Analysis
- max time kernel: 140s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/04/2024, 11:48
Static task: static1
Behavioral task: behavioral1
  - Sample: Meeting.exe
  - Resource: win7-20240220-en
Behavioral task: behavioral2
  - Sample: Meeting.exe
  - Resource: win10v2004-20240226-en
General
- Target: Meeting.exe
- Size: 349KB
- MD5: 69189ee9e0d6cd3eeb75e421fa891b54
- SHA1: 568ac576f6890ce99fe3c96d321ffd6f3022772b
- SHA256: bf3222f0a64dc1776abaf9c4f27ed8f54be66ca8568efc9280089cfcb599ec5f
- SHA512: b54f850a58192c22440887597b065a3248518e0e4bebfa69a101afcbb23851588419f1149364a36af52a45f71aeb9c736a07801747a778dbe99461493dc8702d
- SSDEEP: 6144:RtH/xNLaAOvIBd7lAAxWS1elIoSNOFLqtN96CyPnbLTFahn2:RtH5NLaAdDhAAEIFwFWtr6CyDNahn2
Malware Config
Extracted
- Family: metasploit
- Payload: windows/reverse_tcp
- C2: 193.117.208.148:7800
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Meeting.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  4152 | Icon.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2004 wrote to memory of 4152 | 2004 | Meeting.exe | 93
  PID 2004 wrote to memory of 4152 | 2004 | Meeting.exe | 93
  PID 2004 wrote to memory of 4152 | 2004 | Meeting.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\Meeting.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Meeting.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2004
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe"
    - Executes dropped EXE
    PID: 4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5136 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
  PID: 2320
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 72KB
  MD5: cc79ce1c49a908b75e19a6a10817a7ad
  SHA1: aea878dece0144cd8b3463d3011c5956a9a4051b
  SHA256: 195c81b348da3fef8109f1ff11dae6b12a828d3361b92ec2f1b5f1bb66bfba17
  SHA512: b14bada0ec92abc3e5f4248b16c6607959bcbb9a5f53c3a38c3957f8fe6b598c61fb17a17b1898231b89852e908eae9e21ce13af2cc17de8f13f653a8e8cede3