Malware Analysis Report

2025-01-03 08:10

Sample ID 240420-spv5eabh9s
Target 338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1
SHA256 338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1
Tags
metasploit backdoor discovery spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1

Threat Level: Known bad

The file 338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor discovery spyware stealer trojan

MetaSploit

Drops file in Drivers directory

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Enumerates connected drives

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-20 15:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-20 15:18

Reported

2024-04-20 15:21

Platform

win7-20240221-en

Max time kernel

119s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Every row below is attributed to iexplore.exe (or its x86 tab process), which the sample launched with http://www.178stu.com/my.htm; the keys are Internet Explorer's own first-run, tab-recovery and search-scope state rather than values written directly by the sample.

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419788199" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c34b373693da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4989B681-FF29-11EE-8AAC-6EAD7206CC74} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000001944971b7778399ca68edcad9dcaa75c2bc86d0e7e8257836105f0063d64250a000000000e8000000002000020000000fc171f850fc119516ed526aa54902cc361d02082edacc5c8ec71cbcc7a9da00120000000ce1d1027ecf9f9009083b5cb6453bf89974ccd7f65054aaf8c40b493111d31ca4000000043547ed32d88bd0acde245e73dc1d0f7427368b6a40eb2dc382633e4afe425eee129351efcef083a4e807e8fee7719e110ac4d3e3cdf715a9d76af6246143ec6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2724 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe
PID 2724 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe
PID 2724 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe
PID 2724 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe
PID 2036 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2036 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2036 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2036 wrote to memory of 2388 | N/A | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | C:\Program Files\Internet Explorer\iexplore.exe
PID 2388 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2388 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2388 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2388 wrote to memory of 2804 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe

"C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe"

C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe

"C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe" Admin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2388 CREDAT:275457 /prefetch:2
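The WriteProcessMemory table above lists three writer/target pairs, each repeated four times, and the Processes section gives the command lines. The following Python is an added example, not part of the sandbox report: it collapses those rows into a process chain and attaches a verdict to each edge. The PID-to-command-line pairing is inferred from the report (the memory dumps name 2724 and 2036, the write rows name 2388 and 2804, and the SCODEF:2388 argument on the x86 IEXPLORE.EXE command line ties that tab process to the iexplore.exe frame); the browser list and the verdict labels are this example's own.

```python
"""Collapse a sandbox's 'PID X wrote to memory of Y' rows into a process chain
and label each edge, so the one write that matters stands out."""
import re
from collections import Counter

# Image paths exactly as they appear in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe")
IE_FRAME = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE_TAB = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

# behavioral1 "Suspicious use of WriteProcessMemory" rows as
# (writer pid, target pid, writer image, target image); each pair appears four times.
WRITE_EVENTS = ([(2724, 2036, SAMPLE, SAMPLE)] * 4
                + [(2036, 2388, SAMPLE, IE_FRAME)] * 4
                + [(2388, 2804, IE_FRAME, IE_TAB)] * 4)

# PID -> command line from the Processes section. The pairing is inferred from the
# report (dumps name 2724/2036, write rows name 2388/2804, SCODEF:2388 names the frame).
COMMAND_LINES = {
    2724: f'"{SAMPLE}"',
    2036: f'"{SAMPLE}" Admin',
    2388: f'"{IE_FRAME}" http://www.178stu.com/my.htm',
    2804: f'"{IE_TAB}" SCODEF:2388 CREDAT:275457 /prefetch:2',
}

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}  # example's own list
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(writer, target, writer_img, target_img, cmdlines):
    target_cmd = cmdlines.get(target, "")
    # IE's frame process starts each tab with SCODEF:<frame pid>; the write that
    # accompanies that launch is IE's own behaviour, not injection by the sample.
    if re.search(rf"\bSCODEF:{writer}\b", target_cmd):
        return "expected-ie-tab-spawn"
    if image_name(writer_img) == image_name(target_img):
        return "self-spawn"  # second instance of the same binary (here started with "Admin")
    if image_name(target_img) in BROWSERS and URL_RE.search(target_cmd):
        return "browser-injection-candidate"  # launched a browser with a URL, then wrote into it
    return "cross-process-write"


def process_chain(events=WRITE_EVENTS, cmdlines=COMMAND_LINES):
    """One edge per (writer, target) with the write count and a verdict, root first."""
    counts = Counter(events)
    edges = {key: {"writer": key[0], "target": key[1], "writes": n,
                   "target_cmdline": cmdlines.get(key[1], ""),
                   "verdict": classify(*key, cmdlines)}
             for key, n in counts.items()}
    targets = {key[1] for key in edges}
    queue = [key[0] for key in edges if key[0] not in targets]  # roots: never written to
    ordered, seen = [], set()
    while queue:
        pid = queue.pop(0)
        for key, edge in edges.items():
            if key[0] == pid and key not in seen:
                seen.add(key)
                ordered.append(edge)
                queue.append(key[1])
    return ordered


if __name__ == "__main__":
    # Indentation by position is only meaningful for a linear chain like this one.
    for depth, edge in enumerate(process_chain()):
        print("  " * depth + f"{edge['writer']} -> {edge['target']} (x{edge['writes']}) "
              f"{edge['verdict']}: {edge['target_cmdline']}")
```

Read this way, the frame-to-tab write is Internet Explorer's normal tab launch and is noise in a hunt; the edge to pivot on is the second sample instance writing into iexplore.exe immediately after launching it with a URL, which, together with the report's MetaSploit tag, is the injection step.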

Network

Country | Destination | Domain | Proto
CN | 1.15.12.73:4567 | - | tcp
CN | 1.15.12.73:4567 | - | tcp
US | 8.8.8.8:53 | info.178stu.com | udp
HK | 103.133.93.52:80 | info.178stu.com | tcp
US | 8.8.8.8:53 | www.178stu.com | udp
US | 8.8.8.8:53 | www.178stu.com | udp
HK | 103.133.93.52:80 | www.178stu.com | tcp
HK | 103.133.93.52:80 | www.178stu.com | tcp
HK | 103.133.93.52:80 | www.178stu.com | tcp
HK | 103.133.93.52:80 | www.178stu.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2724-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2724-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2724-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2724-4-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2036-6-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2036-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/2036-11-0x0000000000400000-0x00000000005E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab18D1.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1A2F.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 29dd7d645e7b06bd9f3e02a1e2032da6
SHA1 8284aebbe7b8f5b32e5bbeefb5ed73230ba67467
SHA256 8f8826f02b036e8e7c45e986a6248f138c0e95832a7c4d7e3b69eb029d346eed
SHA512 b16942747934100ff861a6a1b42bf90896967122936e2a87a23ac3d13f0fc4ecc54a0dcd2c4a71fa45402bb9100c491adbb91d0c045f534db98bcf70453fe37b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad18ab69302852f8fdfb21dba726d75f
SHA1 006a1a533a3e367e1f4b410e8f657cabc1ffaa9b
SHA256 ad78e7bdf0f994180efcfe41542ca064dfd21f59089d00dfae3b1ec1d48347c9
SHA512 8d9ea6bda98bbbbbb9347663f12492535c447425cb2ca773823febb258f126a646360b3118f0c04103ccfd49ea122776886ae2a6294a96bc8a138bccadc0c877

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0215592003e4cfea15496f9e1c15197f
SHA1 7d2c32ed5f3018c33521f4b3d12121efc3f2de7b
SHA256 208e039be4c92eb2717cf9c033f25c54a8d00cc68d4b07a904c1a9aa68cc4f92
SHA512 e85cd569bc377ed9841276a00e22047ab297828a88d6a711d286a6d6e3fa93267a563475a31b1a0e9115a7846a0eeae5d3802210bc4fc507a86f0dbf67cf318a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e5445b32bd9ce659202d5b0cbbb5bf2
SHA1 218b5f9ac0b65d6a6a854d7c8a9185297b10814f
SHA256 f84305d7c1de4d8833751c3fe44a1b5fd8c4efeca1f7400a7cd6c7394d8ae777
SHA512 1be0007357a180f4615e3fb39a956d3d6402a00d8e29de6f2c7507a7a41227c89cd3c1c64d45c0c71e6759b96c9e882bcb2011a2f66e65e2bb31396109be93db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cec7bec27fba2166057102f81f9bf1d
SHA1 3927459b49e9dee70955345bf2b51e654071a689
SHA256 4715e07cc04f687900ec487e57b1e20a85a50362d89027d3ef3adf5a0ef560af
SHA512 8f6be8807799b0dc01cb49a6ebc15c5dcdc844ac19684dd70cdc30b8b185f0fc46df5bbf37697c0554b7bca1c4fd874e7485d14bd283c6d1f7edb170ac941d47

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 257edc507d88e2b44415882ead1faecf
SHA1 393fac85f3bd7b702be92aaaa75a38689d3ccea3
SHA256 141e02936e6913b5e2c3d598ff97abf340f3569c883a6edfa2991048baa42ca1
SHA512 aa1f9e79f472c13c8d82ddad88823a4107156330f59ed8b37e4e13e49d2ad4aef8cfa1cfa58e3a490e91e627d732ceec838114fe72bc04cb9db69a97612cbf8f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ec929c741af10700caf1f47ac23c181d
SHA1 647fe9dcb6d6dff3e3866de7ef1afa48d587499f
SHA256 36bf8573a8964ddd88598101f61e2b5b3e5cd3d9776e38454e53fd0cf7130e6c
SHA512 9689069a06bef20cb1635745af7b05e9872b676640bcd1cc2ae5de49b7970a628b27c80c3bdf8b97d2d612c9768c8ad62436108b5bf2275f29aff6bec4d60926

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-20 15:18

Reported

2024-04-20 15:21

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
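Both detonations (behavioral1 above and behavioral2 here) record only that the sample opened C:\Windows\system32\drivers\etc\hosts for modification; the report does not show what, if anything, was written. Because the hosts file Windows ships contains comments only, any active mapping on a suspected host is a deviation worth reading. The check below is an added example, not part of the report. Its sample hosts content is constructed (documentation addresses and example.com/example.org names), and the "sinkhole", "redirect" and "lan-override" labels are this example's own.

```python
"""Parse a Windows hosts file and classify every active mapping."""
import ipaddress
import os

# Constructed sample. The shipped Windows hosts file has only comment lines like
# the first three; the three mappings after them are the kind of edit this surfaces.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1       update.example.com   # constructed: name silenced (sinkhole)
203.0.113.5     www.example.org      # constructed: name redirected off-host
10.0.0.8        intranet.example.com # constructed: LAN override
"""

SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1", "::"}
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def active_entries(text):
    """Return (ip, [names]) for every non-comment mapping, inline comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue                      # blank, comment-only, or no hostname
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                      # malformed line, not a mapping
        entries.append((str(ip), [p.lower() for p in parts[1:]]))
    return entries


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_RANGES)  # mixed IP versions compare False


def classify_entries(entries):
    """Label each name: default-localhost, sinkhole, lan-override or redirect."""
    findings = []
    for ip, names in entries:
        for name in names:
            if ip in SINKHOLE_IPS and name.startswith("localhost"):
                kind = "default-localhost"
            elif ip in SINKHOLE_IPS:
                kind = "sinkhole"         # name silenced, e.g. update or AV hosts
            elif is_lan(ip):
                kind = "lan-override"     # common in admin-managed hosts files
            else:
                kind = "redirect"         # name sent to a foreign address
            findings.append((name, ip, kind))
    return findings


def deviates_from_default(text):
    """True if anything beyond the stock localhost lines is active."""
    return any(kind != "default-localhost"
               for _, _, kind in classify_entries(active_entries(text)))


if __name__ == "__main__":
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    try:
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS               # offline: fall back to the constructed sample
    for name, ip, kind in classify_entries(active_entries(text)):
        print(f"{kind:18} {name:30} -> {ip}")
    print("deviates from shipped default:", deviates_from_default(text))
```

On a live host, run it after the sample has executed and compare with a clean baseline; a sinkhole of vendor update hostnames or a redirect of a login domain is the pattern a hosts-file tamper usually takes, but this report alone does not establish which, if either, the sample performed.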

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe | N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe

"C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe"

C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe

"C:\Users\Admin\AppData\Local\Temp\338c62948d065986b16f3312c3ec0b66549e0d318e582c9c96d94e4aaeed53e1.exe" Admin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2756 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | - | tcp
CN | 1.15.12.73:4567 | - | tcp
CN | 1.15.12.73:4567 | - | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | info.178stu.com | udp
HK | 103.133.93.52:80 | info.178stu.com | tcp
US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp
US | 13.107.246.64:443 | - | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | www.178stu.com | udp
HK | 103.133.93.52:80 | www.178stu.com | tcp
US | 8.8.8.8:53 | - | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | edge.msiserver.lan | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp
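The Network tables of both detonations (behavioral1 and behavioral2) mix the sample's own contacts with resolver traffic, reverse lookups and the browser's vendor connections. The following Python is an added example, not part of the sandbox report: it parses the rows exactly as the report prints them, separates DNS noise from real destinations, and triages each destination. The rows are copied from the two tables; the vendor suffix list, the treatment of .lan names as sandbox-local, and the verdict labels are this example's assumptions. It labels 1.15.12.73:4567 a candidate because it is a raw-IP, non-standard-port TCP contact with no DNS lookup, a profile consistent with the report's MetaSploit tag, but the report does not confirm it as a handler.

```python
"""IOC triage over the flattened 'Network' tables of both detonations."""
import re
from collections import defaultdict

# Rows copied from the behavioral1 and behavioral2 Network tables
# (Country Destination [Domain] Proto; Domain is absent for raw-IP connections).
NETWORK_ROWS = """\
CN 1.15.12.73:4567 tcp
CN 1.15.12.73:4567 tcp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 www.178stu.com udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
HK 103.133.93.52:80 www.178stu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 20.231.121.79:80 tcp
CN 1.15.12.73:4567 tcp
CN 1.15.12.73:4567 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 info.178stu.com udp
HK 103.133.93.52:80 info.178stu.com tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 www.178stu.com udp
HK 103.133.93.52:80 www.178stu.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
"""

# Assumption: names under these suffixes are vendor traffic from the launched browser.
VENDOR_SUFFIXES = (".microsoft.com",)
ROW_RE = re.compile(r"^(\S+)\s+(\S+:\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text):
    """Yield (country, 'ip:port', domain or None, proto) per table row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, dest, domain, proto = m.groups()
            yield country, dest, (domain.lower() if domain else None), proto


def extract_iocs(text):
    """Separate resolver traffic from real contacts; return (contacts, queried_names)."""
    contacts = defaultdict(lambda: {"count": 0, "domains": set(), "countries": set()})
    names = set()
    for country, dest, domain, proto in parse_rows(text):
        if dest.endswith(":53") and proto == "udp":
            # Keep forward lookups; drop reverse lookups and the sandbox's own .lan names.
            if domain and not domain.endswith((".in-addr.arpa", ".lan")):
                names.add(domain)
            continue
        c = contacts[dest]
        c["count"] += 1
        c["countries"].add(country)
        if domain:
            c["domains"].add(domain)
    return dict(contacts), names


def triage(contacts):
    """Verdict per destination: vendor, raw-ip-nonstandard-port, unattributed-domain, undetermined."""
    verdicts = {}
    for dest, c in contacts.items():
        port = int(dest.rsplit(":", 1)[1])
        if any(d.endswith(VENDOR_SUFFIXES) for d in c["domains"]):
            verdicts[dest] = "vendor"
        elif not c["domains"] and port not in (80, 443):
            verdicts[dest] = "raw-ip-nonstandard-port"  # no DNS, odd port: handler-like profile
        elif c["domains"]:
            verdicts[dest] = "unattributed-domain"
        else:
            verdicts[dest] = "undetermined"                # raw IP on a web port, no attribution
    return verdicts


def hunt_list(text):
    """Indicators to search for in proxy, DNS and flow logs, sorted."""
    contacts, names = extract_iocs(text)
    flagged = {d for d, v in triage(contacts).items()
               if v in ("raw-ip-nonstandard-port", "unattributed-domain")}
    return sorted(flagged | names)


if __name__ == "__main__":
    contacts, _ = extract_iocs(NETWORK_ROWS)
    for dest, verdict in sorted(triage(contacts).items()):
        c = contacts[dest]
        print(f"{dest:22} x{c['count']:<2} {verdict:26} {','.join(sorted(c['domains'])) or '-'}")
    print("hunt:", hunt_list(NETWORK_ROWS))
```

Two destinations come out undetermined (20.231.121.79:80 and 13.107.246.64:443): they have no DNS attribution in the report, and the example deliberately does not guess their owner. Attribute them from passive DNS or the proxy log before adding them to a blocklist.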

Files

memory/1596-0-0x00000000021F0000-0x00000000021F1000-memory.dmp

memory/1596-1-0x00000000021F0000-0x00000000021F1000-memory.dmp

memory/1596-2-0x0000000002630000-0x0000000002631000-memory.dmp

memory/1596-3-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-6-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1596-9-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-10-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-11-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-12-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-13-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-14-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-15-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-16-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-17-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-18-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-19-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-21-0x0000000000400000-0x00000000005E5000-memory.dmp

memory/4268-22-0x0000000000400000-0x00000000005E5000-memory.dmp