Analysis
-
max time kernel
146s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
-
submitted
11-05-2024 06:23
General
-
Target
2b646d1981c005e7a25fe0732f9e268b73963445aa2ee0a660564b332c743981.exe
-
Size
1.8MB
-
MD5
67a6dc58a6aca634488069930f72229f
-
SHA1
a0a0146219060ff8e6530d9d4612a5973cf233f8
-
SHA256
2b646d1981c005e7a25fe0732f9e268b73963445aa2ee0a660564b332c743981
-
SHA512
184cebd5a1300ec6ab2b569c928f7c07af52374b5a4fb3f72f47e444e8b5e4eb18c3a457d8c1073570e8fccd3fde190b1ef8879154d6c10785e9684f05b7975b
-
SSDEEP
24576:R3vL762VhZBJ905EmMyPnQxhe4A27l9BoUj3QC/hR:R3P6UZTHEW
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
1.15.12.73:4567
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Drops file in Drivers directory 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b646d1981c005e7a25fe0732f9e268b73963445aa2ee0a660564b332c743981.exe"C:\Users\Admin\AppData\Local\Temp\2b646d1981c005e7a25fe0732f9e268b73963445aa2ee0a660564b332c743981.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2b646d1981c005e7a25fe0732f9e268b73963445aa2ee0a660564b332c743981.exe"C:\Users\Admin\AppData\Local\Temp\2b646d1981c005e7a25fe0732f9e268b73963445aa2ee0a660564b332c743981.exe" Admin2⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cb6a59a87754cbe8847bcee379f8c5d4
SHA122626841fa77550f83c09fce6861344d486496f5
SHA256be201b65a703cf3c6c8134166d82aa35bf54f4f116a858d7dd363e74144d1be9
SHA5126fc4f62f23deecb85850f5fd1bdc9cf489c35f46936f72534df0dbf4bbf8b573c8086faf67a7c40c8503aed16d6a148a4c724d8e5f8251cb15fc40615528c4de
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD503682aae95247dc34a8cc00bad67732b
SHA1677d6a76cad163e6fcd021cd908463e1386c4e22
SHA2560cc45f3c598b7457271c0195b9da38fa768a25bde8940f6d089a487e88e3edb9
SHA5121d1669ed72c017cc02026966f5ddba440b015a9953d931b36ae6b167fdf01dceacd32b9c35cd8aaf32d60a2c4f67a1696859e1da079b1a87792e48893bb882e7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD58e0e750a939902f04df839336de1ff65
SHA19ac27418847c846dc0eefd433529fe5652220276
SHA2560fdd6fd593fa7a77edafae33dcb4fa25cf46d4a691c17c0f0f26401ba2abf363
SHA5126f356e1b8837d490bb7011eb566c0fadbb74bd26a1ad8f4aa02d425c646a9bf720648f63a5268ec103f26fc6ab1b98563d5dec766a40ac2bc27d8209ae9c37ec
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD585f8e8d31f59b0982ef7d11b9605bc72
SHA137dedb74e7853439a62ebfadb94690dfa2a56fe6
SHA256e0f99763a879724242750e04bb72bc098d6daab65c064c82cc79bba5a547f29e
SHA5129e8144dc19933e83149f2c57925c7e63fe49c7a4bf237e5deb1cb93a831f95456a5a1b5c93675ab50ec27bd8d917a51013b7b8a82e811c5d7774cf0340dde9e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD526f425acedf4c93d99aad71a9f363914
SHA1c128c7954b2bd1957a0604645abd63bb77ce8d45
SHA2567f6febdbb59330137f7fe27c15f88c9c30507f69d2b12cede97be20cb845cec5
SHA512fb33b40fd76f8293b73115e8a4b06fc06ff8ed52cfb9323d9c42c2eed96b3f6fd9362191c054922f46f485328849616a2d17859c5a74ff80d19a6911c815d76b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5376f8895decbad7300572674ccc15ffb
SHA1ab8dba1240ccdb8105a350087e652d6ebf889920
SHA256c6ce27407aba8a150fd98c5e4ba703437ef969c3df606c6c98a3f87fce82a44f
SHA51236d9535cddc07ceeb430a9ce2515043e4ba9ecfa2ea2ee26ebf7be18e3720dcd653324814e656be0b51d1c957e3c1579683550844e6e5818c32853abb5f167ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a2388690c20e0b40b29d15f9194f4ed9
SHA19bce32b0c8b904fad08914201ee4356e1d59446c
SHA256bac1caf8a4787923983ced58c4d3b39e70cf882228ba7020979a1f910a0ba9ac
SHA5125588ab413275488cd825c068d3b710a8a0ed2cd77bd21d813f3eb1862af91d91b99002afd80ce40d99b835838b43ef1425380179e0df8914050ca55d94e8a90b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5582f3866e37447b755854e0eeb4720fd
SHA18cc469ab76b691420f76f78409834c98265f181b
SHA256c3ed0e39b0b72a5d7702af3cbd648591bd6518e2de6283061021212fbd33ca36
SHA512a010a30727d0e3ae66a3016083fda0e8e1272d0bba199309f2cad6aa006531d636ec07b5e8f55bf419236db9b81a64fecd7b20e7cc7456524a5370bdf158f0b0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5fe53342a564fedc7e5b09a9815b2d1a7
