Overview

overview

10

Static

static

3

file_trans...ls.exe

windows7-x64

10

file_trans...ls.exe

windows10-2004-x64

10

job_descri...df.url

windows7-x64

1

job_descri...df.url

windows10-2004-x64

1

libcrypto-1_1-x64.dll

windows7-x64

10

libcrypto-1_1-x64.dll

windows10-2004-x64

10

vcruntime140.dll

windows7-x64

1

vcruntime140.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 08:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    libcrypto-1_1-x64.dll

  • Size

    4.4MB

  • MD5

    3fb14e936049e2f4102d3d67ffdefc33

  • SHA1

    d3d4363105e45e585ccda505be946ce932a391f2

  • SHA256

    d54e8c1727351fb3065ca2d5043c9667c6243a574fe171a7e75913373c33fb11

  • SHA512

    522706576aca0eb2b8b334705b32d2527287b7dd2c4fa54a64d67996bf295f270e9a10c40431d3c4c020c6728707b9c5a6626b69337ba371e1ede9bd8226c088

  • SSDEEP

    98304:C7j4FpJ88sTWfdnWu5fqlF2VOIAibpP62cCdo1CPwDv3uFfJH:C7j4FpC8sGnWukD2V9x6Kdo1CPwDv3ub

Score
10/10
metastealerdiscoveryspywarestealer

Malware Config

Signatures

  • Meta Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • MetaStealer payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcrypto-1_1-x64.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 24A59487D798502D594672E3EECE6849
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e9b5486f-5cd3-4985-9e87-a1a6b1f9359d\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:1676
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:4436
      • C:\Users\Admin\AppData\Local\Temp\MW-e9b5486f-5cd3-4985-9e87-a1a6b1f9359d\files\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-e9b5486f-5cd3-4985-9e87-a1a6b1f9359d\files\setup.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4428
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • Gathers system information
          PID:4948
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2320,i,3025503729105798828,9325691672526736153,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4892

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi
      Filesize

      3.8MB

      MD5

      7896667f54fe3e6e0d275104d878fec1

      SHA1

      e1ba924eabb739d33036e76bb7355f8e2f5742bd

      SHA256

      6293a90db282d0b5f36a46903cf184ab3bf25e99c2b24042a84b7aebcdf08c3b

      SHA512

      7784e9cc1fa115e2026a67fe5734db22d81f35bfb3cc2f86048cbf45e2cdea9bef70aebe70ffaf8c09b729afdc7b786e2e2647c5b82551b77166af4c334ff7e3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-e9b5486f-5cd3-4985-9e87-a1a6b1f9359d\files.cab
      Filesize

      3.5MB

      MD5

      8d210cf5a4958e5b408d9416f2582661

      SHA1

      6c292799e29293a2233b3bea9e8c22734636426f

      SHA256

      37e0ec91d08372051edd9c3da83a689f6551b6fc2a50bd08429065d3c8ed3e0b

      SHA512

      7b8afcdd99d5e871afa54fb375606ecc9c693d19ace084c2121f3ae50551e102314641edaeb11331caa7a244cf40067249ffa2f71f27e040aa92874ff174b812

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-e9b5486f-5cd3-4985-9e87-a1a6b1f9359d\files\setup.exe
      Filesize

      354.2MB

      MD5

      9b25254c4e427d0946e6c3b57758bc9d

      SHA1

      9051ea055e4306e29df34263bee2ed5bfe104073

      SHA256

      2e69b2ba6310cb4ce3ddafc169c5ddcf8ec881186dc565227976bc29863fd0e9

      SHA512

      53ca94eff3e68a629d1125f3a9117ff2a181ce37b91b9a1f6f5cc814676a072e9ad52febff7cbdd3646e310162d65c96d244d1a253a279e0a216fc0f12b3971e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-e9b5486f-5cd3-4985-9e87-a1a6b1f9359d\msiwrapper.ini
      Filesize

      1KB

      MD5

      b87385760afbd9961554776120bc663e

      SHA1

      49a2adee8b99870d825f1a4e59d8d69a37029fca

      SHA256

      369cb1785d4d40f182c4792f8c81600a8467294e0d5ba8e3a5308b6fad39d177

      SHA512

      514ff1fcd22eed14c3287cb69e96b6a5c9573c7fa691d3277c133fb10abbc8cfe4c5a7613356cf2f9b1dca78c8b14f144fc04e02b3082db33dff450833a47611

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MW-e9b5486f-5cd3-4985-9e87-a1a6b1f9359d\msiwrapper.ini
      Filesize

      1KB

      MD5

      239c8d45666ef1319f08dbbac436af0f

      SHA1

      6cb988c4219c73dd7d291532673fa7fa28055f4c

      SHA256

      e89179de1b46dac4a4dacaff3936cca618e1e601d7915f7bc7c1221ef55d5715

      SHA512

      2030e355f7b4aa07264a5f8ce3e01e8d542fdbe8f4ea3b71dbeae0ba78457190f4218c55457e3e8cdaa9107190fdf605fe3cebc0559754c6f07b24ee5fdaddd8

      Download Submit

    • C:\Windows\Installer\MSI7E77.tmp
      Filesize

      208KB

      MD5

      0c8921bbcc37c6efd34faf44cf3b0cb5

      SHA1

      dcfa71246157edcd09eecaf9d4c5e360b24b3e49

      SHA256

      fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

      SHA512

      ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

      Download Submit

    • memory/4428-67-0x0000000000AE0000-0x0000000000B5A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4428-68-0x0000000000AE0000-0x0000000000B5A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4428-71-0x0000000010000000-0x000000001072E000-memory.dmp

      Filesize

      7.2MB

      Download

    • memory/4428-373-0x0000000000AE0000-0x0000000000B5A000-memory.dmp

      Filesize

      488KB

      Download