Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2024 11:29

General

  • Target

    510286.msi

  • Size

    1.8MB

  • MD5

    66b16b0e40121de05fc889765a9a2f54

  • SHA1

    72bbd8cda91693a0f655c67b0e2e9f86efaecc73

  • SHA256

    e158310cb13d1a48304d68dfd83447c4208f27e03f4f13d6a2184364a7c174e4

  • SHA512

    0bddd047a67d76bba80514138ee591f4b3b47ffc7240b2bbf5f2260c34e0c333f7c4a8a967ae76631187ef4988e4aa9a0af9c585c0202c1534c2144779456c33

  • SSDEEP

    24576:wt9cpVDhnsV2kDzeOahNZVtRIGE6czXkTXqH:vpRhnlazeOahNZVtaGPcx

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz

Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Signatures

  • Meta Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

  • MetaStealer payload 1 IoCs
  • Metastealer family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 54 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\510286.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2868
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2120
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A73C5ECE639159C2E9F11847B2209FF8
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b565d5f8-7c20-4393-9fe0-bb91c7585c9a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:672
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:1916
      • C:\Users\Admin\AppData\Local\Temp\MW-b565d5f8-7c20-4393-9fe0-bb91c7585c9a\files\piovbar.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-b565d5f8-7c20-4393-9fe0-bb91c7585c9a\files\piovbar.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:880
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:2180
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2564
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000005D0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-b565d5f8-7c20-4393-9fe0-bb91c7585c9a\files.cab

    Filesize

    1.5MB

    MD5

    a5bb958f9fc3480a53e0e11069a295ae

    SHA1

    b7711d41344c19c8f08a5be0ac2aa0581d685b18

    SHA256

    63be86007d54161303371b93113af3847f5611ef8b689450dc87d95acd130f70

    SHA512

    d611691f786c53ac80c0d1377630702b587ad00306e6ffb4468db254bee24389c584d8aab26ace4e635a44a2bf46b64d48c118c31a424343df5f10c5dbe9d94c

  • C:\Users\Admin\AppData\Local\Temp\MW-b565d5f8-7c20-4393-9fe0-bb91c7585c9a\msiwrapper.ini

    Filesize

    384B

    MD5

    0a4239281b48bd20c3538e8a687698f3

    SHA1

    6fc1d5e40326692fbcf77281144a9f6b433fc11a

    SHA256

    81539e7a6bd21edecb2620e8c78f19bc45d476bf8ac4044378d0c16fbbed7ffe

    SHA512

    109cfbc7303dbbb2e2e48025851e73b0964b60d1e94fb55b7c30cd047ce9cbd9b52c130cc780ed8ff15cbbd10860d52bd1bba9995baff9dc395674d74338a555

  • C:\Users\Admin\AppData\Local\Temp\MW-b565d5f8-7c20-4393-9fe0-bb91c7585c9a\msiwrapper.ini

    Filesize

    1KB

    MD5

    a1430b595908f3d07d6c8a462a9094bf

    SHA1

    fb278f637204e97c8d2673caafcdf0b61de25406

    SHA256

    6876039ef3d042bda0579a15b2c6bd24007ee9401a83a3d180215b24637dca5c

    SHA512

    58814cec13d1615302b1425d6fb51d347288c4747b8ade43482afdcf7823605dd08cd7e6c963c2df99013f2f189e37d049bfde48f7e7499b961e71017067055b

  • C:\Windows\Installer\MSIA8CD.tmp

    Filesize

    208KB

    MD5

    0c8921bbcc37c6efd34faf44cf3b0cb5

    SHA1

    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

    SHA256

    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

    SHA512

    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

  • memory/1768-82-0x0000000010000000-0x0000000010731000-memory.dmp

    Filesize

    7.2MB