Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 03:35

General

  • Target

    f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe

  • Size

    1.8MB

  • MD5

    099acfcd2789c4d20e57dd7d36033197

  • SHA1

    9c13c62eea4c87121057edac53320af2fedd0949

  • SHA256

    f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432

  • SHA512

    ce7ea891bf9b7da04d60186a9b9d2153068f0f1f6d919f204eecda342378eb980b5ade1a1b86b633bbd6afd5b8d7143d7c6b3da8833a02e11e7b3e579cbb6ed4

  • SSDEEP

    24576:R3vL762VhZBJ905EmMyPnQxhe4a27l9BoUj3QC/hR:R3P6UZTHOW

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

1.15.12.73:4567

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe
    "C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe
      "C:\Users\Admin\AppData\Local\Temp\f47455b83feb4935fecb2df5241f4e212c000336371c79dde839857e053c4432.exe" Admin
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2416
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2396

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Modify Registry (1) T1112
  • Credential Access
    Unsecured Credentials (1) T1552
    Credentials In Files (1) T1552.001
  • Discovery
    Query Registry (2) T1012
    Peripheral Device Discovery (1) T1120
    System Information Discovery (2) T1082
  • Collection
    Data from Local System (1) T1005

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    67440313499d903aabc601617228812e

    SHA1

    b7c0c122301bc4e9e821bbda10aecaaac6eb8601

    SHA256

    4d002266b35e39e4756de37577ed9e4fcb053e72726b6950d9d393b9cda63113

    SHA512

    a6b112cefa2447f2909b6c73eccff0bbb9a0646ecbccd3a2da9523443cdbafe91b5d56f3f7aff4f383241ef80df8fd13857d6933cf875fa77909b5ab6356b638

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6960f8addfe3645b5dbe756fbdfb8c40

    SHA1

    0ca930125985272a6c712fc6c2d7cff4de3a0fc6

    SHA256

    85bdc0298f2b815b2fa6b475d0bc9aca1b0ce2e0a4d35c123b2998594e654762

    SHA512

    ecd8bcbf7e32e5a97b03f8c9859cd46badbc90c98778544cee05292b27ba46ba2c0f9d1d72e47af58d82769b0b7507405d9ff6d29fe1494d50761300580f8144

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b8276e49626afcc582e8dddcba22bfe8

    SHA1

    ac455c43b1ff2e84488b4f38fafc58c1ab273433

    SHA256

    da45ce791d22e2706a19aa4b5354e64222b3c6845cfe543d8d6e396e7a581657

    SHA512

    731b7a00c9f866c0f0b20d0407185412f271ecea7e8f5c503c1dcff33058e81c97f6b769c44dd751cfe39a5662c3207e8d6db0790fe2a8d7ea37dcaa1a381eef

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2d293af22050fa258187c8e566e0f005

    SHA1

    ec15fa744866a5ad26ff6c2c991b472082634eb3

    SHA256

    881cd383db29b98b9dbbb4850e2bd665a67550c50aacfe4fb95e4472e6fe0c79

    SHA512

    27fdaaa056aa776ec2ed5b33d504d60051cc92fe76d9ecc73ada6d82972dc0ce9cb30a3ac476121b6036aa1b28a7d9a90993baf1aa07d6f45699cd73e26d0a9b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9dd2ca58124ca2cf5c7470b2fc967c7f

    SHA1

    a039b9ee2e78b17e560ace30b7b594a463d1f099

    SHA256

    8033158c95dd30f04a87877f7832b39c7e87c6fbc22601046ad48ff1f07ff9c7

    SHA512

    a1221114528fa8ebab7e228d74b427b340e5eb49f203533531b5ec97818b28fba55ffd758090e50d9984c54480e36c8a0b6e94068c7bdb2673400bc2ab6a3a3a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    02aea08e219c9c9da398a496a2ec94e8