SHA16691b7ff32de4de25c65866df1363ce632ff8864
SHA2562f72c51903eda96f8f1a713e15f43722d2cc8a4ad4b6ad52b4f0e4174f32bfc0
SHA5123a9b1a03d1cc922544d912123b3d61025a524df6088b36e82e63316a6b15b8b385c431e1bac3686541733ab27d4123a2d229619a4dd8726e779dd006a8cd631c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5196f38a751100bd9424865493c0cf614
SHA1d4b4542434ee6bd2fbb4532c22f82e262659b844
SHA256e8ca7e884b206f46583f1307d7763627cc1d155969c132bd612487b6d33fe61e
SHA512016d4d863305e0c0f2285467a4c638bd7a5b9d752839d83bf863c32d42168b53f92fcda2fe50de86be6b8ce2ef6afe00b1821c318edd2e1f8717f5e8ac663f99
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD51e85708c08e96505d65627a8b6584d2d
SHA1ce288ce700c5fda77b77174562bb711d15c2548f
SHA2564d888ad529cee43a888944332bffa4fa33442be53d2ff850e8bd4106b56004ea
SHA51215f1df9b41d0e9d0c52c6031a116dee4738abfd8c0180a4cb9e994781270f979ef695b7a770800ff5b365301be61b241aa48fded11be154f956e0fd64973cccd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD56b04c9f859593c4ea7c218aabcb6392f
SHA1d9c916001893fd6400357a4d4ba558f6f25bfce5
SHA2560d9d472a0028d9e7631c489e08753a71de10803e8e053b6add51959909542de7
SHA51268945b8642a52972dc9a9bfe87961cd03dc8f82d356d8ae3d40fad81e76668ea4dd4a5fe34bd31448ed207b08a8f5f7d806746eb1f46e04a6d53d1b32f493afe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57f818a3efe3a6b2089e37b23d7c5fff4
SHA19b789b67942f10b0a0f778523297dc0a38958523
SHA25614cb02f10a003ad0124d6a6f9577cf7041e2627d2bb5fcbd5eec32395471656b
SHA512d0eb3dd9a7ca9ba7d5c5e65151923bb20e8765a2061c5d3601a0075657f99adba3ea29da38f68ba0d86ea2a8eb671ff1cdb7b6ae9398e13e5f6600a3d39bab79
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5b2cfc56fe48bf8ba5306f39d2a4393d2
SHA1621daaf7b6c588ecf3b5d0e67509be10359aa8de
SHA256d32f842afb770e17adb262380cc099793994ac06f06cb7dbb38152a012cfc61e
SHA5121e7716969e4a4db4da036894caf4e0ec08459dff5ab5313e56054cac528d6edfaa37fbd209ee46f7531a7dd9830ce53861694f411e9259a432871e6a00b6ce3a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57c40aa73f02a872cfafef9d6d25fac1f
SHA11ed415492ec7ea5006c0cb7360e1482e50580de6
SHA256dfa667f6fe0de6b30b743c2c3bd4dedbe21dc31e0009f116b780717d0bf045ec
SHA512cbdbc53c5bc8af94896b14c5cee27dac242dea351afe088880ca4e7ceb0f0616fcccf5fcda00c7f19720e785d3f0dca9bc9f94b0b8474b40e2b996f3056dceac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57aa13a9c08e604ed26363073f1ec6c8e
SHA1177783a6826250811f6bab33f99106f4ecf90c7b
SHA2569e7d174eb972e728735604004980f4d33b350e41c76cc5caff64d2baf1dc26f1
SHA51282b3db1dc429022bc5c9d05b58600f8373007fa394d3592ca53ff95dc38025f7c5fb4e01e559ae73f50cd36ed249496e49d8f48a34c048f8fd71e47784e6a221
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5da8735e3a0df8be504eb983bc183917d
SHA1edef316302fb9281b10bd94711b195b7deb59c37
SHA256d14a188267ce37d9e7851906bbaa81970462da55b2597b057c08cf8d27cbc12b
SHA512d8bc05c0ae1825a18cee173b62be2eb1c816c56b7107784ec03167d10109e500791343aba67ffb1dc97ef0008a99b826929c86bdd078f89bda253c40dfe3221f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD531f5f5e6535c429ca8f95371bb513abc
SHA13c591558b8d5cdf7e138ea489d1aa3b52a9346e8
SHA25673020b9fd3ec0baada8cdb10bdece64e3bf34882f05568fffefb20e5f01cf365
SHA51219872e1b46eea0a3c77f267858dd41aa69c924110db4f296a7b8ba178e2f515aa21fa5875c36c4ec9e4454b653f73708b6aaccf192ede6f172d7ac9bea9f21e8
-
C:\Users\Admin\AppData\Local\Temp\CabBA7.tmpFilesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\Local\Temp\TarC18.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
memory/2032-4-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB
-
memory/2032-0-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2032-1-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB
-
memory/2032-2-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/3056-6-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB
-
memory/3056-9-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB
-
memory/3056-12-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB