Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-05-2024 22:45

General

  • Target

    40651e3f874b6ae3a26dfaa48dcc364b9233768c2520829e9e5932b6a5396d7f.exe

  • Size

    1.8MB

  • MD5

    2a6e124b92eb398f7d93996b388fcd4e

  • SHA1

    1d29f7093ba8d3688e64e8f28cc810e245a6de53

  • SHA256

    40651e3f874b6ae3a26dfaa48dcc364b9233768c2520829e9e5932b6a5396d7f

  • SHA512

    6865060b3b366b5c0cec287e68ff8dd619699fff625945cd4e35ca36efce8a7a41edd9430ac9f420bdd640698968bab3464d469a1959d5ed6cdc8b588f5009ec

  • SSDEEP

    24576:/3vLRdVhZBK8NogWYO09LOGi9JbBodjwC/hR:/3d5ZQ1BxJ+

Malware Config

Extracted

  • Family
    metasploit
  • Version
    windows/shell_reverse_tcp
  • C2
    1.15.12.73:4567

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40651e3f874b6ae3a26dfaa48dcc364b9233768c2520829e9e5932b6a5396d7f.exe
    "C:\Users\Admin\AppData\Local\Temp\40651e3f874b6ae3a26dfaa48dcc364b9233768c2520829e9e5932b6a5396d7f.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Users\Admin\AppData\Local\Temp\40651e3f874b6ae3a26dfaa48dcc364b9233768c2520829e9e5932b6a5396d7f.exe
      "C:\Users\Admin\AppData\Local\Temp\40651e3f874b6ae3a26dfaa48dcc364b9233768c2520829e9e5932b6a5396d7f.exe" Admin
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Unsecured Credentials (T1552): 1
    Credentials In Files (T1552.001): 1
  • Discovery
    Query Registry (T1012): 2
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 1

Downloads

  • memory/2084-12-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/2084-6-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2084-9-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/2084-10-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/2168-4-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/2168-2-0x0000000000270000-0x0000000000271000-memory.dmp
    Filesize

    4KB

  • memory/2168-0-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB

  • memory/2168-1-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB