Analysis

  • max time kernel
    117s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-05-2024 08:10

General

  • Target

    14eae8dc2f67c918958429dc9166e2551ef0ee7aee51e85fb553c76aaa26705a.exe

  • Size

    793KB

  • MD5

    b7ba655c106cede1224f99efd3266aa8

  • SHA1

    068a3824c52eda24d32d483a309f6559f9c275db

  • SHA256

    14eae8dc2f67c918958429dc9166e2551ef0ee7aee51e85fb553c76aaa26705a

  • SHA512

    e8d50dc5208ea1ccc42f0f889022fb9dfee2b84051ab3437b8968e51f577efd3b142d9244bd2ed62854c69d4438865065fb193dce9abe3e7abf729173f6196b4

  • SSDEEP

    24576:L6ftojDBeSYnIWoigZt6IZx89W0CxV9asvCpm2:LLp9oIWSf8Alm

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

1.15.12.73:4567

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14eae8dc2f67c918958429dc9166e2551ef0ee7aee51e85fb553c76aaa26705a.exe
    "C:\Users\Admin\AppData\Local\Temp\14eae8dc2f67c918958429dc9166e2551ef0ee7aee51e85fb553c76aaa26705a.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\14eae8dc2f67c918958429dc9166e2551ef0ee7aee51e85fb553c76aaa26705a.exe
      "C:\Users\Admin\AppData\Local\Temp\14eae8dc2f67c918958429dc9166e2551ef0ee7aee51e85fb553c76aaa26705a.exe" Admin
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2568 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2600

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion
    Modify Registry (1) - T1112
  • Credential Access
    Unsecured Credentials (1) - T1552
    Credentials In Files (1) - T1552.001
  • Discovery
    Query Registry (2) - T1012
    Peripheral Device Discovery (1) - T1120
    System Information Discovery (2) - T1082
  • Collection
    Data from Local System (1) - T1005

Downloads
