Overview

overview

10

Static

static

1

setup538.msi

windows7-x64

7

setup538.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/02/2025, 21:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup538.msi

  • Size

    1.8MB

  • MD5

    ed9c9eadb586f513e9b4d2da285c5c0f

  • SHA1

    a7beaa235b8bf96c8e28722704a78aea6dfe79b6

  • SHA256

    1734883d606ca520a119602419e1dca96649f7b56b38fb9649323788b8499524

  • SHA512

    5e9042ff9dfb69abe85b0d2aecfdc7286b021cb74ede6c301cf2b49d73f942cab03869a5caaf55748a1d158a9f25fb082aa89d6bfde499cbf1598b5e0125bec0

  • SSDEEP

    24576:Tt9cpVDhX6v0UYzNm+/Y10rAWR32bBNLG:spRhK8LzNmEYuv32bz6

Score
10/10
metastealerdiscoveryexecutionpersistenceprivilege_escalationstealer

Malware Config

Extracted

Family

metastealer

C2

kagkimuoakomksww.xyz

cwikwiiisuyqymso.xyz

qgimwqowkmuicoos.xyz

kuueskmwqmwoocuq.xyz

eaeueussigokssqg.xyz

eoyqkgcyoesysssk.xyz

ocmmqamiyucswwik.xyz

eimemucysaammomg.xyz

iwomsoekyisuymws.xyz

mqykiccmwokeumes.xyz

iqqcgqqseysecuum.xyz

iqmoyikmqymsmcwm.xyz

aseuqoqgaueaymyo.xyz

wycuamkomemmigmy.xyz

ceiyeqaoscmsamim.xyz

skcqkaykccckqyam.xyz

kaycmqwocuyyuqyg.xyz

mqssyaeoeeucegqy.xyz

ywqamawcqumaqiyq.xyz

skscsegicyqikqww.xyz
Attributes
  • dga_seed

    12914

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Signatures

  • Meta Stealer

    Meta Stealer steals passwords stored in browsers, written in C++.

    stealermetastealer
  • MetaStealer payload 1 IoCs
  • Metastealer family
    metastealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup538.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1240
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:412
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4328
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3293E41B28C0EE1701C01B8321F8044F
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2076
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e5463c1c-76d4-4b19-bc97-34764cb51214\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2868
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3092
      • C:\Users\Admin\AppData\Local\Temp\MW-e5463c1c-76d4-4b19-bc97-34764cb51214\files\setup538.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-e5463c1c-76d4-4b19-bc97-34764cb51214\files\setup538.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\search.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1868
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:2584
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4308

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MW-e5463c1c-76d4-4b19-bc97-34764cb51214\files.cab
    Filesize

    1.5MB

    MD5

    53a430d7f3bd7ff3867cef169cad6d09

    SHA1

    4e79b50079fad9f0b16fb439ca35eeec73f5e058

    SHA256

    4c467c1285fa6b327093504db05f052cea5b4adc2716a8c2bd9fae3647b5338d

    SHA512

    9f0518145a24f6e61658b3eb8e3badbee7b22580a90befb5d79208acef0488298ac5bdc1abb322d1b7d9405ccfb42ca0e7bb591df1c8bb0cd3d7e5724004a891

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MW-e5463c1c-76d4-4b19-bc97-34764cb51214\msiwrapper.ini
    Filesize

    1KB

    MD5

    b6152ec196f356564d9fb6b59866dea0

    SHA1

    410d5c5ae4a1af52d89d0b5009d41c49ca8e2bf6

    SHA256

    c8576d618dda75ca957ec94b6773d580371246bbdadec7099c7ee9f524c15883

    SHA512

    f0d835c5051c027f51002f95ea358812ce6239cd85966bc9de72697d4b1692b0acaef252fce5bdc4c01a3a9c6f1f9cc12015fbe853f03396180648f5de019328

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxrt5ste.xck.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\Installer\MSI3E0E.tmp
    Filesize

    208KB

    MD5

    0c8921bbcc37c6efd34faf44cf3b0cb5

    SHA1

    dcfa71246157edcd09eecaf9d4c5e360b24b3e49

    SHA256

    fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1

    SHA512

    ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    24.1MB

    MD5

    66bd55356fa37b44002aa4702920c1ff

    SHA1

    1251461d41df806fc13e02a255aa81084e4f5f8b

    SHA256

    bd9a917a29b882f32b9ea06270e47ae8899dd91b997d77cb9bae36144676e1f5

    SHA512

    cb3ef1e43ce7648df980327515a129d5cb2e603c89f72c313000025060c81628697255e059712a8aeb73dfdc4fbf8b860509e714eb0aae37ea8b79734ff8014d

    Download Submit

  • \??\Volume{24b92e62-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{99604bf5-837b-4057-8840-036457edd361}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    008f89db6bf998254b5fbf3c4b2b9ba5

    SHA1

    6cfe778eca5ec1f8f14f64fe34496e3425312cdd

    SHA256

    34704048b550cd1485a5b0074304e015581029d76930f8c9f00eca54b5e4cb06

    SHA512

    2e456f7dcd11bafaaff9b202194c8980dc2916a9be9ac397b2a6f31eee3150cfd02ed6bc98c4e845bb2623b704ea0d19b7f98551adee347193cab208ab7dba3e

    Download Submit

  • memory/1868-99-0x0000000006260000-0x00000000062AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1868-111-0x0000000006800000-0x000000000681E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1868-85-0x0000000005300000-0x0000000005322000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1868-86-0x0000000005A90000-0x0000000005AF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1868-87-0x0000000005B70000-0x0000000005BD6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1868-83-0x0000000002880000-0x00000000028B6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1868-97-0x0000000005D20000-0x0000000006074000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1868-98-0x0000000006210000-0x000000000622E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1868-121-0x00000000077D0000-0x00000000077D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1868-100-0x00000000071E0000-0x0000000007212000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1868-101-0x000000006F220000-0x000000006F26C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1868-84-0x00000000053B0000-0x00000000059D8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1868-112-0x0000000007420000-0x00000000074C3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1868-113-0x0000000007B90000-0x000000000820A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1868-114-0x0000000007550000-0x000000000756A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1868-115-0x00000000075B0000-0x00000000075BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1868-116-0x00000000077E0000-0x0000000007876000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1868-117-0x0000000007750000-0x0000000007761000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1868-118-0x0000000007780000-0x000000000778E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1868-119-0x0000000007790000-0x00000000077A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1868-120-0x00000000078A0000-0x00000000078BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5036-78-0x0000000010000000-0x0000000010738000-memory.dmp

    Filesize

    7.2MB

    Download