of 2624	4132	MsiExec.exe	104
PID 4132 wrote to memory of 1476	4132	MsiExec.exe	105
PID 4132 wrote to memory of 1476	4132	MsiExec.exe	105
PID 4132 wrote to memory of 1476	4132	MsiExec.exe	105
PID 1476 wrote to memory of 4344	1476	cmd.exe	107
PID 1476 wrote to memory of 4344	1476	cmd.exe	107
PID 4344 wrote to memory of 4484	4344	msedge.exe	108
PID 4344 wrote to memory of 4484	4344	msedge.exe	108
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 1336	4344	msedge.exe	111
PID 4344 wrote to memory of 4616	4344	msedge.exe	110
PID 4344 wrote to memory of 4616	4344	msedge.exe	110
PID 4344 wrote to memory of 3016	4344	msedge.exe	112
PID 4344 wrote to memory of 3016	4344	msedge.exe	112
PID 4344 wrote to memory of 3016	4344	msedge.exe	112
PID 4344 wrote to memory of 3016	4344	msedge.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3876

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4216
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2705BCB489776021A86B17C376311144
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4132
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5149becb-6c87-400a-a1f8-01ed4e2417e8\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3400
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbae7d46f8,0x7ffbae7d4708,0x7ffbae7d4718
        5⤵
        
        PID:4484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        5⤵
        
        PID:1336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
        5⤵
        
        PID:3016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:3528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:3664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
        5⤵
        
        PID:1632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5164 /prefetch:6
        5⤵
        
        PID:744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
        5⤵
        
        PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
        5⤵
        
        PID:1420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        5⤵
        
        PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
        5⤵
        
        PID:5292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
        5⤵
        
        PID:5284
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,15673178166013795909,12529603536019021429,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3596
- - C:\Users\Admin\AppData\Local\Temp\MW-5149becb-6c87-400a-a1f8-01ed4e2417e8\files\install.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-5149becb-6c87-400a-a1f8-01ed4e2417e8\files\install.exe" /VERYSILENT /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Microsoft\windows\systemtask.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ee1c6757da82ca0a9ae699227f619bc

SHA1
72dcf8262c6400dcbb5228afcb36795ae1b8001f

SHA256
62320bde5e037d4ac1aa0f5ff0314b661f13bb56c02432814bffb0bd6e34ed31

SHA512
dca56a99b7463eddf0af3656a4f7d0177a43116f401a6de9f56e5c40a49676cea5c38b6c458f426c6bff11165eec21104cfa9ca3e38af39d43188b36d3f22a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d62cefeb0c8fbab806b3b96c7b215c16

SHA1
dc36684019f7ac8a632f5401cc3bedd482526ed7

SHA256
752b0793cf152e9ea51b8a2dc1d7e622c1c1009677d8f29e8b88d3aa9427dd01

SHA512
9fc3968fec094be5ca10a0d927cb829f7f8157425946ebd99a346b7e63c977cb3f37560af1a4bc8f87ab19b43b3ed86fd5b37f89d1a9b2dc86e3c73142c3065b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
190B

MD5
4bdc10b23e653edddd4b5f8977a4af9a

SHA1
c8cde51ecda407cb600cde729f18fa6814d06d73

SHA256
35a675f623cc8ecd983531961709c16654f4ed6233b38163d815f856771230d1

SHA512
c1c1ab3dc2c48b39fddc861590b7b4534ec5de2dd4d498e5b941cd1e98cbc93e23489e7f5bcafbed66803ec905cbb084ba306f1086cb36b9e9600be75d48d2eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3bd444b0b2364cf92b7ca83e1a2aed3

SHA1
784633d106ef366a1dc156166a9d50cfb8ac97ac

SHA256
ddf135b8c64850532e7df4a5d765f0abd8f4b24c9cfb23e23cc6e78e3bfef8ef

SHA512
1f0a4bdaa6d4128bf6a08ca624b780b0789267257a94bda0c1b957a00d575fc895df677392df8159f4d8f1c24c47348fdad63759c9a560eececa543e06b799e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cdafc3ae898ccb51dd9a1b79d2d4a501