    SHA1

    7b7c1ae9ffa5371a2f7765c56f0034ce28b65dd9

    SHA256

    93d0bfd75875c987fe585d59d740ac8dc5a20fb91d203cf99e468b1c24ce2283

    SHA512

    e0239360bcb5ab79d41c0c49d65af408387af48085b4dbee851d49367eae764e5c408a5d64993cc319e344f8896ba8c12166565253d0ff3c248374c6361da8a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    34cd15528052e63d8ef9decbba7f7781

    SHA1

    fbb88133e56e3da18326538bfdfb7a089eb3162e

    SHA256

    4ad9dc5772d47ea5489bc409ddb4e898bbb1a56328209e1e217b1ef42eafcc96

    SHA512

    51d9f13b6e3f4db2e868210d10feed232de6ba7c457b84e4a071e5c8eca7a06ec46a5492f67de0150d537ea210e991cc8d0f02895879c92a3d99103e51ca5f2c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    26b0794dc28f20cac8fc584b0a1f3e07

    SHA1

    c4997a87594c5d02a7526041b5afa5b22f2246e4

    SHA256

    56e19a4d0592f77c3d48fd34454f126f9622509caceaf1ff1e5a802a455a0ddc

    SHA512

    a9897560e021da08342c34e4bb30cfe03d347ef2b2963ec2bf99fe7fe80fe6f1df87bf40512d13663842b9be835749be24946bb3e6967de9fdb13696c46bfc1d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    96244ceacb195a1e73ff13cedae03d11

    SHA1

    c14d94f304026e1f8ce16bf3714cbee5ca3ddb55

    SHA256

    8a010996b2ae3a4be554838d5545c6e1a49fdbaf8253fb7eae311e40747456c5

    SHA512

    d5cb359a62f6b951fb91a60bb7d037cde2cde1b688b4d0ee89426eccb5c5ead2cc91e016947c87160d6cc5f05073da9ff3d416b347b259027f0b5792dc67a6a7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    fcc6568e2847a3bf0f1c14297eaeb31d

    SHA1

    61f5787b159f8a12fe7619408313be35393b3e32

    SHA256

    922dfafc04735b272a89ebe525ffc22785eeb9dcf000e1b3d65522ab39d2d279

    SHA512

    6f3fb01bbc2d819daf5b5295793cd0e0d9386d8a5ba90573cd201a362ccc8550dfeee2650052f5b7e24a9e7a043b906a7f2bdbcc909ec86d5e0f651052666729

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    077fccbf5f486f5fec644bda3a1134db

    SHA1

    a4307010e49f644e0cd7a8fc0aaa71a4b40de208

    SHA256

    65171d49c6efacfe714d71830b19d897040eff7618fd90efe426ffa7d152e6d0

    SHA512

    87e111c74485d9187c702952f225e943f72210f41accd3e6660eea3ff00a9e140a83fee9b4a3b9128d3d1a9bb29aef972de326487777c6d3903c112048b4abd9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c0f5db150318320e24640108bea4ff3c

    SHA1

    753214a1b427e311f42c469d800e714a86f36e32

    SHA256

    3a84cd2d834553ad4e21bc7033a0400cbb7c48feb47f2061f34ffefee0a8ab1a

    SHA512

    11962bae780b618585032d02b7faf3313db836c8dc562cdc09570c0bcdd9a5eb7aa7a6171daf9d5d651ed69dbe527fcbc9bef5f4bd3b1893236388506c2c1314

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    2d64a71b63b11dbf7d4e6d895b5d481c

    SHA1

    de778db9ea7170ecf98c19bb4ce2885c8ace8d80

    SHA256

    a16d826f38e6aa2e673c33709942e8664b94c9768d101cfa80febfff32171b84

    SHA512

    31e9a0cb8705cf36bfd646d548211578ffb00d372075486050747ef5cba682c42eecee143477885d22d259ea6fc3ca936b62c990f8a24de720c06bbcea440dd0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1baaf06ce48014430d9cf4c12e756711

