metastealer | 79d7036b030dcaaec258637b01dbc4f9786d6777afe85f6fe397d6034e2f4806

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libcrypto-1_1-x64.dll
Size

2.1MB
MD5

e37cf85193275925afdb82a266069174
SHA1

8027ca74a08e02dc096a9a3f92081bd5a7a20c67
SHA256

307ec11b5a2a83aa2787b8f3cbecb4ea93868a3b3982ebbd5392f3efe9141c78
SHA512

16db460c1872711a9e84cbe60d587adf56750ff0720b50c992b749bf3f3e8f50d76af9976742aaf933bcded4ab663c6134dec8593b5d071af8eb0050f1285418
SSDEEP

49152:onej4p8c8PFouXSgeAx7rRJHULSn17x95XsjRDFtEMawsusXxQ61CPwDv3uFfJ7:Ks+uXh7LUq17TWdDFtEUx61CPwDv3uFZ

Score

10^/10

metastealer discovery execution spyware stealer

Malware Config

Extracted

Family

metastealer

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz

Attributes

dga_seed
21845
domain_length
16
num_dga_domains
10000
port
443

Signatures

Meta Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

MetaStealer payload 1 IoCs

resource	yara_rule
behavioral5/memory/3016-70-0x0000000010000000-0x000000001072E000-memory.dmp	family_metastealer

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
1132	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe
2644	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
992	ICACLS.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\f76fb30.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76fb30.msi	msiexec.exe
File created	C:\Windows\Installer\f76fb33.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1308	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2780	msiexec.exe
2780	msiexec.exe
2732	powershell.exe
3016	setup.exe
3016	setup.exe
3016	setup.exe
3016	setup.exe
3016	setup.exe
3016	setup.exe
1132	powershell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeSecurityPrivilege	2780	msiexec.exe
Token: SeCreateTokenPrivilege	2248	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2248	msiexec.exe
Token: SeLockMemoryPrivilege	2248	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2248	msiexec.exe
Token: SeMachineAccountPrivilege	2248	msiexec.exe
Token: SeTcbPrivilege	2248	msiexec.exe
Token: SeSecurityPrivilege	2248	msiexec.exe
Token: SeTakeOwnershipPrivilege	2248	msiexec.exe
Token: SeLoadDriverPrivilege	2248	msiexec.exe
Token: SeSystemProfilePrivilege	2248	msiexec.exe
Token: SeSystemtimePrivilege	2248	msiexec.exe
Token: SeProfSingleProcessPrivilege	2248	msiexec.exe
Token: SeIncBasePriorityPrivilege	2248	msiexec.exe
Token: SeCreatePagefilePrivilege	2248	msiexec.exe
Token: SeCreatePermanentPrivilege	2248	msiexec.exe
Token: SeBackupPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2248	msiexec.exe
Token: SeShutdownPrivilege	2248	msiexec.exe
Token: SeDebugPrivilege	2248	msiexec.exe
Token: SeAuditPrivilege	2248	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2248	msiexec.exe
Token: SeChangeNotifyPrivilege	2248	msiexec.exe
Token: SeRemoteShutdownPrivilege	2248	msiexec.exe
Token: SeUndockPrivilege	2248	msiexec.exe
Token: SeSyncAgentPrivilege	2248	msiexec.exe
Token: SeEnableDelegationPrivilege	2248	msiexec.exe
Token: SeManageVolumePrivilege	2248	msiexec.exe
Token: SeImpersonatePrivilege	2248	msiexec.exe
Token: SeCreateGlobalPrivilege	2248	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2248	2072	rundll32.exe	30
PID 2072 wrote to memory of 2248	2072	rundll32.exe	30
PID 2072 wrote to memory of 2248	2072	rundll32.exe	30
PID 2072 wrote to memory of 2248	2072	rundll32.exe	30
PID 2072 wrote to memory of 2248	2072	rundll32.exe	30
PID 2780 wrote to memory of 2644	2780	msiexec.exe	32
PID 2780 wrote to memory of 2644	2780	msiexec.exe	32
PID 2780 wrote to memory of 2644	2780	msiexec.exe	32
PID 2780 wrote to memory of 2644	2780	msiexec.exe	32
PID 2780 wrote to memory of 2644	2780	msiexec.exe	32
PID 2780 wrote to memory of 2644	2780	msiexec.exe	32
PID 2780 wrote to memory of 2644	2780	msiexec.exe	32
PID 2644 wrote to memory of 992	2644	MsiExec.exe	33
PID 2644 wrote to memory of 992	2644	MsiExec.exe	33
PID 2644 wrote to memory of 992	2644	MsiExec.exe	33
PID 2644 wrote to memory of 992	2644	MsiExec.exe	33
PID 2644 wrote to memory of 2768	2644	MsiExec.exe	35
PID 2644 wrote to memory of 2768	2644	MsiExec.exe	35
PID 2644 wrote to memory of 2768	2644	MsiExec.exe	35
PID 2644 wrote to memory of 2768	2644	MsiExec.exe	35
PID 2644 wrote to memory of 3016	2644	MsiExec.exe	37
PID 2644 wrote to memory of 3016	2644	MsiExec.exe	37
PID 2644 wrote to memory of 3016	2644	MsiExec.exe	37
PID 2644 wrote to memory of 3016	2644	MsiExec.exe	37
PID 2644 wrote to memory of 3016	2644	MsiExec.exe	37
PID 2644 wrote to memory of 3016	2644	MsiExec.exe	37
PID 2644 wrote to memory of 3016	2644	MsiExec.exe	37
PID 3016 wrote to memory of 2732	3016	setup.exe	38
PID 3016 wrote to memory of 2732	3016	setup.exe	38
PID 3016 wrote to memory of 2732	3016	setup.exe	38
PID 3016 wrote to memory of 2732	3016	setup.exe	38
PID 3016 wrote to memory of 1308	3016	setup.exe	40
PID 3016 wrote to memory of 1308	3016	setup.exe	40
PID 3016 wrote to memory of 1308	3016	setup.exe	40
PID 3016 wrote to memory of 1308	3016	setup.exe	40
PID 3016 wrote to memory of 1132	3016	setup.exe	44
PID 3016 wrote to memory of 1132	3016	setup.exe	44
PID 3016 wrote to memory of 1132	3016	setup.exe	44
PID 3016 wrote to memory of 1132	3016	setup.exe	44