SHA1
e45083a6e511bb31561ba7b74add4206fd54befe

SHA256
f7bd175b9b10d4dca1a90249a619a4c87d480c7229e321f27318b0d114c27735

SHA512
dbfdaa250426aa4be0c6ff6c12b92460478f48f4459b89512434d15ca0153a8d8d751569021b25fe9d0e5390bea933e06e639a8fc8835a6a7f0b5aab8a335e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a83b25630db859a260b0e7168c439934

SHA1
32a2f71a85e3fb36ade06356394760065cf26260

SHA256
1af2724c277842b71047ca751d4dfd2fbd76f6a7625e59171c4af66fdaded150

SHA512
4f07fed205e3df6c224898c8ccd86835b058c157e41b8934121ab93b5ccd764e79f01ca03b30412c27fb0348550ef33dd5ff3aa531ab595fbd1310c1c0f3233c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
28c23c9c5ddf3d6980cab8314682c99f

SHA1
eff4413cc2db967f159b44f3801691271f2bb7d0

SHA256
14ecc0bcefeba691495a99e6d6ebf52841955908a5351c4a37eed8c143baa7f6

SHA512
d6971777c12b15b7171a5c5ba88cf8c80025ff6e6c65d340879a910fe1b8501315d4e570e422cd36ae5fe725143cd88cedcba165fd7fec2b42bd3645bfbcc5fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5149becb-6c87-400a-a1f8-01ed4e2417e8\files.cab

Filesize
3.1MB

MD5
c5251b4a0300ac59b9c51b39b48960ef

SHA1
1a9f4710e07aff28c8961b8bb4d5a525ea385e42

SHA256
4d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2

SHA512
a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5149becb-6c87-400a-a1f8-01ed4e2417e8\files\install.exe

Filesize
20.5MB

MD5
d6a37e8bbdc35f4bc999fb1a54d71315

SHA1
8df869074d1aa2f206a7c0189b388f66fb467e46

SHA256
a2d9d522eb7b7a3765b0dc652a21799213eefc5cf7cedca337034e08e2553365

SHA512
77bbf136167bf27d9d146930b0050c67864e30413a3b9452b5589293a49d61b141ec03a8481796d3f7f692e332c8285d045d29980eb61a5ffcbbdb9788bf38cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5149becb-6c87-400a-a1f8-01ed4e2417e8\files\install.exe

Filesize
5.6MB

MD5
86d848efc5a1b56bdb0f0116deeea4df

SHA1
f278d81252aa54bf87bd2fabe6dc13a1549d1de7

SHA256
bebb550e6dacb7651617e23ab16a0485025280b1fd3b73a27581077cc8259057

SHA512
7591d5e0a2dc90a476f89a2d8a81a49fb0c78ed8be940d740099f90609ebcad15b7b4abff55505e38dcb9a84b8002f9448d21c5a90e2b053325c538491996445

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5149becb-6c87-400a-a1f8-01ed4e2417e8\msiwrapper.ini

Filesize
1KB

MD5
f2654391ea3a5a2dad632837a6b9998a

SHA1
89be2b1eb62e671fd066ac3ae16b6843a44ef7fb

SHA256
6a4f6734db6229c007fc4dc42a9a1a810c60317d1da1d3bbdfd690ffb085e892

SHA512
1f5ab58a803b0c21ec1af166f2fcced9883b05c71935a5efd04f4b027484974ad56b229fcd98d427f453ba9ca7623ad4adac237affe8829686b3a6dfbd0b35ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tg53selr.avw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\MSI60FC.tmp

Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
16.3MB

MD5
a5ba75a67b7ffaf9df020b05dd5a12ae

SHA1
4d3135c8c5e64e2430c505055bff1414ef6848c0

SHA256
c4fc8a04a266d3f1423a58d5d4afcd8dfbe212160f3a1e57aaec2e9889d32d09

SHA512
9f89de746954014b8214b7f842ceae433e01a220b16892d36ebf7580b1445431460c2ff43d13a0d29636caae71bd01d115deb9092364b83a53b7c2c0cf9731fc

