ebea0eac27e2e912b1d7143acf8d8b48bee4ebdfa4924a9f85d7516d5b405f34

Analysis

max time kernel
93s
max time network
139s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250218-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07/03/2025, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MeetUS-main/PluginRequirements.exe
Size

2.1MB
MD5

84c58be6112011e6860c706301d83871
SHA1

2b6e53925abae1aa97a8942089a83cef50164bf0
SHA256

624549cb8753f6b430a101eae87f6c5d1d06feab7faa904e89783aae4cc2144a
SHA512

2738661041ab45308c84ba750e1144c030992ce14c0e83735ebcfab6e49244fb99a74398f33c217cc58047cc45858d75ec9096dd3ce911412e3cf3b330ca8a63
SSDEEP

49152:EMSESjawGl5KwBPmeX6Pdu87Druno10It5:EEjhc0Kv13t5

Score

5^/10

discovery

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
5000	tasklist.exe
3968	tasklist.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	tasklist.exe
Token: SeDebugPrivilege	3968	tasklist.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 5000	1600	PluginRequirements.exe	89
PID 1600 wrote to memory of 5000	1600	PluginRequirements.exe	89
PID 1600 wrote to memory of 3968	1600	PluginRequirements.exe	91
PID 1600 wrote to memory of 3968	1600	PluginRequirements.exe	91
PID 1600 wrote to memory of 2148	1600	PluginRequirements.exe	93
PID 1600 wrote to memory of 2148	1600	PluginRequirements.exe	93

C:\Users\Admin\AppData\Local\Temp\MeetUS-main\PluginRequirements.exe
"C:\Users\Admin\AppData\Local\Temp\MeetUS-main\PluginRequirements.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\system32\tasklist.exe
  "tasklist" /fi "IMAGENAME eq pluginmeet.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\system32\tasklist.exe
  "tasklist" /fi "IMAGENAME eq pluginmeet.exe"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\system32\cmd.exe
  cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Admin\AppData\Local\Temp\pluginmeet_launcher.bat""
  2⤵
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pluginmeet.exe

Filesize
4KB

MD5
3acd9b76299b4df811bc1ed96cc03117

SHA1
b02baac62ae23a4b59186755c2dcbddd36377b02

SHA256
8cd38ed3ade213f85811989bfd4dde1857f2426528830464464df53f4288c257

SHA512
995027ecf23f64838692322f8adc0f0b7d468a9009050748808915442d3e4b17c1887399366b5faed61621e084e91f70887db371cdbb19d5f0d631c0dc35fc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\pluginmeet_launcher.bat

Filesize
70B

MD5
37204fea479a506b12ac448451df118a

SHA1
8f69bb863eddfd4cb5e4fb7cb41ae9f0d821ed68

SHA256
20701a382c83c70491f603039dee65d2f22f19ff0f491255444a033d6bf9841b

SHA512
125d3807a8b94eb5e2a2922062bb473abd098c47adab4d8f6d2a8aad4cb13b3c00a7d84c2b110974d27909a2321bf2b9df901564ccfc82e5bad81eb4ac035c67

Download Submit