Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
24-02-2024 13:13
General
-
Target
install.msi
-
Size
3.3MB
-
MD5
4e5903c4ff6d79dbad178815b377554d
-
SHA1
74f50126aebbd186d6defa3641113cdc88a37fa2
-
SHA256
d67bc5bfd6512b944e1c5e3e7d6871771c84d9eb94c863d123c5e92c6a86dc46
-
SHA512
9a513449963c860e9be50c05a79beeea554fc6bc9748b260340711d8cb705cb022f53f10cfdc35ce1ad8d97644df57a9aae959b6dbb96c15b85d8ecaf62031a8
-
SSDEEP
98304:5pKIwis1N1AaewONvZOIUFz+PlROVt1OTLmUsg:6IHmnqvZlUFz8RtyPg
Malware Config
Signatures
-
Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
MetaStealer payload 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 9 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 50 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\install.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3E86327DBEBC545221901C82246C18532⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-bcf7a0bc-50d2-4d77-9516-ba6a1a898ed5\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start msedge https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.concurtraining.com/customers/tech_pubs/Docs/_Current/UG_Inv/Inv_UG_Invoice_Pay.pdf4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffa55bc46f8,0x7ffa55bc4708,0x7ffa55bc47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5180 /prefetch:65⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,13191984325375496774,17591994414451939685,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:15⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\MW-bcf7a0bc-50d2-4d77-9516-ba6a1a898ed5\files\install.exe"C:\Users\Admin\AppData\Local\Temp\MW-bcf7a0bc-50d2-4d77-9516-ba6a1a898ed5\files\install.exe" /VERYSILENT /VERYSILENT3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "%LOCALAPPDATA%\Microsoft\windows\systemtask.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53782686f747f4a85739b170a3898b645
SHA181ae1c4fd3d1fddb50b3773e66439367788c219c
SHA25667ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13
SHA51254eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5
-
Filesize
152B
MD558670ac03d80eb4bd1cec7ac5672d2e8
SHA1276295d2f9e58fb0b8ef03bd9567227fb94e03f7
SHA25676e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8
SHA51299fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
190B
MD54bdc10b23e653edddd4b5f8977a4af9a
SHA1c8cde51ecda407cb600cde729f18fa6814d06d73
SHA25635a675f623cc8ecd983531961709c16654f4ed6233b38163d815f856771230d1
SHA512c1c1ab3dc2c48b39fddc861590b7b4534ec5de2dd4d498e5b941cd1e98cbc93e23489e7f5bcafbed66803ec905cbb084ba306f1086cb36b9e9600be75d48d2eb
-
Filesize
6KB
MD5c6f9ee79369944ef0509f1a3839ec2a1
SHA1ac6cb07aa5185c392dac8e56b7abc1bae057dd45
SHA2569fa7eaae4e92036625794dd29cff3bfc8395de4ac0ec324d6c3c106df076a584
SHA512dd7dc9c53e8599334f8be58253a455faea425a29a3308fa54b4f964b70931356b78a517291dfad477f2c68495ce3ede3f74b06e4300dbf5aad9cb754194d0404
-
Filesize
6KB
MD518411cd414112c5dbe58781568059014
SHA19133441ec9ee35d0fd7939fea4b9c467d8082150
SHA256bd0ffd138084d7cd6457d19c928f8a2924011166406f1bc9ed70762825ff0852
SHA51239bd5d0e295658dd72d80654395105c28762617a8c0706ead12b831af5b7acbbb5ddf02d1bd8f81b4fba9b044a41ae5babb99cb8a8e24ef8ebf1faf0b857e29b
