Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-01-2024 16:17
Static task: static1
Behavioral task: behavioral1
  Sample: 74f34c3e1552bf43f022980bf004a189.exe
  Resource: win7-20231215-en
General
Target: 74f34c3e1552bf43f022980bf004a189.exe
Size: 1.4MB
MD5: 74f34c3e1552bf43f022980bf004a189
SHA1: 780d691ffdbd7862e1a5e1f21728a1743c8a8faf
SHA256: 238566fb0529aec665f541b834c35cfdae07a8c7947f1460c82d46775268b45e
SHA512: dc245473913e9a39c368927df216eeb08c125788c2b0a90a12b353119f54709500c7ea73ed60785e9328175ce9d541cb8da6856133b1284f783ec2f2e86ca4fe
SSDEEP: 24576:MaQPI4OCa++/AmvCbEVoqG/5T1XCxMbwSPcocLCcnlUVy5vwDHl/nMM:MaeOCRTzvmMJf/kF5IlvMM
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   process
  2520  ~rnfrmf8032.tmp
Loads dropped DLL (1 IoC)
  pid   process
  1728  74f34c3e1552bf43f022980bf004a189.exe
Use of msiexec (install) with remote resource (1 IoC)
  pid   process
  2396  MSIEXEC.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                      pid   process
  Token: SeShutdownPrivilege       2396  MSIEXEC.EXE
  Token: SeIncreaseQuotaPrivilege  2396  MSIEXEC.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  2396  MSIEXEC.EXE
  2396  MSIEXEC.EXE
Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   process                               target process
  PID 1728 wrote to memory of 2520  1728  74f34c3e1552bf43f022980bf004a189.exe  ~rnfrmf8032.tmp
  PID 1728 wrote to memory of 2520  1728  74f34c3e1552bf43f022980bf004a189.exe  ~rnfrmf8032.tmp
  PID 1728 wrote to memory of 2520  1728  74f34c3e1552bf43f022980bf004a189.exe  ~rnfrmf8032.tmp
  PID 1728 wrote to memory of 2520  1728  74f34c3e1552bf43f022980bf004a189.exe  ~rnfrmf8032.tmp
  PID 1728 wrote to memory of 2520  1728  74f34c3e1552bf43f022980bf004a189.exe  ~rnfrmf8032.tmp
  PID 1728 wrote to memory of 2520  1728  74f34c3e1552bf43f022980bf004a189.exe  ~rnfrmf8032.tmp
  PID 1728 wrote to memory of 2520  1728  74f34c3e1552bf43f022980bf004a189.exe  ~rnfrmf8032.tmp
  PID 2520 wrote to memory of 2396  2520  ~rnfrmf8032.tmp                       MSIEXEC.EXE
  PID 2520 wrote to memory of 2396  2520  ~rnfrmf8032.tmp                       MSIEXEC.EXE
  PID 2520 wrote to memory of 2396  2520  ~rnfrmf8032.tmp                       MSIEXEC.EXE
  PID 2520 wrote to memory of 2396  2520  ~rnfrmf8032.tmp                       MSIEXEC.EXE
  PID 2520 wrote to memory of 2396  2520  ~rnfrmf8032.tmp                       MSIEXEC.EXE
  PID 2520 wrote to memory of 2396  2520  ~rnfrmf8032.tmp                       MSIEXEC.EXE
  PID 2520 wrote to memory of 2396  2520  ~rnfrmf8032.tmp                       MSIEXEC.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\74f34c3e1552bf43f022980bf004a189.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\74f34c3e1552bf43f022980bf004a189.exe"
  PID: 1728
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\~rnfrmf8032.tmp (child of PID 1728)
    Command line: "C:\Users\Admin\AppData\Local\Temp\~rnfrmf8032.tmp"
    PID: 2520
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\MSIEXEC.EXE (child of PID 2520)
      Command line: MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/viplounge/RubySlots20141207074451.msi" DDC_DID=2714691 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=2714691 DDC_DOWNLOAD_AFFID=3952 DDC_UPDATESTATUSURL=http://190.4.94.34:8080/vip/Lobby.WebServices/Installer.asmx CUSTOMNAME02=trackingID CUSTOMVALUE02=VIPL510109445b5bfef11a530307181dc86a SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~rnfrmf8032.tmp"
      PID: 2396
      - Use of msiexec (install) with remote resource
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\_is3FB4.tmp
  Filesize: 1KB
  MD5: c0cd17bb2a0ee8e7f04b9be37d3b655e
  SHA1: 226158b0fe0b9f43934db00c3de55124817bb576
  SHA256: d505674bb93449b64b35407881dd291c19eee951fac46b281820a9cdc448b741
  SHA512: 41d9d87d66606e7e79746111ad512b992a396c8fc6b73ef490c4b910ec1f77b2c52f4ac639870533d33b50bd464688817702bb04340d3872c66ad7f9b7bd8293
C:\Users\Admin\AppData\Local\Temp\{00F2C5A9-5B89-45E3-A7EA-D42B53DD4692}\0x0409.ini
  Filesize: 21KB
  MD5: be345d0260ae12c5f2f337b17e07c217
  SHA1: 0976ba0982fe34f1c35a0974f6178e15c238ed7b
  SHA256: e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
  SHA512: 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff
C:\Users\Admin\AppData\Local\Temp\{00F2C5A9-5B89-45E3-A7EA-D42B53DD4692}\_ISMSIDEL.INI
  Filesize: 20B
  MD5: db9af7503f195df96593ac42d5519075
  SHA1: 1b487531bad10f77750b8a50aca48593379e5f56
  SHA256: 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
  SHA512: 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b
C:\Users\Admin\AppData\Local\Temp\~3F72.tmp
  Filesize: 5KB
  MD5: 81d935c8c9c2b9246d9a06653bc7aa1f
  SHA1: 473dc10a9bccaa6b408501ea88b83a0a18ee6d68
  SHA256: d8845bb14ab2f37edadd7059d61ffa8774e8c0178da9032671af88ab4e6f3d47
  SHA512: cb06e0e233e2de609c4bb8680a8fc580d3bee96d864e603398484574d2e4b1b40f5b68db17c8ed90643fb9873e136d15fa3aac797b9300c378036644ce7323bb
\Users\Admin\AppData\Local\Temp\~rnfrmf8032.tmp
  Filesize: 1.2MB
  MD5: 5a410730532bae4283535aed4bb9786a
  SHA1: c7d86402ea6794b6c3b45c1a4842df7435f96d5a
  SHA256: 7c3fa3f12528d4676b941a5b72130e69de821b8a3c89dc8a8679b74c0aa8c9df
  SHA512: 254b7f2c923c08f5a3965f093f5700ffdf78c2d84fc3fe39dba653c9d6b6716d6c85df1f9ed8d4561cc3e03c202b625209ea607c5a3dc78c64cdb9885d44d4ca