Analysis
-
max time kernel
157s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
10-04-2024 08:23
General
-
Target
file_transfer_tools.exe
-
Size
801KB
-
MD5
41dcc29d7eaba7b84fd54323394712af
-
SHA1
ddc0100723cc2dc9ae8b02a0cb7fe4a86c02d54b
-
SHA256
a909bef708a47ae428fedbc566132c56f15ae7511dc460cf22055ec1a72d485a
-
SHA512
5a3e8c1eda558e0b90470d752490bc4d04610f93e453cbfd9013a363cfdf5e607974d526c49efe2ef0440e241d775b66bd7c48c74ee9e8677a37cdedc30c42ee
-
SSDEEP
6144:xmbuKA33X1rgMuu+xdaXkW+zF6m8XZPELSrPzA:x6XA33X1rTuuyrVZ6m8XGH
Malware Config
Signatures
-
Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
MetaStealer payload 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 9 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 37 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file_transfer_tools.exe"C:\Users\Admin\AppData\Local\Temp\file_transfer_tools.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A1CFD7558EAF674C496F578BB7C3ED122⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4507836d-34ea-450c-887a-cc17ee5f6e05\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
-
-
C:\Users\Admin\AppData\Local\Temp\MW-4507836d-34ea-450c-887a-cc17ee5f6e05\files\setup.exe"C:\Users\Admin\AppData\Local\Temp\MW-4507836d-34ea-450c-887a-cc17ee5f6e05\files\setup.exe" /VERYSILENT /VERYSILENT3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\systeminfo.exesysteminfo4⤵
- Gathers system information
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Microsoft\windows\systemtask.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.8MB
MD57896667f54fe3e6e0d275104d878fec1
SHA1e1ba924eabb739d33036e76bb7355f8e2f5742bd
SHA2566293a90db282d0b5f36a46903cf184ab3bf25e99c2b24042a84b7aebcdf08c3b
SHA5127784e9cc1fa115e2026a67fe5734db22d81f35bfb3cc2f86048cbf45e2cdea9bef70aebe70ffaf8c09b729afdc7b786e2e2647c5b82551b77166af4c334ff7e3
-
Filesize
3.5MB
MD58d210cf5a4958e5b408d9416f2582661
SHA16c292799e29293a2233b3bea9e8c22734636426f
SHA25637e0ec91d08372051edd9c3da83a689f6551b6fc2a50bd08429065d3c8ed3e0b
SHA5127b8afcdd99d5e871afa54fb375606ecc9c693d19ace084c2121f3ae50551e102314641edaeb11331caa7a244cf40067249ffa2f71f27e040aa92874ff174b812
-
Filesize
354.2MB
MD59b25254c4e427d0946e6c3b57758bc9d
SHA19051ea055e4306e29df34263bee2ed5bfe104073
SHA2562e69b2ba6310cb4ce3ddafc169c5ddcf8ec881186dc565227976bc29863fd0e9
SHA51253ca94eff3e68a629d1125f3a9117ff2a181ce37b91b9a1f6f5cc814676a072e9ad52febff7cbdd3646e310162d65c96d244d1a253a279e0a216fc0f12b3971e
-
Filesize
342B
MD5503dbdcdc9e573d16f55813b59ece1de
SHA138903b7193558334282fd23d9be86b32ebd513a1
SHA2564a9167526da5a5e45e3f3c39e28ca77113b79ee1895a94cfeeec3a19cd298e75
SHA512204e115269eb60501ab792dd392a716bbfa105cacf23c62f235ce727004ae46d797de82d1d5922788c130be1d96ff0337bc7af8146e5c6e067f9d99099b02406
-
Filesize
1KB
MD53d627f406812eb1e46335176b62244a8
SHA16870be5a040cef27b48f40fdeaa17e6a4d1c8c85
SHA2560c6ed0694c2f7efc5a530d6328046f04b00551497269d9972ef6fc6dfac358bb
SHA512cdc2f01f7cdf6e3a3a5574b05efce311c231141670b625b14b953d222b6c346fd7ba777118a766a7de84c2ee7c6e85349defa5dccdf9d292362ad263541c37be
-
Filesize
1KB
MD553ebbf0b6da2793273f39b663d667731
SHA1904a36cf2f13c28fc9eee61fad174b902e20a626
SHA256f18c6a68be4222596259b0f53881dd7b1ea60895f9a3130aa0b3f3f62f116153
SHA512d1e74b2896d605bdcf01ee555eb57e5c08f0bea0e2e2dc58f1b31f006a495af1f20342a9398bd733df9f1a44a46373ae332d0abb872f93de64ee978ddade6d90
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
208KB
MD50c8921bbcc37c6efd34faf44cf3b0cb5
SHA1dcfa71246157edcd09eecaf9d4c5e360b24b3e49
SHA256fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
SHA512ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
56KB
-
Filesize
652KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
488KB
-
Filesize
7.2MB