Analysis
-
max time kernel
122s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
17-05-2024 14:23
General
-
Target
87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe
-
Size
1.8MB
-
MD5
bcbf6cde461ac107ad366b4aafc162a8
-
SHA1
478fc541027e351de18e2b70f0218e82ce828e98
-
SHA256
87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3
-
SHA512
6ab0a6d8c288d30db2aefa593d7e82526a7cde2d54411e2f373d67d1a31e34323ce63ddcd633eae14f32f58afe3c355d90c01d973f45d417c1d70a93b8a0944f
-
SSDEEP
24576:R3vL762VhZBJ905EmMyPnQxhe4627l9BoUj3QC/hR:R3P6UZTHeW
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
1.15.12.73:4567
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Drops file in Drivers directory 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe"C:\Users\Admin\AppData\Local\Temp\87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe"C:\Users\Admin\AppData\Local\Temp\87228f163d1422a94f0bc4b5e58eda0f4bb51615d8146ec3c873f0b6987319a3.exe" Admin2⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD559dcd04e6b26bc0bf8a4b119d60adc00
SHA1e438c48b14ea1a4c1638c48164613da1ae4be8ee
SHA256ffdb52244ff2a8238781e75ad101f0f86ba0b48f85d4d410867c54e95c76210e
SHA512b9e76e51b644b5ac8292414e78b44509ac015cb1910675be3af8272a441ad90183f9af3b25a7b21100c50910c5a9216d7f8e0e89be98f8707802019ca058ccfe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53b679d39074b8706fe43e23195c15fa4
SHA13b3a6c5e291fe1bcfa94c8200058031355392476
SHA2567096017929fa3ce982e781d312ee78d0c15b7fd1ed05017543d1e36c1d156aa2
SHA5120ddbdb3bd5aeb92f30552c8cb8534502c5b85b6218c62b427709a48ccecc29c23ab775169f0cc3bbbcbf5f08ef0e0b7c72b3e5eaaf93c8a8c75b1091057df9d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57697fd5a0538c3fb9c4b35ac94b7a09f
SHA1278b856260b2df3af4cb1f4c0da59e0efed49ab9
SHA256482dc7cc9e6b0050efd1e7691c64dc2f422346c641d4042a85eeb83543f24948
SHA512694336a0f2583fdf3f582b291246f80baab176c59975d49b35029282a54880600ca15616e3f3ee200343f69016559fd45705d325ac7115d1fb7a454b749c26f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cdf4b9c5cc0076184bbf9e3eb652d470
SHA1263e7bfcfff64986dc1ef753e2458f85ce2738af
SHA2565487bf098a33c3f8f59ff779b22e7358c73cc8b0c4b4ebed0b977411be3fffdd
SHA512d892c753c1822af5b518134da2651b9bad8c19eea6b8c83e5c580a9a5e1c4755eb91f49a6876f718f97e6e106ad348dd0e7389144db82d871e48026d41bb3664
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD57921ed69133601b4b0031d9d448278d7
SHA15d7eeaae19d866c5ff55f13893d2f051995e2ac8
SHA2565e192eba7d90dc402afb854c98444908fe388d67b8747dd3c3b53e984a620852
SHA5128fbece056fc63994b5c01e7dec9012ef38aae6c9832699fb2ca732c8eb90d2cc416f7cbf976a2cf89f508cf2961d1d9397ec78514c262868d319c8eee8c10d4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD589d24bd13769ce9593312ec109f91324
SHA11564ba948d2b8ea57e31b6a1be2fe4365230de2e
SHA256861dbca2565b64dfe5f5429be97e7f074bbb21deb2300e8fe9741cbbb5fe5a11
SHA512f9349c394902f4f959b21f65ac762c83bac49c4bac34217cb7825113fd90188b8d2ea1bca4f7fafb27cc48612c1866012240a1214b6aef95865d7aaafcfb92ea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53788f81c7e2921be047a0c653588d455
SHA19f4a8d841502d430350a5c78869c5bde8b643b8c
SHA256a990299696a6303b3eaba0911e29c03da9b6a052b12f94ffc2278721e856cd3f
SHA51221d03aac4524e7179f66ffaa4f9ed342c9010ecb9c01964effb6c9645b3fe7131c21518f78682caff3bfc88482651f6ee5a03f8ddb783bece933efad65a06a70
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53f2f55e988fac6cb060c1170f178a04b
SHA1cc0a2ad27342adc8ebf50dfa06e0f38fbc382844
SHA256901c8c60e5a816b88694f8cf14ffab66c417fdb178989188675a5b78c4631ae1
SHA512f8d8979575d7659e9532a646a2c6dbea210298b52f78dc4f845592606e9e3189bd31142a23f5606323d1961a9172783322c1b041fa778a613663d97ff00ec950
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD505ab911cd304df2f04c40264ea511214
SHA125cc62ef39c08f5dc3ef02616a389564558b26e6
SHA25637a05fcd4a3938753b19cff96bc13c1b867ad4e0ff01531416a1b3a9418d4b4b
SHA5124f3b63b3a46dc6035bddf44567b21a0fbd14c5d94e5fffda5bb548da267d6cb6a04f86982ef36f555bbd0913ddb257e09abeb5897ef3452096e503db68052c4d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e39f69007c562fb5b22aad031e9dc3b7