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\libcrypto-1_1-x64.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\system32\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi" /Qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 24DB8638B7DB85DCF8AD99819F57FCDD
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8c478490-427b-4e56-93a9-cbfb6dee7280\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:992
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\MW-8c478490-427b-4e56-93a9-cbfb6dee7280\files\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-8c478490-427b-4e56-93a9-cbfb6dee7280\files\setup.exe" /VERYSILENT /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2732
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1308
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Add-MpPreference -ExclusionPath "$env:LOCALAPPDATA\Microsoft\windows\systemtask.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\windrv.msi

Filesize
1.6MB

MD5
24cbbd2c70efbb75845548513114317e

SHA1
bd13f38e7301648b8cea6135a851b8691fda2c27

SHA256
b31e366ae13a960eb0efbfb5074b0abd1f300151289833d7dfa1a9382bea1855

SHA512
b7b0e4fa57e17b0da21a85f56f29a711ff226c8a9e95ca59721e4f20e32b9cbd8a5fdf69010e79f8452df5457a055cc2a41f2ad773eaf692680bc39cb8e50ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8c478490-427b-4e56-93a9-cbfb6dee7280\files.cab

Filesize
1.3MB

MD5
57c5b54337af1acd54c65c5abae694b2

SHA1
87b6b5eebf8fa70a42bd2cf192740b7130a521a2

SHA256
ead264b457fd74737f51a2c4bf5d4679d7e1dcdd1547aca6fe3bf7e117c9d0d8

SHA512
af10bdc86a45d59d6e46b5cfa942348360c3ac4312d122bf80783673c448861621811a2c3f4446355037b98a67f642cb8ae27945619d0cd32aaeff9656c0982e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8c478490-427b-4e56-93a9-cbfb6dee7280\msiwrapper.ini

Filesize
1KB

MD5
b7f099d62c59872a745fd69ccc9941e7

SHA1
156a375bb71e46ad5fb99c177dc164cb299210c9

SHA256
ba5da424fc9f7f621ef4979fc88a89bc9a97bd627d6e331a2cf1d291ac0c8d4c

SHA512
b99197b82b6c5167f353ac8a25fef5f0dccc670824bd55d40428adccadd1957d3d3ea344e477cf0371e0680f698fd57e7674fe68b364fc2127e539daabcdd5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8c478490-427b-4e56-93a9-cbfb6dee7280\msiwrapper.ini

Filesize
1KB

MD5
b2e67a09b342b2b68a307ab2a5f23fd1

SHA1
97d9ace2fe81d244a5c349501a530a84d9364f10

SHA256
31f8df669699f7c691704a7fa513395064a9fe1cd4578f9c8981590416f00f2c

SHA512
fd8a809d4a42ba989ff4982cde9e43ce47de136b84506ba04e5883c66a9dd6dc35895fcd11f52d7f2e53724d7ab5fee6ff19015d0d4b6469d99d705e89684b92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6bac546c53f88cb2ae168aea71ed04e0

SHA1
7a92d9e9b41f9ee1644ecd0595233eb86146c4d0

SHA256
72aea6379b7fe169dd277c4657080e347bf67c117bf6ffd8d045df20c3285379

SHA512
42873826a059bc9d32027c57032284710d2cb187e3d0637c3eb7ffd495ae5a979bce312f33469be258e419a468baf41708b0426ec4a5d4d6c8e54363e3fc32ab

Download Submit
C:\Windows\Installer\MSIFCC6.tmp

Filesize
208KB

MD5
0c8921bbcc37c6efd34faf44cf3b0cb5

SHA1
dcfa71246157edcd09eecaf9d4c5e360b24b3e49

SHA256
fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

SHA512
ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

Download Submit
memory/3016-70-0x0000000010000000-0x000000001072E000-memory.dmp

Filesize
7.2MB

Download