Analysis
- max time kernel: 150s
- max time network: 167s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-04-2024 00:59

Static task: static1
Behavioral task: behavioral1
- Sample: be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
- Resource: win7-20240221-en
General
- Target: be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
- Size: 1.8MB
- MD5: 4414d2ea457ca79b4734f4d03aa10cff
- SHA1: be055cc414a6559eb0b8f6c61aa643ffc3a042fb
- SHA256: be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6
- SHA512: c98808a4e483e2d2401c8dbae6cd62c321e993c85cfa406d4ddc56cef804693bcac8b8dd683f96917084f4eefa61b500c5d983b66f6b0e3c3b11585b28226172
- SSDEEP: 24576:/3vLRdVhZBK8NogWYO09SOGi9J3YiWdCMJ5QxmjwC/hR:/3d5ZQ1exJIiW0MbQxA
Malware Config
- Extracted: metasploit
  - windows/shell_reverse_tcp
  - 1.15.12.73:4567
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Drops file in Drivers directory (1 IoC)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation | be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\E:, \??\G:, \??\V:, \??\Y:, \??\P:, \??\R:, \??\U:, \??\H:, \??\L:, \??\M:, \??\O:, \??\J:, \??\S:, \??\N:, \??\Q:, \??\T:, \??\W:, \??\A:, \??\B:, \??\I:, \??\K:, \??\X:, \??\Z: (one IoC per drive letter, 23 in total) | be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  4624 | msedge.exe (2 events)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  Processes:
  pid | process
  3444 | msedge.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1188 | be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe (2 events)
  Token: SeDebugPrivilege | 4576 | be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe (2 events)
- Suspicious use of FindShellTrayWindow (17 IoCs)
  Processes:
  pid | process
  3444 | msedge.exe (17 events)
- Suspicious use of SendNotifyMessage (16 IoCs)
  Processes:
  pid | process
  3444 | msedge.exe (16 events)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
  description | pid | process | target process
  PID 1188 wrote to memory of 4576 | 1188 | be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe | be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe (3 events)
  PID 4576 wrote to memory of 3444 | 4576 | be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe | msedge.exe (2 events)
  PID 3444 wrote to memory of 2468 | 3444 | msedge.exe | msedge.exe (2 events)
  PID 3444 wrote to memory of 844 | 3444 | msedge.exe | msedge.exe (40 events)
  PID 3444 wrote to memory of 4624 | 3444 | msedge.exe | msedge.exe (2 events)
  PID 3444 wrote to memory of 1568 | 3444 | msedge.exe | msedge.exe (15 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\be5a48fc4d92a5a26da69b562795456d9ef90ec723b4105c4b1ede5b57cb29e6.exe" Admin
    - Drops file in Drivers directory
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.178stu.com/my.htm
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2b6d46f8,0x7ffe2b6d4708,0x7ffe2b6d4718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5189145051219210889,8639270356194488699,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 2579d07b98bbefadc929d80fb3dbd32a
  SHA1: 1ceb57c4b81f0f23500e118a4b9a225116a467de
  SHA256: b8443c289ad36568a2bf794ac9ec1f259a9dd930c36680dafc8d0cb4de81feb6
  SHA512: 53522ad5e8e2a272d5b1bff9b9226b7d976d47413891c60d7efebd4365baff12b6891e3f79b20e14892ec7c654ad2d437941014290c428c6b1bd78a7b3e557de
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 8c91c8582b0c918416d14bd7eedd686e
  SHA1: b2ff8149bc21144fdcec64111afda492965c6621
  SHA256: 1e839706b748c04adf8efa2790564ca1efd707fdf6451e71af6862e07123717e
  SHA512: a93be868d9f08097bff39069378a0bfa0f5c78e74e9e8df820be9b0426cbfe84e03e9638b329b6142279ed140a120c4c4c21857f410fc4789a370445c3919dcf
- C:\Windows\system32\drivers\etc\hosts
  Filesize: 822B
  MD5: 03450e8ddb20859f242195450c19b8f1
  SHA1: 9698f8caf67c8853e14c8bf4933949f458c3044a
  SHA256: 1bdd8f1dd7bd82b5b2313d8770dfe4f41cd3f45bbaeab8b8a7f75fc5e2d3720b
  SHA512: 87371e57bf2296af5ec7f5db772a4ce66729d54aa23a8b384e3f4c42310b97b636576c7dff67c27a3b679339cdeee05b836563ae2a878f0367caf247b3e1ba7b
- \??\pipe\LOCAL\crashpad_3444_XYRRBREIHMEKEATZ
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/1188-0-0x00000000021F0000-0x00000000021F1000-memory.dmp (Filesize: 4KB)
- memory/1188-1-0x00000000021F0000-0x00000000021F1000-memory.dmp (Filesize: 4KB)
- memory/1188-2-0x00000000022C0000-0x00000000022C1000-memory.dmp (Filesize: 4KB)
- memory/1188-4-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-15-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-23-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-13-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-16-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-17-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-18-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-19-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-14-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-24-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-26-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-12-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-11-0x0000000002410000-0x0000000002411000-memory.dmp (Filesize: 4KB)
- memory/4576-9-0x0000000000400000-0x00000000005E5000-memory.dmp (Filesize: 1.9MB)
- memory/4576-6-0x0000000002410000-0x0000000002411000-memory.dmp (Filesize: 4KB)