metastealer | aeac583de2f996861e6a523c6759e9bebb3111d77d98277c207c5448cb8d0da6

Analysis

max time kernel
128s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libcrypto-1_1-x64.dll
Size

4.4MB
MD5

3fb14e936049e2f4102d3d67ffdefc33
SHA1

d3d4363105e45e585ccda505be946ce932a391f2
SHA256

d54e8c1727351fb3065ca2d5043c9667c6243a574fe171a7e75913373c33fb11
SHA512

522706576aca0eb2b8b334705b32d2527287b7dd2c4fa54a64d67996bf295f270e9a10c40431d3c4c020c6728707b9c5a6626b69337ba371e1ede9bd8226c088
SSDEEP

98304:C7j4FpJ88sTWfdnWu5fqlF2VOIAibpP62cCdo1CPwDv3uFfJH:C7j4FpC8sGnWukD2V9x6Kdo1CPwDv3ub

Score

10^/10

metastealer discovery stealer

Malware Config

Signatures

Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

MetaStealer payload 1 IoCs

resource	yara_rule
behavioral5/memory/2808-73-0x0000000010000000-0x000000001072E000-memory.dmp	family_metastealer

Executes dropped EXE 1 IoCs

pid	Process
2808	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2900	MsiExec.exe
2900	MsiExec.exe
2900	MsiExec.exe
2900	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2320	ICACLS.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI787A.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\f7670dc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7670dc.msi	msiexec.exe
File created	C:\Windows\Installer\f7670df.ipi	msiexec.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
960	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2100	msiexec.exe
2100	msiexec.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2100	msiexec.exe
Token: SeTakeOwnershipPrivilege	2100	msiexec.exe
Token: SeSecurityPrivilege	2100	msiexec.exe
Token: SeCreateTokenPrivilege	2732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2732	msiexec.exe
Token: SeLockMemoryPrivilege	2732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2732	msiexec.exe
Token: SeMachineAccountPrivilege	2732	msiexec.exe
Token: SeTcbPrivilege	2732	msiexec.exe
Token: SeSecurityPrivilege	2732	msiexec.exe
Token: SeTakeOwnershipPrivilege	2732	msiexec.exe
Token: SeLoadDriverPrivilege	2732	msiexec.exe
Token: SeSystemProfilePrivilege	2732	msiexec.exe
Token: SeSystemtimePrivilege	2732	msiexec.exe
Token: SeProfSingleProcessPrivilege	2732	msiexec.exe
Token: SeIncBasePriorityPrivilege	2732	msiexec.exe
Token: SeCreatePagefilePrivilege	2732	msiexec.exe
Token: SeCreatePermanentPrivilege	2732	msiexec.exe
Token: SeBackupPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2732	msiexec.exe
Token: SeShutdownPrivilege	2732	msiexec.exe
Token: SeDebugPrivilege	2732	msiexec.exe
Token: SeAuditPrivilege	2732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2732	msiexec.exe
Token: SeChangeNotifyPrivilege	2732	msiexec.exe
Token: SeRemoteShutdownPrivilege	2732	msiexec.exe
Token: SeUndockPrivilege	2732	msiexec.exe
Token: SeSyncAgentPrivilege	2732	msiexec.exe
Token: SeEnableDelegationPrivilege	2732	msiexec.exe
Token: SeManageVolumePrivilege	2732	msiexec.exe
Token: SeImpersonatePrivilege	2732	msiexec.exe
Token: SeCreateGlobalPrivilege	2732	msiexec.exe
Token: SeRestorePrivilege	2100	msiexec.exe
Token: SeTakeOwnershipPrivilege	2100	msiexec.exe
Token: SeRestorePrivilege	2100	msiexec.exe
Token: SeTakeOwnershipPrivilege	2100	msiexec.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2732	2224	rundll32.exe	28
PID 2224 wrote to memory of 2732	2224	rundll32.exe	28
PID 2224 wrote to memory of 2732	2224	rundll32.exe	28
PID 2224 wrote to memory of 2732	2224	rundll32.exe	28
PID 2224 wrote to memory of 2732	2224	rundll32.exe	28
PID 2100 wrote to memory of 2900	2100	msiexec.exe	30
PID 2100 wrote to memory of 2900	2100	msiexec.exe	30
PID 2100 wrote to memory of 2900	2100	msiexec.exe	30
PID 2100 wrote to memory of 2900	2100	msiexec.exe	30
PID 2100 wrote to memory of 2900	2100	msiexec.exe	30
PID 2100 wrote to memory of 2900	2100	msiexec.exe	30
PID 2100 wrote to memory of 2900	2100	msiexec.exe	30
PID 2900 wrote to memory of 2320	2900	MsiExec.exe	31
PID 2900 wrote to memory of 2320	2900	MsiExec.exe	31
PID 2900 wrote to memory of 2320	2900	MsiExec.exe	31
PID 2900 wrote to memory of 2320	2900	MsiExec.exe	31
PID 2900 wrote to memory of 1316	2900	MsiExec.exe	33
PID 2900 wrote to memory of 1316	2900	MsiExec.exe	33
PID 2900 wrote to memory of 1316	2900	MsiExec.exe	33
PID 2900 wrote to memory of 1316	2900	MsiExec.exe	33
PID 2900 wrote to memory of 2808	2900	MsiExec.exe	35
PID 2900 wrote to memory of 2808	2900	MsiExec.exe	35
PID 2900 wrote to memory of 2808	2900	MsiExec.exe	35
PID 2900 wrote to memory of 2808	2900	MsiExec.exe	35
PID 2900 wrote to memory of 2808	2900	MsiExec.exe	35
PID 2900 wrote to memory of 2808	2900	MsiExec.exe	35
PID 2900 wrote to memory of 2808	2900	MsiExec.exe	35
PID 2808 wrote to memory of 960	2808	setup.exe	38
PID 2808 wrote to memory of 960	2808	setup.exe	38
PID 2808 wrote to memory of 960	2808	setup.exe	38
PID 2808 wrote to memory of 960	2808	setup.exe	38

