Analysis

  • max time kernel
    119s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-06-2024 00:43

General

  • Target

    e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe

  • Size

    1.8MB

  • MD5

    840c93941e368fd34f36831978802dd3

  • SHA1

    37e026bf535f70f684d08684f154db2bfed1c9b7

  • SHA256

    e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696

  • SHA512

    84444443767e244a00d1a3a05f1a0f35a16f223718a1715c7e1074ae6a8f2921828f5dfe70f5f4c311f9cb3920043d83aecde8503a2114493bbdd0e506aa0a8f

  • SSDEEP

    24576:/3vLRdVhZBK8NogWYO093OGi9JbBodjwC/hR:/3d5ZQ11xJ+

Malware Config

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

C2

1.15.12.73:4567

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe
    "C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2464
    • C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe
      "C:\Users\Admin\AppData\Local\Temp\e2e49f95a4e18d83e958acdc799d37e2043d0b5e9eded030f71668c86cdff696.exe" Admin
      2⤵
      • Drops file in Drivers directory
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.178stu.com/my.htm
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2588

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e321d5eeff79770733b7bb6e9506a6bc

    SHA1

    f9c0eaaadfe373a784a0bd4f0ab3168ac44b9381

    SHA256

    e47c5d867303cfec1a02b3db5593d2f12c95664a66ca72554524c207ad5c8955

    SHA512

    52919e83b7035582d720e8573cf872d46128c3536c44e39fc99c3621874829bd51fb128fa5fbf37411a74ffd6fb9c7a8d1d0ebcb3bd1715d68151fe6bd8d8e3a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    67aa9fd7ca95ccea20fe1a0fb826fefd

    SHA1

    17f9db8f2aeeec168423e4f18247bc863d128775

    SHA256

    202ca2f59cfe45834e1dfbf86a23cc384df9d48892d67578e1c8f2c14ca5ca7c

    SHA512

    b08680f536d11fd2b36358471d5c022e9197614996a1dea85e7bc6e17535baf5d806d7eb0f57c49eb72aa0a1bdefad4cbf75a51cafe65a0d424394530ff3412e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    cb39ab0bbc8a5893bab0409fb5aefa2a

    SHA1

    a0e743f6bd32d057b4e51fdd508568cf068e9d54

    SHA256

    1e9bc5bbc1b6e70f79efc9906406f1e51554c8735fb3b3d5f56b00478f79a846

    SHA512

    4683eddb0b624031487758d62f086492719ce8b5f91a75e313c4f7f7f32c75ffe43a56f417f21f8fb31b8f04c8f77a5050537022417ecb46825901de7a5fa3c7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    375480c9f46b18c0e76073c4733754a0

    SHA1

    e5d11cfb8dab460ce128c1b3f1a88e090688ff58

    SHA256

    474fbee630dbb9069a7a95e63627bc405e4faff38714bcd4fe087a9edaed4bee

    SHA512

    e1ab11c19bb5e179f48df63172b4142672488afa0c6e28b7b83f8d31664e906f691dd0f5a3d8ba3db67e8bcf2273a33ba353ad2a9251cec69d0267b639f95950

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    84c6050054db1f8596b0e9037cf541c6

    SHA1

    f180b7805b84d72c016e3301f5abf8ce89e56ee6

    SHA256

    cbd72ff878fb197f76e5f83f19c776eeb14c2fd8303ccfe2f5f61d78581cfa63

    SHA512

    223a561b4cd45a2c10ea254e991609b7948e7b6021c9b089b79eab70a4baa06a8e9ca45f53391035fd858a1db4a7f36895fe9ec164c5fdd54f9cdcb8a757d3d3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2d8c6475b593576476cc07f90b7d5e59

    SHA1

    38f3d66eac33fe8a33e286eb70aa78063a07bc36

    SHA256

    de1de33bad49d7baa25bacf965068943ba0cd8194b16b034702782a3cece213a

    SHA512

    f1325620e85d9a3e598aa3e770064e1bc37c1dc8845fc83379301006559f2368bea218f3d724d48b96c247f5122535e44dcc97a2d9d218717685926092f76e26