SHA182263b560c4474c9966cc0fb844b5d686c8d93ed
SHA25693058474a4ecd706effc1d57e0adecc53cf85b5f13af4dbcb96291dbfbe3f02b
SHA5127edbaa999e5bb6876d4479d29e34b259d1d691ddbeff452abf49aed879b35364364b8e0ac45f7024887d62f5d9cfee5f5cdc7314128856a774f7128afc284061
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5293885f880ade8956647d3bece59e937
SHA111be2ef010514079d93a46e9ff25004931703a3d
SHA256f0a699340f1f07817a5fe7dc0f65d02e1675e380b6ba8473992f958eacfa58ec
SHA512a01de852f90aa37cfe3791afef7f163d797cc2948cdfc5227fea376f375b29877cb3d2212b55c5c1a00d5cadebfe2d8bc9f941bbc686ed2338a2c9ca16b135da
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52de5dd431e7784b0f04b5b3a413351ab
SHA19f13f580dca3523f2cfad98af1bde2e09aeacd61
SHA256bac7448c05c06bbfb2e425e6f7fee9b3c77d58871201df3968827b0e27b5d520
SHA512470a35a703f898c026eae241c38a38c73df589c97d444e87b352eafa0df891827118cfcd61874291c977feec4d2c4bcc5e96542c8b5b8bde927bcfa742ed11a0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50158ae452cdbbdb0d23a5550367243b9
SHA1e8657ee150b4e7e9f1743e26bc02dcc938e5d891
SHA25636cfd621d21476e732ad37357151447f183e9b1b58de2e30e36fe38dd7b2d9d6
SHA51206da6030b0f4101d4b0fd8216fc8f25e898ccd413c1dab32f00f962e1a98be46acc027b06ab4adc29df009bde4fee224353671479ff037ef2a177ee4fa352355
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5c53af61a4d7e807b10ebc63619d7df91
SHA1c7932569f77d61a4d9098684061c01472ac4c52d
SHA256e28a4a95884cf5238a12da7a835f06579e89da2298f1f514733f94768c82d14b
SHA51255127f87dfa30cb5916072552032d38a61b89ca488b816153a1840d75c2c1666e94b87e6853533979a0c817fc40e20300b85dfea5e637b778949d895f1ffc7c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD532d2c602e8a500a1d00b2650a56515e8
SHA18bf795ad5eee0421e3aea5bbb291a0abfa2ddd44
SHA256e7942fcacf0ac10f47bf26a8ee31191ebe4cf5ec492e16649c37073c94846429
SHA512aa77a1de378957dc44cf8abfa59901ae287eceee25b1a7a81e59549679c03560b96ad4e6855d0b3a08e7d7c6edd013e335a6b54c54d2fda15c45525475b817c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD53efc20125b7b7d78e8a6cea0c44150aa
SHA158cdc8c4d6e4eaadafd9ba09aa309fde05f42093
SHA256b06f8d8b73b6f35b34b2d4c480ba9ada1c868b831a9c40b19032e58989bd683e
SHA512f1dbeb3b29eadbba7dc1e93993fbbd927573d8638bbe84a4478077739ffbcca2ac5660a29a7f1cb864f94397249cffcf5d46a588ec93f2bc6ee0b7b1da1ff712
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5e51f8cb6ab0a67e1a77b71d5c2a29615
SHA166e430ef2fcd7cfa2f0ce2f4030b9fe0a1004930
SHA2566dd3c5649b32c399d411c06c2492bb894f0480df9d0e37f760e34de3552c576c
SHA51271a4dc1ce6b2d04981069420781efb90034dae2ad2e63dafd7def5a83c2e079115d14e7912d9ac547804789389a5a860e0d34ec35b0f71018a86becb0f9a80ab
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5fd358f4590055c025e778309fb10e548
SHA140c45faea7715c681e92efa7d469746b2c09b2e7
SHA2566465bcb9a26862a66da1646b45fca10d1a013496755a54c364b2adc4e3d1ce4d
SHA5128fe168755de0b9fa528e610878edef965dd0ffcfa658f12f71367b47abc7d73404865388e9d0bfb56b35953a7121636d11a04459a446b7f7ff64b988ac55fc49
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50327ce85c2b7e9579a265900224198b5
SHA1b4bc6992555cf889dcaa7b2791dd3e1296097dec
SHA256463ed034f56ce91996101f6ad08ba058b352b92c235661f34fc709eb77f073a8
SHA512e49be55ff172ce0d07d729c45d04a2d9d6361eac60566705fef2a83edccea05431f2ec0f84a005d771b8ff3aa5723eae8673b05e9229c18264d6ad2f02c0ee54
-
C:\Users\Admin\AppData\Local\Temp\CabFAC6.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\TarFBA8.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
memory/2496-1-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2496-0-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2496-2-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2496-4-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB
-
memory/2980-6-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2980-9-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB
-
memory/2980-11-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB