Malware Analysis Report

2025-06-16 03:32

Sample ID 240405-nyrq5aba5v
Target Meeting.exe
SHA256 bf3222f0a64dc1776abaf9c4f27ed8f54be66ca8568efc9280089cfcb599ec5f
Tags: metasploit backdoor trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

bf3222f0a64dc1776abaf9c4f27ed8f54be66ca8568efc9280089cfcb599ec5f

Threat Level: Known bad

The file Meeting.exe was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor trojan

MetaSploit

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-05 11:48

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 11:48

Reported

2024-04-05 11:51

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Meeting.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe
Target: N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\DllHost.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Meeting.exe

"C:\Users\Admin\AppData\Local\Temp\Meeting.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

Network

Country  Destination           Domain  Proto
GB       193.117.208.148:7800          tcp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe

MD5 cc79ce1c49a908b75e19a6a10817a7ad
SHA1 aea878dece0144cd8b3463d3011c5956a9a4051b
SHA256 195c81b348da3fef8109f1ff11dae6b12a828d3361b92ec2f1b5f1bb66bfba17
SHA512 b14bada0ec92abc3e5f4248b16c6607959bcbb9a5f53c3a38c3957f8fe6b598c61fb17a17b1898231b89852e908eae9e21ce13af2cc17de8f13f653a8e8cede3

memory/3024-22-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2860-23-0x0000000000E80000-0x0000000000E82000-memory.dmp

memory/2508-24-0x0000000000160000-0x0000000000162000-memory.dmp

memory/2508-25-0x00000000004F0000-0x00000000004F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pdf.png

MD5 07c3f866071fa6c05b07dd62b21a94f7
SHA1 a92d6b70dad831863033ab8ecf90e5d235480c5c
SHA256 d049a8773cba295f918cc2460533f43eaf1b60af5502d569f4e4d07285068883
SHA512 9d965b0c68db6cc6652c3b3a5f60a20bd0f77901ba33659111c8fd8f7d48c46cc082137bcbc4ca53c93d9a9b99863b8bc0250dff5758ae0e131265d3e7d6038a

memory/2508-29-0x00000000004F0000-0x00000000004F1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 11:48

Reported

2024-04-05 11:51

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Meeting.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\Meeting.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe
Target: N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Meeting.exe

"C:\Users\Admin\AppData\Local\Temp\Meeting.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5136 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network

Country  Destination           Domain                       Proto
GB       142.250.200.42:443                                 tcp
GB       193.117.208.148:7800                               tcp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa    udp
US       8.8.8.8:53            136.136.73.23.in-addr.arpa   udp
US       8.8.8.8:53            67.31.126.40.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa    udp
US       13.107.246.64:443                                  tcp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa   udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa    udp
US       8.8.8.8:53            81.139.73.23.in-addr.arpa    udp
US       8.8.8.8:53            22.236.111.52.in-addr.arpa   udp
US       8.8.8.8:53            9.179.89.13.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Icon.exe

MD5 cc79ce1c49a908b75e19a6a10817a7ad
SHA1 aea878dece0144cd8b3463d3011c5956a9a4051b
SHA256 195c81b348da3fef8109f1ff11dae6b12a828d3361b92ec2f1b5f1bb66bfba17
SHA512 b14bada0ec92abc3e5f4248b16c6607959bcbb9a5f53c3a38c3957f8fe6b598c61fb17a17b1898231b89852e908eae9e21ce13af2cc17de8f13f653a8e8cede3

memory/4152-16-0x0000000000490000-0x0000000000491000-memory.dmp