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD50f29f05f410c96ccf9390d096f61a9ac
SHA1819d52d7772a81e1ebe58618dea28410f84a20ed
SHA256f05c145e44eb0412b87d269a17b457bb17c02e99ad8025584eaf6d3bbc228dd2
SHA512e934974ed56bad7b960ea185069521f0739cd3f297d4236486622594b00773ba068d18f5303cf5f02b11fa069e3c7d3a2aa3ef074f05cdf9ef34950202107898
-
Filesize
11KB
MD5abedadca9c67125ae0f24d061615e875
SHA17cb0801ebd7a93aaec52b831258bd2bfa1c8fad7
SHA2562cba5cdc0d63f7e3be93d7e6a97caeac8c0c20b051bda541d9571ee7b329db4f
SHA5126fc4fa70d4eba6dcc1c120c1bbd15db4e2425cadcf156f7ec22dfd10fb68066cac1ef773ff70eb5efd9c39832fd4607f0141c2a85555ef1fe65296162e5080fb
-
Filesize
12KB
MD57b59bbe289d50ab5dc4f81a7b3507d7a
SHA1490c9f8cc1a784ba12edbf024b0157eb4db05451
SHA2568a29a4da0a7ddccc74b5ed2a4458f667821366f93ddd4517ebf24a4256f9fd97
SHA5120e5b795cccb32cc631b9d1a41e4e32ca54df5229042db7308e11883a32b39220bef6b49f28df979cecf1f1ae6227bed2ed2410b76d4d3dc15aa83f9d7d0bd465
-
Filesize
3.1MB
MD5c5251b4a0300ac59b9c51b39b48960ef
SHA11a9f4710e07aff28c8961b8bb4d5a525ea385e42
SHA2564d5fd376d65beb611b661283d72a19f92e69812c716546e3b3809062671238f2
SHA512a00ddbbd2e4d29b6e54ad422d3a69c4cf3b68cec704c677b5713afe8080774a7b35367464fe5bde19efdd07795f1f7ce2ef13f236241b048638f56fa158b2e76
-
Filesize
2.1MB
MD54029adbdf6d9c701af2f4c4e450c5c85
SHA1994d37eaefd546016eb3ea3b0b0ebc29e04e9342
SHA256b4d0dc79d44e892451bc457ded8304d35ea558fb976829af72815e1191f3fbb7
SHA512c50511b069194a72bf0dc424396fa9968d274b22ebf4ce66023d5401f759e9f87be033f85558336943d278802f93416b40904c8d54c71e07ae3daacc58b90bf8
-
Filesize
3.4MB
MD50aa61a01935a4cf9f104df2e9b86d287
SHA15201aaf6ce61875c76501745ad4a97d1aa4157bd
SHA2567f80bfa6d3293299a6deb8e43437f0f8204eebcfe32711a9d6ec0aad5b524571
SHA51239ee1e08202f233d6c780971c2075e58ead990d12fc2ce55a1de986e067360a5023f8d185feae20733b545dbe028cd3dc9450565e6df6a02da754662197b8cf6
-
Filesize
1KB
MD5df6be94bc74d283977acfb46466292ba
SHA1774e7a4e7936e804e3c25df165495523fe1e161b
SHA25666c21cf78d4ecceb149d58acae1181553dd07465833124afe1af573de931cc7c
SHA512fb26e681484fb94ee66eba06deee66d4e7937e98068930fc007a275ba2274e46d7644594443eb8576ead408190d5f871daaf9cf66599acb9b47ec54320218f82
-
Filesize
1KB
MD5b8d5c55c6fc8a5b0433ae43bb1339956
SHA1bef5dc5d20da96f9ffb739791ec671475d18d642
SHA2563f07995b15de10f9f1343536cb956ce2a203d4aefa13be57f3eb3fc42acaf892
SHA51290db4edd320646cd74c46e8139330570dab78a3b8cc7a3c541a8d4f075da590229746e16247b8d8a48c070fdead7fc2da3a21999a9d6536bcd35827c93f3852b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
Filesize
5.4MB
MD5248f9bf370cdf2fec0d8bdd13d886a7a
SHA11a5a854811e5fb2a09c70b3a445bfedae4a5d93b
SHA2560c3dc89d1bf664be45cf20d164cdf956a26a96f453b37ae124a0520ae5057b99
SHA51221882bde66161a9d7ec03586555db1eb038748cef0d416dcb3a56d957b4ba923271d78513742b9033d39eec943f94e13991f318169ae93f61b7119512b01347f
-
Filesize
6KB
MD52471d41ee3687aea44aa69aad780a9bc
SHA1e872eb4fcea8598deafd95a7306312e3aa67ab42
SHA256fa60a509a1ea375e635c336032d8dfc6fb7e24cea775d999a7bb7bd06468c11e
SHA5120ecab33073c9861c7df7bb4f8155cc090c3398f9492d2fc48d63c5ba0484c165be0bd89032819fd14f5b5b7c602b5417a09d3d0909b214ab7d29845c9f370c49
-
Filesize
7.2MB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
3.7MB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
7.7MB