Analysis
-
max time kernel
120s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
23-05-2024 04:54
General
-
Target
18df735af8fc13ff1cae170c10482cd2b2b124e70bbf30b10dbc3a627edfc293.exe
-
Size
1.8MB
-
MD5
e04b7b5ce521722e5ff8429c089899aa
-
SHA1
65e8a8048871ccf44d32ec3dbaaa98985b9f9f09
-
SHA256
18df735af8fc13ff1cae170c10482cd2b2b124e70bbf30b10dbc3a627edfc293
-
SHA512
d4b55eb7414196510abb896b317d9f52dfe9f1e2fa8cc5414e040da8cfa162f545ae2dc40928cca1b01815e55f3b798f6fb3935f7d7c73abd61d5af5522b4a28
-
SSDEEP
24576:/3vLRdVhZBK8NogWYO093OGi9JbBodjwC/hR:/3d5ZQ1NxJ+
Malware Config
Extracted
metasploit
windows/shell_reverse_tcp
1.15.12.73:4567
Signatures
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Drops file in Drivers directory 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18df735af8fc13ff1cae170c10482cd2b2b124e70bbf30b10dbc3a627edfc293.exe"C:\Users\Admin\AppData\Local\Temp\18df735af8fc13ff1cae170c10482cd2b2b124e70bbf30b10dbc3a627edfc293.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18df735af8fc13ff1cae170c10482cd2b2b124e70bbf30b10dbc3a627edfc293.exe"C:\Users\Admin\AppData\Local\Temp\18df735af8fc13ff1cae170c10482cd2b2b124e70bbf30b10dbc3a627edfc293.exe" Admin2⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2456 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD546e7220138d90b2817a826fb241e8526
SHA139937dc819be59c215ce0283fe3f2f1a0967444a
SHA2560ae70a05838b61c52c6c944d301bdd0aa06053ad6e18797c1e5c7379b3aa867c
SHA512cc581b085a444a7fe836a36a582c2c3c42de6c99814ef54d3cf9852c8315e47b5783cddd9657557c0a521c73665b7e32b40ee3585ef996c781ff5496bfbe463f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD50e437676d9cbe6efcd389d8233f20f8d
SHA113ec17c0d1954ac546ec075c73d8ae48651c44a4
SHA25667ae0913095dc4a69d03d2707236ee5be7c71a1ee9610f5479dc973cdbd44310
SHA512bd33add26dfb0f17df103dab150835823e8a9062435a1bf74ca846e89ee4d30dcf91d151effc7ae6ebabd9d9e52131e5d8d4df9921fa31b1e3e60a73551ef22a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5a87d256d6c8c1a92ee9beec05d8450e2
SHA1bb0ac0cf838b4139cd8f4342b1c37b8aae2a377c
SHA256c3e9ba7490422fe19e00f95dccca9a2e3637236a70a6b6495431830acb100a49
SHA51263c79d47805a429e7e8cb46d7c68c8e673bb48580ad3706d2ee02a9ad09b37bc3d5693d1d4e05313ff4099920484e331d866a71400603a2ea04e30e58801b753
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5987491999f3a2b776e84591ad1564cd9
SHA141a889308b32b9378e8379255d47ffa1ddc2ae0c
SHA256f48271b82758436fe5c8fdd1a26f6f955aa66b517c01e246b3e50b3ddc0f6b2d
SHA51275c5b125408f2a0ec38ccbbecee003c1e975fa2191d7305c23edc8f510fe770183c4ed96eea20cd53a2a68a0ff7ee89b15b9713bb262ea33563a83c9d53da209
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52a9425d3e251a8a5c8f208017cfdb6f9
SHA1a1556e33749c09506e01c8344220034c13a11f4b
SHA256b3fe553cf96ce5199f0e8eccea173d127961fbe938de931d16c7a12c78afa58f
SHA512f1659a963b4aaa35f32ed654a11fbf16da25ab7c3fb3d9d9ce2fb31d77634bec54b7990753a691d71dd6f9ab4abb3ee2460e6e5ab4f68f9ef489b27033fead95
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5826a4dbcb17b71eb84d40edc18f0f479
SHA1908c425d0f24b3d2e0939a6ea4f0b0f278f1e915
SHA256605d1d0defdfd65d5b6e742405130e5f21ed11043ac5dec212190253ed33d59f
SHA512b73b68cb8745e33eaef950b42d1f998d383255e11c0d1d48cb8684ab0234c94ebaf312fd331d48e5880a6e6dc5cf70ee3e86674cd6611188a51cd0a167ad9f8c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5cefcf19044305c0cdd6a99d34c0d8e46
SHA1dd5cefc3e17708f4a79219d5b2c764c2483f6390
SHA256715a58e6b5f28a4d331e698097f4cc0cd50d357dc69ef3c53bc851a151a91306
SHA51277a9e5d8c9b6c58e7f73c4ffa36e930fb98ffdaa6b653a28c889e095608b171243e9a86b2644c56677b1ccbb9191f6538b82e490fb6d7b8ced73c8271686d764
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD511b58b1c0ba2cae6852ffad85678b72f
SHA1cfd0d3387122a9b024d0326f4a60d7930b4f71e9
SHA2565345657ca878b848b117cd860e0eed823cc79dae07b60b8310f0f8b4302c2f6c
SHA512ea9f23d6613f334459ded1f05b7003bfa96191d1c8eee897de0e4222d3ef16bb13f7d7a1882346545b3dea53ed977631c8c4d81c5898fa04305a2ecb1108ab4c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5686e7976ac63a1ee159a525629f50e62
SHA1438d8b11face77d56b1bb7e2266593c29c185738
SHA25624b144c145872f8dae7eced36a455358297902bccecc0dbfcf67d5411c873b6c
SHA5128e981e00fef955d5aa91df06317b09d99b19f083fb7885f5a0f5eaf3477334829a6d0339f811697186354444a61b24c211463fc2c6254ad779a6407d97374e16
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d5b5f3cca6855de5239b67f94b46ca99
SHA12721f204fbb6f732661df6a91a3e6e4b17d26986
SHA25666f16b743beeb0e72de173f047ed0a71116497e9ed3f72372081d6a0ea575935
SHA51249131349f4a5e9ffc19646d590d758bffbe43e82b8400b47b30abccd4c5669619c43f0e9e4173811905ded39bf1adadc44e46d23ee6f841a167fdb3aa35a87fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5d9ca22207dcea384bc57ee191820bf34
SHA1f38393ea2e63ae368b2de1a4bb19adc804cdd440
SHA2563f596dd07e26fbd02eaccd5b089c9961228bdd1207e0033f4375e43faf0c2699
SHA5122f21aec85baa3bea52d29c8d1e695ef2937c29558aa5b5266c9b4fcd7809d3a5b8b33e372cb3f8e2b51faa5a27784ddbb1e835d102d8dfacd0c98c0abe101751
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD576e8cd9f697ce85584e580616b694497
SHA19ef0dc37ad0937b0cc87acb7dff177b5a18cf2cf
SHA25699d5a484b39bcb63229a0a97a79cb836ed5e04d1398bbd1435d09dc0b9680063
SHA5128925ab1391458f6e2f060ca2e12c671a7e06b0d2edf175031f5784b476e513827ae74d2a8c55401c20876ce013c1bc6b4d67688d31fe7c0b6779de1da754cd83
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD561d14443d54252bfff4955c48f25bf90
SHA103a8145a90b2d2a1ded063dce431c3fa96a7a0f9
SHA256c2785bdf3192c5ba549cdadc9b272772034a4aadf18b0e2989840fcb8c5f8162
SHA512dc82c6d089c858d7d2ad032a7db925953563fbb218a2afb224e16764292ccba99566892771a3beb90afb30e2f5204e9547eaecb7a0c2f63d2ce8391109936dbe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD590dcbfef9cb1f904bc6995001a3614b9
SHA170c754a94b3179c2f5c49ee5c06ccd8de73360e8
SHA256b432e8678af338b2b6ccced3fca3e910ddfa5baa33a7a513985252483e061077
SHA512bb5539f1745e380e84782d6bfb37ba02f846312e9f57493649a24a4e20c80bbec03d55b2caa13d606fc873c8f410885e8fbdb050854c2f6be378d53a8b2135f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5154bbce2a157d8a1f9468671792d1499
SHA17ae55da26f2585cde9778be5847771698235e97f
SHA25694274c8ce3cddc8331884c61ccbf812f4ceb7bf1e35e87a2bd53b73d73e97574
SHA512d7fe81b5932ccf17408c0689763824063414e6daece38a95e5cbf0069b93b7718e2e8e98a2e1f39136e69116081c0b2b7423073c4d8d5436a8a3a1bf404e6286
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54628e316d1f74902cfdc81fedcb95d9d
SHA1ae9c4048218ddd42986fa6077343dc715deecd44
SHA256c455ac1f8758f011102275278ce6a4f1cfc85958016000df55eddd01261a2f17
SHA512973ce8dc9156bee93b16772905ac029a475a78bf7f45c6796340b7c3c58a7c69ab4403a7c4cea4d8f6ef191e531cdd2a737394973701fbe8eb13c75916047850
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD5182f2a4cfff5faafcf041143cf4cdd28
SHA1f71c3ebffd6183fe0ae73ee185db5f4f85262a97
SHA2563622dfc305d3812a62a3ffe76c66cb74ce28582dfaa40e63180e0f753cd150c8
SHA512e335de96a0ec5cbd5dff3d8c1813387feeee202bd7c651586e5395000ab8c5cc4a7be67d2f35cc65ca53f2da75057adb0ca0710a55a81ac2ed74f92fe7b79bb2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD52db2a236fe47272c290c45a94f39da75
SHA17887f33ee87cdeda2b64a0b578ba7c9e51760b61
SHA25620fda8a1bb3a39fd34dc141ffe9e9b0e18f53a21d927ad716666f8c0bf849300
SHA512581919674376de917c3e05d029377efbde8e7bdb116ceaec7e524548c341d4dcf99404f44e697b7915ead2b6cac206cb3753bdf2cf1396229589f04b4be8a98a
-
C:\Users\Admin\AppData\Local\Temp\CabFEFB.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\TarFFCC.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
memory/1936-1-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1936-0-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/1936-2-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/1936-4-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB
-
memory/2020-6-0x0000000000280000-0x0000000000281000-memory.dmpFilesize
4KB
-
memory/2020-9-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB
-
memory/2020-11-0x0000000000400000-0x00000000005E5000-memory.dmpFilesize
1.9MB