Analysis

  • max time kernel: 979s
  • max time network: 981s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 06/02/2025, 21:59

General

  • Target: setup.msi
  • Size: 2.0MB
  • MD5: 341c2c8230d4056c4ff31a589f54cd1e
  • SHA1: 9fbde5b47c8d34b20b4b7581bfe127de01ca025e
  • SHA256: c27665e59d0de94be2e5ddf1ca8b2415e8c75d623762a9757411f3e1b9734af9
  • SHA512: 4950f54ec9a0e6f53126b0a3c4d2e5ac57341cecb80d0271780e10aa4c4989fa8e2d8bc8262e7bc9b4098496f9be7a535ea33c3f51bb645ebc3f65c16592fe6f
  • SSDEEP: 24576:ft9cpVDhY65fAUdXh8T7ZbkSZ6GbVDR3C5OD8lxsPvQpiKzxv8T:IpRh15fAyXWXdL5CIOxZiK+

Malware Config

Extracted

Family: metastealer

C2

Attributes
  • dga_seed: 12914
  • domain_length: 16
  • num_dga_domains: 10000
  • port: 443

Signatures

  • Meta Stealer

    Meta Stealer, written in C++, steals passwords stored in browsers.

  • MetaStealer payload 1 IoCs
  • Metastealer family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive material.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2840
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:456
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 081A9BDFEB87DC949B34BB336AF72894
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4236
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f064e1d8-401b-4176-b14d-43c4e0711bd7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:4356
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3096
      • C:\Users\Admin\AppData\Local\Temp\MW-f064e1d8-401b-4176-b14d-43c4e0711bd7\files\setupxe.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-f064e1d8-401b-4176-b14d-43c4e0711bd7\files\setupxe.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4188
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\search.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2992
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:3820
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3272

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-f064e1d8-401b-4176-b14d-43c4e0711bd7\files.cab
    Filesize: 1.7MB
    MD5: 90e9268b465de442f072c05931d25d79
    SHA1: 57a3be757b7b870ebf39a2d662b410e0954c47ae
    SHA256: 3d31c5e8de2addbce8dae8472b180abdce649e5b69f9f55ca2df12cf499163f6
    SHA512: 4f94a3b93f2f3cf339692653da254145a4e65f687bcf9364c1ac5b814cbeee2e89c9db337fb0c2cefb548244356e6672f2aa6013b402eaeeccfe97678f00706c

  • C:\Users\Admin\AppData\Local\Temp\MW-f064e1d8-401b-4176-b14d-43c4e0711bd7\msiwrapper.ini
    Filesize: 344B
    MD5: 2399fa4ecf68e376f13cdc3341488144
    SHA1: 2a63290486b000ec289082b522ffffbdd2681b61
    SHA256: cefc79a598e592a6003a9ec2cf9f8e481ea179021bd4140c81405e5b19445bd3
    SHA512: 9850a4064657ece412edf204032cafc8f6e0896266d81c4e25c15b164e828b6e8835187a8f84bbd7aa6c13ea1bb87d9bd832d78bc1a3ce077eee0a13e9953aa4

  • C:\Users\Admin\AppData\Local\Temp\MW-f064e1d8-401b-4176-b14d-43c4e0711bd7\msiwrapper.ini
    Filesize: 1KB
    MD5: 6a24e019117f06bdab139110d00284a9
    SHA1: 11b1498903ef415ec6bea9f6bf4d16b45fdca5e8
    SHA256: 358c39abd5fb5ca566a59080c27ebe29816bc06eaff8264bfd7e1156ce65c409
    SHA512: 6f7367cfe27aad64bc91678d6e9ed9cf71aeeac42fac80e590e9785972a3baa9054acbb757e5324a65cf42fcedfc2f293c143842f392a830cc26ab3e0c1d39ad

  • C:\Users\Admin\AppData\Local\Temp\MW-f064e1d8-401b-4176-b14d-43c4e0711bd7\msiwrapper.ini
    Filesize: 1KB
    MD5: 18c0bf6f8383910ee70dcc498a34c481
    SHA1: 7e0b454742cbec70bb4837ef1798c542207c91bf
    SHA256: ffc38810bedb15ff3b363b26c843345a963ff67375182678711ffcadd838b0e3
    SHA512: 00af91a81340c05867b9284ecd2fbf22ba689271408f9b8384e68f382d62f0ffe91017a451f8447b393575673947864610437232b7e07f61fa8d07715720c172