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    bc9d53b00d4db394d98c5b9caf3516a8

    SHA1

    1cb7561f57f77f7685d81a9ff451c7198f120e11

    SHA256

    42635570f5281eb804cd540b029f06437bf0683d68ce865b701b2cddd79d0712

    SHA512

    d5aa1675e63988718a3fe85ea1ca1a7f12f7693ac47390ec3dde3044466dd474ce449758f28c68d5c53ae1ed9f49a5d0bc2845405fda64e3c7e22d2572269900

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b5437495251d61d05fb364f003de5d9a

    SHA1

    2c60ae70f1280e640f78686a1e718fa930f766e5

    SHA256

    cacb414dfbda0493613c86daa2413a3be97f25e40b4046e17b579f0a68684c58

    SHA512

    f85fc03d848cf7f751d3925984dcf30e6ae1cb3afc4effdec5c2e633e273f8edef9b21b4a43c40257a7a3b8fc6e57c401f25a6c9b9a21a556deb9fe147734f40

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    1d8e7722c1b7a0b6bde3adf0434f1eef

    SHA1

    fcacdb0f0a70154c45f19bd7f456ed8785e24201

    SHA256

    22a3c211bdaad9d07754b774c1ba8c998c1e76cd2dcfc1f5904a1a686c6c9162

    SHA512

    9b897ca5ed65b925e7cc8539799112be408fd8d080239305464dc6fb71710829bddb293f2a851df890989a5b5e653684e432eaaf0c5b2057ce448417f1eef97c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    494c6cd912f522a08f7fab3d3f86968d

    SHA1

    dd5c465d905b8703f97fd7388e5ce053d6e9a5f7

    SHA256

    0203ba70520352e31038d394b9415a4f0f4235189a4f6138444547400b0249de

    SHA512

    0c0cf355fe30fb9a24ae7bb8310d9ac40d7b7bebcc6c7ffeb58f11e51f282367f36ae57f94f8b7b2955717b68eba3f7d13e70e295f1a13443535b7ba3ae4f178

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c299d11f4ccaea5eaf78b3db4e5fb150

    SHA1

    2405a889dc4e60961884ce49aea667270b07659f

    SHA256

    1a2963264ac7acf36f924c0119b03ceb65cebb0ba8857b9a2deb739c5318ff22

    SHA512

    dfaf198a8cc0b1c00b379edeb616189d78106bbecc7972d08cd5e4280374a051f819a81f48fcf91bd48f8f741c24d14ec10843e6c20f423f0a74f87e1ee8f0a4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    2b22c527d93bf8b2854be4b8117e5bdd

    SHA1

    8e0567f529e7098e851b26e65340a8828c74ccba

    SHA256

    86cf8e0e03688c8c016f3fdcdde76011badefba00f6763cb34535de19d901a78

    SHA512

    b6af97462f97153c69eb071cff3e4e7cb83c77cd001f736d6d56120fbee18d5679407af344edf6c21e209e8b58da819e168550f868fdae76aeeed9e7abb66861

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    eb81778215678dae8092d043abdf71cd

    SHA1

    477abe19b7503b17a718e72072ad6e089d6efac8

    SHA256

    b451306e5d590a3feb5835586ba9c83d9bdf61780da95a95eabbbd8098a973a5

    SHA512

    8963b4f276fd3b3adaca6fdb515c8f6e0fb1b8ec273ec86117d35df98877a2b5b54d019860bde80bcb863c128cbd982df64fb5c6bd774710da92568fe27a2851

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    59067e11446d2845cadff2ee44e38b6a