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcrypto-1_1-x64.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 96245271C1C0817686AA032EBA53387B
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2320
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1316
- - C:\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\files\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\files\setup.exe" /VERYSILENT /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi

Filesize
3.8MB

MD5
7896667f54fe3e6e0d275104d878fec1

SHA1
e1ba924eabb739d33036e76bb7355f8e2f5742bd

SHA256
6293a90db282d0b5f36a46903cf184ab3bf25e99c2b24042a84b7aebcdf08c3b

SHA512
7784e9cc1fa115e2026a67fe5734db22d81f35bfb3cc2f86048cbf45e2cdea9bef70aebe70ffaf8c09b729afdc7b786e2e2647c5b82551b77166af4c334ff7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\files.cab

Filesize
3.5MB

MD5
8d210cf5a4958e5b408d9416f2582661

SHA1
6c292799e29293a2233b3bea9e8c22734636426f

SHA256
37e0ec91d08372051edd9c3da83a689f6551b6fc2a50bd08429065d3c8ed3e0b

SHA512
7b8afcdd99d5e871afa54fb375606ecc9c693d19ace084c2121f3ae50551e102314641edaeb11331caa7a244cf40067249ffa2f71f27e040aa92874ff174b812

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\files\setup.exe

Filesize
354.2MB

MD5
9b25254c4e427d0946e6c3b57758bc9d

SHA1
9051ea055e4306e29df34263bee2ed5bfe104073

SHA256
2e69b2ba6310cb4ce3ddafc169c5ddcf8ec881186dc565227976bc29863fd0e9

SHA512
53ca94eff3e68a629d1125f3a9117ff2a181ce37b91b9a1f6f5cc814676a072e9ad52febff7cbdd3646e310162d65c96d244d1a253a279e0a216fc0f12b3971e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\files\setup.exe

Filesize
333.4MB

MD5
f64a24a2b45e7474b019a58d18fa93b7

SHA1
50d4e9550fc9f455ba237ea4743497a5c453fd3b

SHA256
bbd7aa5e1efecaf5a1dd79dd0573e840758b140e1cbab218675821489b0f3a7b

SHA512
647180925ea8e96664b9b7336e66625fcf9499e9d4b087a872572ac34504a26b74ece939f9e605e3788c35696f0090c3449d747d5f6eed8ca2ffdae3995cab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\msiwrapper.ini

Filesize
1KB

MD5
b701bea54fec94fb3e73566d0e19ce6d

SHA1
03cbdb70a1a64a887a65e89249f6bc1abb671b8c

SHA256
c279b5077f65c4a334f0067d547efa4fe6c57074e31cc0be923257ff0f724286

SHA512
5fc2dffe741fb2539aee8a4dcf567c7613b164a817f99f2bec218a76bf51996a401edeb5b0390fd9a16940f0b1f47a623b644321f194b1760c8e11bec9a52806

Download Submit
C:\Windows\Installer\MSI787A.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\files\setup.exe

Filesize
348.0MB

MD5
b340dd321b64d88e63378a5b09669a2b

SHA1
ddc8c3e0a8914a9486a90065c332b852c8a4845f

SHA256
e0ac7bd1915ec6331c8fe7b3cab13d3b88ab65364364b212d5a4ae9248490e4d

SHA512
5105ea5585dac3764a05931dd22f206a6708279a3ac2b38634af4d2df082f98e2f4538ccb8be85249f041265d6556fa1f6ae881a60cbc986e653452ce88adb1b

Download Submit
\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\files\setup.exe

Filesize
332.0MB

MD5
0c06d532fe37c9277263fca25e371d6d

SHA1
586e92d1e41d25c641c7e7357825a7be431b68b2

SHA256
af68ef15fe8c95da6304212fe729fe2c68b42ea3243abee87a3e9a5f3abde386

SHA512
bd13a3c7033a353584fbb5b7a9e43b937b9c4bd907666efdeee94335e911e536e538b71b2acad699658fe61f8092d112689e37641c6c5feecc46c8a2e55da502

Download Submit
\Users\Admin\AppData\Local\Temp\MW-fda8c607-f9e0-4a19-af15-39d31d0f7ace\files\setup.exe

Filesize
334.9MB

MD5
76c174f1a2d6a683180930dc1497ddad

SHA1
905a559ac8b31341bd362b1e569940a493ecfb79

SHA256
3846f0f816d72e08b1f6ec4bcb49058e7a72873f4afb0cfcc9bca2046840148d

SHA512
16f792c122e83229308d22f4792a482a6876d56efe4e9ce52350b7a647f66ffa60741752b88a13dc883ee8f6f02dde4ce0bafead68d152d829951ba3e24a88c6

Download Submit
memory/2808-68-0x0000000000380000-0x00000000003FA000-memory.dmp

Filesize
488KB

Download
memory/2808-71-0x0000000000380000-0x00000000003FA000-memory.dmp

Filesize
488KB

Download
memory/2808-73-0x0000000010000000-0x000000001072E000-memory.dmp

Filesize
7.2MB

Download