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yo5dkdl4.qlj.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\Installer\MSIBB8F.tmp
    Filesize: 208KB
    MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
    SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
    SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
    SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize: 24.1MB
    MD5: 4a3f812b861c2b18070a9396020d7813
    SHA1: b0d95a57402f7c6954b20703b277c55e9039e779
    SHA256: f3de3d6809a47f66e96845f7291e0eb13a9487e3f51edc9e984f4f77752d27da
    SHA512: a3dabf0bd2f1259254cb40eeb5a17ef6ea8266f8a35eb3ca74f6759d7150ac4e1de539800ce79745295b2f7886a0fcb4f964ad44d7ded6e55ccc6b472abb5a52

  • \??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{98bf54fa-1af1-4e92-944c-f6be603e3d47}_OnDiskSnapshotProp
    Filesize: 6KB
    MD5: 9d7da977dbc050e4c03dac7aa8b494d8
    SHA1: 3e511287893170124d1078a4726fd234bcaee3d9
    SHA256: 38bf4a7978cc9079525a2ae84b0c8a1c2e61bda2d9923ac3d40e1834f87c9273
    SHA512: b05711054a62ca998f19fccd79bf72052cbbca5195d857e5002b644d8f25241c7e5880c2df5fe79eea2cfe9de0e8ae3770fd81b22a3d05f2de139017633536a4

  • memory/2992-114-0x0000000008010000-0x000000000868A000-memory.dmp (Filesize: 6.5MB)
  • memory/2992-112-0x0000000006BC0000-0x0000000006BDE000-memory.dmp (Filesize: 120KB)
  • memory/2992-85-0x00000000056B0000-0x00000000056D2000-memory.dmp (Filesize: 136KB)
  • memory/2992-86-0x0000000005FB0000-0x0000000006016000-memory.dmp (Filesize: 408KB)
  • memory/2992-87-0x0000000006020000-0x0000000006086000-memory.dmp (Filesize: 408KB)
  • memory/2992-83-0x0000000002D70000-0x0000000002DA6000-memory.dmp (Filesize: 216KB)
  • memory/2992-97-0x00000000062B0000-0x0000000006604000-memory.dmp (Filesize: 3.3MB)
  • memory/2992-99-0x0000000006660000-0x000000000667E000-memory.dmp (Filesize: 120KB)
  • memory/2992-100-0x00000000066A0000-0x00000000066EC000-memory.dmp (Filesize: 304KB)
  • memory/2992-102-0x000000006EA40000-0x000000006EA8C000-memory.dmp (Filesize: 304KB)
  • memory/2992-101-0x0000000006B80000-0x0000000006BB2000-memory.dmp (Filesize: 200KB)
  • memory/2992-84-0x0000000005850000-0x0000000005E78000-memory.dmp (Filesize: 6.2MB)
  • memory/2992-113-0x00000000076E0000-0x0000000007783000-memory.dmp (Filesize: 652KB)
  • memory/2992-122-0x0000000007C10000-0x0000000007C18000-memory.dmp (Filesize: 32KB)
  • memory/2992-115-0x0000000007990000-0x00000000079AA000-memory.dmp (Filesize: 104KB)
  • memory/2992-116-0x00000000079F0000-0x00000000079FA000-memory.dmp (Filesize: 40KB)
  • memory/2992-117-0x0000000007C20000-0x0000000007CB6000-memory.dmp (Filesize: 600KB)
  • memory/2992-118-0x0000000007B90000-0x0000000007BA1000-memory.dmp (Filesize: 68KB)
  • memory/2992-119-0x0000000007BC0000-0x0000000007BCE000-memory.dmp (Filesize: 56KB)
  • memory/2992-120-0x0000000007BD0000-0x0000000007BE4000-memory.dmp (Filesize: 80KB)
  • memory/2992-121-0x0000000007CE0000-0x0000000007CFA000-memory.dmp (Filesize: 104KB)
  • memory/4188-79-0x0000000010000000-0x0000000010738000-memory.dmp (Filesize: 7.2MB)