    SHA1

    427f082fed7227b7c415271a1df58cea4fb37b0b

    SHA256

    c976fe1d1f38e6ee48eac026f699a6dd638e43f3bf057848afff04b6a92dd2f6

    SHA512

    04421241ead955897b84500d2548a36ec464f9c6cd36aefde2f5702e8f5d55ff846a0fff93ccd05cb7cc1793ca213ebab77276501a86af3fa7ca634b6535864b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    76a9c2ccde2b39a04258e1d9dec6d6dd

    SHA1

    9e09d76b7f9cb50c6773b41c9b57ff5d48a37f27

    SHA256

    e4a5c9a30748d0542c65da3bfeef6e8d80ef727e0ee5e48f0ce7154e8fd440e8

    SHA512

    5e3daa9a858211414b337a12b61a216ddaa1fde8ef564f09fdfa07959c0c97465f5e7ade47c7809a82a8651ba5bff65a92381a785f42bb7947ffb6032610de44

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    dd9a52b7af8ba92ae9ba6c1e1bd3ca2f

    SHA1

    db41344a99a60c45464743114f6305a355ddefb9

    SHA256

    29f977de54e068c158b424ed949e0608a77b5ada98cc049214bd5a2eeb7fb48d

    SHA512

    3371c5cf6ec275e94f29f3e32380ab573798bccd07fb3590c8023a4fae89c60534e46d7a524cb40dc975ab6741faaec197d9c44b8da3c534a66bfc81907d74d4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    8701bfa60d28c0cb67df4d908e6f0402

    SHA1

    72a5956cc86b0b6ad69846fd6bfa3fcdaa2382b5

    SHA256

    3b4476044a19f1834eb60329192794869551bcde6c8f9d9cfe299abbe0c00872

    SHA512

    a53e9070c87a722c03cda6fb44fe09c6aa2dc536a2cf99f8b9cb09c62ddf1e10e66ce3f569481c85836fd2f93cab023e6d6e6ac9cd72b47c3e5a5201bb2d4ee6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6b50797a2e2982d48510be55f0be8f3a

    SHA1

    d21109a580715bcd16054d8da4c63c5ff6048e3b

    SHA256

    9e76f1549cbcdb0dc31d0bdb682009487cc554985001915b2649ac492da9eb2f

    SHA512

    cb2eaba38cc4d0bf92d1c375671acb0150209597b18e7aeff1efe250178afbb1e6b69ce9b44f40dd019c59b7f1445a9b988bb92ef57b8d8361f8b25f0c39328c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f03e759ba7d0439e044be706ff51afe1

    SHA1

    db181bc3a164f31755b05250490043959fe49499

    SHA256

    820a29755460316093943bf0c5a32cb86dc3271abb57db1e6c3a7976f30d0811

    SHA512

    ba0f5dbb544fa122915a5ef75eef27249846d5e69c7044e69fdd030a34bfdfe1a9b10650ec1d4c8f59f7be1ccb80923485145d3040b59804cf941126c15e6b03

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    1b2a0f3c2791309f0bf6c48502d5ac63

    SHA1

    ee4e74e069ad0aa606e51e6afd1620bfeb40341b

    SHA256

    90b3583276d03a71d5d8fa0c6d05bff199a7d83b7cab49b0b2cd018d5161f5c1

    SHA512

    da4fb38f6d17f90b843a43fdfd1fa161b89e14e81d61c0b217be2f42551afd311a6708be7e277fccd4b54ea686aad3d6b06dcaada2ae6b445bbd8feb4e499e1e

  • C:\Users\Admin\AppData\Local\Temp\Cab76A8.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar7796.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/2208-1-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2208-0-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/2208-2-0x0000000000280000-0x0000000000281000-memory.dmp
    Filesize

    4KB

  • memory/2208-4-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/2404-6-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/2404-9-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/2404-10-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB

  • memory/2404-12-0x0000000000400000-0x00000000005E5000-memory.dmp
    Filesize

    1.9MB