Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 05/04/2024, 11:48
Static task: static1
Behavioral task: behavioral1
  Sample: Meeting.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Meeting.exe
  Resource: win10v2004-20240226-en
General
- Target: Meeting.exe
- Size: 349KB
- MD5: 69189ee9e0d6cd3eeb75e421fa891b54
- SHA1: 568ac576f6890ce99fe3c96d321ffd6f3022772b
- SHA256: bf3222f0a64dc1776abaf9c4f27ed8f54be66ca8568efc9280089cfcb599ec5f
- SHA512: b54f850a58192c22440887597b065a3248518e0e4bebfa69a101afcbb23851588419f1149364a36af52a45f71aeb9c736a07801747a778dbe99461493dc8702d
- SSDEEP: 6144:RtH/xNLaAOvIBd7lAAxWS1elIoSNOFLqtN96CyPnbLTFahn2:RtH5NLaAdDhAAEIFwFWtr6CyDNahn2
Malware Config
Extracted
metasploit
windows/reverse_tcp
193.117.208.148:7800
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Executes dropped EXE (1 IoCs)
  pid   Process
  3024  Icon.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  2860  Meeting.exe
  2860  Meeting.exe
  2860  Meeting.exe
  2860  Meeting.exe
  2860  Meeting.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2508  DllHost.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 2860 wrote to memory of 3024  2860  Meeting.exe  28
  PID 2860 wrote to memory of 3024  2860  Meeting.exe  28
  PID 2860 wrote to memory of 3024  2860  Meeting.exe  28
  PID 2860 wrote to memory of 3024  2860  Meeting.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\Meeting.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Meeting.exe"
  PID: 2860
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe (child of PID 2860)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe"
    PID: 3024
    - Executes dropped EXE
- C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  PID: 2508
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 19KB
  MD5: 07c3f866071fa6c05b07dd62b21a94f7
  SHA1: a92d6b70dad831863033ab8ecf90e5d235480c5c
  SHA256: d049a8773cba295f918cc2460533f43eaf1b60af5502d569f4e4d07285068883
  SHA512: 9d965b0c68db6cc6652c3b3a5f60a20bd0f77901ba33659111c8fd8f7d48c46cc082137bcbc4ca53c93d9a9b99863b8bc0250dff5758ae0e131265d3e7d6038a
- Filesize: 72KB
  MD5: cc79ce1c49a908b75e19a6a10817a7ad
  SHA1: aea878dece0144cd8b3463d3011c5956a9a4051b
  SHA256: 195c81b348da3fef8109f1ff11dae6b12a828d3361b92ec2f1b5f1bb66bfba17
  SHA512: b14bada0ec92abc3e5f4248b16c6607959bcbb9a5f53c3a38c3957f8fe6b598c61fb17a17b1898231b89852e908eae9e21ce13af2cc17de8f13f653a8e8cede3