Analysis

  • max time kernel
    140s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2024, 11:48

General

  • Target

    Meeting.exe

  • Size

    349KB

  • MD5

    69189ee9e0d6cd3eeb75e421fa891b54

  • SHA1

    568ac576f6890ce99fe3c96d321ffd6f3022772b

  • SHA256

    bf3222f0a64dc1776abaf9c4f27ed8f54be66ca8568efc9280089cfcb599ec5f

  • SHA512

    b54f850a58192c22440887597b065a3248518e0e4bebfa69a101afcbb23851588419f1149364a36af52a45f71aeb9c736a07801747a778dbe99461493dc8702d

  • SSDEEP

    6144:RtH/xNLaAOvIBd7lAAxWS1elIoSNOFLqtN96CyPnbLTFahn2:RtH5NLaAdDhAAEIFwFWtr6CyDNahn2

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_tcp

C2

193.117.208.148:7800

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Meeting.exe
    "C:\Users\Admin\AppData\Local\Temp\Meeting.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe"
      2⤵
      • Executes dropped EXE
      PID:4152
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5136 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2320

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe

            Filesize

            72KB

            MD5

            cc79ce1c49a908b75e19a6a10817a7ad

            SHA1

            aea878dece0144cd8b3463d3011c5956a9a4051b

            SHA256

            195c81b348da3fef8109f1ff11dae6b12a828d3361b92ec2f1b5f1bb66bfba17

            SHA512

            b14bada0ec92abc3e5f4248b16c6607959bcbb9a5f53c3a38c3957f8fe6b598c61fb17a17b1898231b89852e908eae9e21ce13af2cc17de8f13f653a8e8cede3

          • memory/4152-16-0x0000000000490000-0x0000000000491000-memory.dmp

            Filesize

            4KB