Download Submit
\??\Volume{693e7108-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9b03c5de-4b93-4024-a0d0-f75e10000b09}_OnDiskSnapshotProp

Filesize
6KB

MD5
630dc995dfcee199adc5b6529ffa5464

SHA1
c075e882462bd76c1931420c3815d3dd90c1d6fd

SHA256
40f8ccb67780b5ade5575cb5af9d03e3facf5f147795447414ed2b2032b31411

SHA512
aefb29c7e75d6d51232f6c403e4bdfcd9f8dd9eecc164eed52421b48d6181be849665c6e8e96e29ff77e88541563ac2d24b3a03f8093328c0a13327805199a6f

Download Submit
memory/2276-111-0x0000000000400000-0x00000000007B7000-memory.dmp

Filesize
3.7MB

Download
memory/2276-137-0x0000000000A10000-0x0000000000A8A000-memory.dmp

Filesize
488KB

Download
memory/2276-138-0x0000000000A10000-0x0000000000A8A000-memory.dmp

Filesize
488KB

Download
memory/2276-157-0x0000000000A10000-0x0000000000A8A000-memory.dmp

Filesize
488KB

Download
memory/2276-192-0x0000000010000000-0x0000000010731000-memory.dmp

Filesize
7.2MB

Download
memory/4216-200-0x0000000004C10000-0x0000000005238000-memory.dmp

Filesize
6.2MB

Download
memory/4216-230-0x0000000004550000-0x0000000004560000-memory.dmp

Filesize
64KB

Download
memory/4216-201-0x0000000004B50000-0x0000000004B72000-memory.dmp

Filesize
136KB

Download
memory/4216-202-0x00000000052B0000-0x0000000005316000-memory.dmp

Filesize
408KB

Download
memory/4216-208-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/4216-198-0x0000000072500000-0x0000000072CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4216-213-0x0000000005640000-0x0000000005994000-memory.dmp

Filesize
3.3MB

Download
memory/4216-214-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/4216-215-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/4216-217-0x000000007FAA0000-0x000000007FAB0000-memory.dmp

Filesize
64KB

Download
memory/4216-218-0x0000000006CB0000-0x0000000006CE2000-memory.dmp

Filesize
200KB

Download
memory/4216-219-0x000000006EDF0000-0x000000006EE3C000-memory.dmp

Filesize
304KB

Download
memory/4216-229-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/4216-199-0x0000000004550000-0x0000000004560000-memory.dmp

Filesize
64KB

Download
memory/4216-231-0x0000000006CF0000-0x0000000006D93000-memory.dmp

Filesize
652KB

Download
memory/4216-233-0x0000000006E30000-0x0000000006E4A000-memory.dmp

Filesize
104KB

Download
memory/4216-232-0x0000000007470000-0x0000000007AEA000-memory.dmp

Filesize
6.5MB

Download
memory/4216-234-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/4216-235-0x00000000070C0000-0x0000000007156000-memory.dmp

Filesize
600KB

Download
memory/4216-236-0x0000000007030000-0x0000000007041000-memory.dmp

Filesize
68KB

Download
memory/4216-237-0x0000000007060000-0x000000000706E000-memory.dmp

Filesize
56KB

Download
memory/4216-238-0x0000000007070000-0x0000000007084000-memory.dmp

Filesize
80KB

Download
memory/4216-239-0x0000000007180000-0x000000000719A000-memory.dmp

Filesize
104KB

Download
memory/4216-240-0x00000000070B0000-0x00000000070B8000-memory.dmp

Filesize
32KB

Download
memory/4216-243-0x0000000072500000-0x0000000072CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4216-197-0x00000000045A0000-0x00000000045D6000-memory.dmp

Filesize
216KB

Download