    SHA1

    ae6948b35ded86f2cab9b05567192e9730c9b131

    SHA256

    0fec158016a87375b560e47484030ba26e4a8edcf4867fae2da47c9eed27587d

    SHA512

    f15f503dcaa65d829d9b8f1ff76b2602f2da56aafb0437378cc9d12790a0af8a10e36157fe134f997169c38765c6e245b2f3c7ef9ac7fd7b6a8b314d798de575

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    341d24e24c5e3000cebb23d3866399c3

    SHA1

    6b505cbfa1cda2289fcd1c3e38099d0dca563496

    SHA256

    bbf87f1fdca33808620d8fe9f9b0478d617049971fd42f1caba677cc8b631cc5

    SHA512

    8665e5cc6b40d97afa4dbb2f1bfec26094cb78ab85fd44082af7472afe7743525ce0b124baa2d3a9414c0a5229074b164f3b5497979b86b5fbf128199a92d5bc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f79f861d98b3f67bd458ec2b04ca02c5

    SHA1

    6ad100d625bf535fe6429d36210ce2b6ea51259c

    SHA256

    c1d2aef9556749811fafde04e03a02c1da9bc6023bb2005aba601bc2096326fb

    SHA512

    b8908aad81ef72051597bc165fde48f8c48133457b8ce0e823108a083498b1296cc7ded80695e99732a179a8d2cf999e80aa4e129677a0634a296f14b621d6e7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    0923978c6c8cda19d01db73f3f932f40

    SHA1

    5a9abda7b8ae467ac1fc40b4c7d512b6803ba809

    SHA256

    b6519fcb832debfccc7ef601d40a1854e0d5099b761e77038c6d58ee5ae2bae2

    SHA512

    0fd03922d480df46aa8ebd4a4b38edcaa108e35b8623230b1c646fab0e1df9b8ff54cfb0050a2f08ecc07ae5e98bb6d1097c95d04d7a4f2fa08ec1d9909d2f35

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    3670e6434f8e557d1917261c927260e7

    SHA1

    6ce20157a71b221e780824b750ed5930a2182f9e

    SHA256

    ada3fe3a22139dfc11bb85ee72cf64ffd50ccf35d2bf5cee1e06bb36141e3d3d

    SHA512

    0600109c74ca4e019ea41161501477188c365bb6cfcaf227e658d88d9bc2620c7454978cd90c5b4c6c3a1fa4954236aef2f0dc44fed6f9de18d59ee70a30b4c9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    784deb8b83478cf36e84530120c8f126

    SHA1

    e61102be356e7b8f2226143e0c2037a2dd99fd16

    SHA256

    c6b64727c74eaa94c2506b5498b17038f0b057bfd0be70f2c321f25c70b22575

    SHA512

    481d42aed64ae4624bebcefb48a0a6db98a384669d827496c798a09bc1bd76747aacaf158363164d3f709923822585b6694b56abc1918a56dfff4c636567ef13

  • C:\Users\Admin\AppData\Local\Temp\Cab40.tmp

    Filesize

    67KB

    MD5

    2d3dcf90f6c99f47e7593ea250c9e749

    SHA1

    51be82be4a272669983313565b4940d4b1385237

    SHA256

    8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

    SHA512

    9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

  • C:\Users\Admin\AppData\Local\Temp\Tar105.tmp

    Filesize

    160KB

    MD5

    7186ad693b8ad9444401bd9bcd2217c2

    SHA1

    5c28ca10a650f6026b0df4737078fa4197f3bac1

    SHA256

    9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

    SHA512

    135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

  • memory/1912-9-0x0000000000400000-0x00000000005E5000-memory.dmp

    Filesize

    1.9MB

  • memory/1912-6-0x00000000002F0000-0x00000000002F1000-memory.dmp

    Filesize

    4KB

  • memory/1912-11-0x0000000000400000-0x00000000005E5000-memory.dmp

    Filesize

    1.9MB

  • memory/2464-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2464-1-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2464-2-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

  • memory/2464-4-0x0000000000400000-0x00000000005E5000-memory.dmp

    Filesize

    1.9MB