e318f6dfef755a731564a054cee28c6686b8db23905e1e9f4e5591b9e529e956

General

Target

b79d3517d59a6170cbe96cc419e7df1a.exe
Size

1.1MB
MD5

b79d3517d59a6170cbe96cc419e7df1a
SHA1

508d17ca9236758e9adbc28d5b43d43bdb53248d
SHA256

e318f6dfef755a731564a054cee28c6686b8db23905e1e9f4e5591b9e529e956
SHA512

7d59cbd3237309175f3c12d37f0f6ead90cf1aaf6e9aca9f9ae1452ba738e8a102924250e4d81826f2388bbc7056417a02e1dd1e206d403199ab7db9dbebdbfe
SSDEEP

24576:Ej+cmZgFd6BmqBbQW05RHVu8jvDbHopSDizaaW86b:k9mZCABmMQW0E8jvDbIpSDg8b

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2936	~

Loads dropped DLL 2 IoCs

pid	Process
2880	b79d3517d59a6170cbe96cc419e7df1a.exe
2880	b79d3517d59a6170cbe96cc419e7df1a.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2716	MSIEXEC.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2880 set thread context of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2716	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2716	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2716	MSIEXEC.EXE
2716	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2880 wrote to memory of 2936	2880	b79d3517d59a6170cbe96cc419e7df1a.exe	28
PID 2936 wrote to memory of 2716	2936	~	29
PID 2936 wrote to memory of 2716	2936	~	29
PID 2936 wrote to memory of 2716	2936	~	29
PID 2936 wrote to memory of 2716	2936	~	29
PID 2936 wrote to memory of 2716	2936	~	29
PID 2936 wrote to memory of 2716	2936	~	29
PID 2936 wrote to memory of 2716	2936	~	29

C:\Users\Admin\AppData\Local\Temp\b79d3517d59a6170cbe96cc419e7df1a.exe
"C:\Users\Admin\AppData\Local\Temp\b79d3517d59a6170cbe96cc419e7df1a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\~
  C:\Users\Admin\AppData\Local\Temp\~
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://setup.realtimegaming.com/36175/cdn/slotsjungle/Slots Jungle Casino20101209071529.msi" DDC_DID=290909 DDC_RTGURL=http://69.59.134.122/dl/TrackSetup/TrackSetup.aspx?DID=290909%26filename=SlotsJungle%2Eexe SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~"
    3⤵
    - Use of msiexec (install) with remote resource
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{374CE5EA-0702-4D6B-8706-A81870D16F3D}\0x0409.ini

Filesize
20KB

MD5
36affbd6ff77d1515cfc1c5e998fbaf9

SHA1
950d00ecc2e7fd2c48897814029e8eedf6397838

SHA256
fccc7f79d29318d8ae78850c262bac762c28858709a6e6cf3b62bcd2729a61e3

SHA512
2f29de86d486db783872581a43a834e5064d1488bc3f085ddc5a3287eb9ee8a4ce93d66f7b4965cafb3c4f06b38d4b0fcfdc0fcb1f99d61331a808e5d6011808

Download Submit
C:\Users\Admin\AppData\Local\Temp\{374CE5EA-0702-4D6B-8706-A81870D16F3D}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~

Filesize
197KB

MD5
ab47dc27914c41e01cdf728afa10b0aa

SHA1
ccd41a3c7121fa2ab77a0fda9f979a0ce57b81a0

SHA256
6dce08f54ddd41a285ab7f6f40dbf7f088dc1598de897b8ec0f0883000d8ce99

SHA512
6d7c106e3a9a3cd80145c2b9327ba73d30a1a0450826db9b9911624132e5d0cd8fc1fac4d6643e6b006018ded6a77f1b1eac0c6c67b37eebca0e5d08540a18c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~

Filesize
644KB

MD5
46ad665a59d454e6235518c95c677040

SHA1
a7b55632b476d73b59e3e3bd2397d520ab38947f

SHA256
aa1f169664d2902560ccc7fbea4357482fa144252f6b3716975ee9846ef0c07d

SHA512
2344d831d106cc9b568ea1c6e04a4d16c494e65c2f56652fb784c7937b9fafa0ddb436089d83cb90743808a9b061f6cfe72859cf212e94e19129016ff70211ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\~1872.tmp

Filesize
5KB

MD5
171060839dfb9e03054f8919003ca73f

SHA1
c30b60268233c4248251b0876268f6c56e61351f

SHA256
69512c88c9c93e72423814e7675ffc1e1711d88a3215668d46663c3fb9b52ff5

SHA512
640abd0cd4022151b5c8ac705ddd7772152ed0393fb9dea50c3ff41b0c44b951dfc4ed2b12fc674189ceb804a929ee93ac663e5ee012d098d83db0f92721b6bc

Download Submit
\Users\Admin\AppData\Local\Temp\~

Filesize
904KB

MD5
acb18f74d32b5702411337eafe278e20

SHA1
994b313e12f0e0cb4d458563e550694234d55e52

SHA256
64f8b872c3769d0d9c7f89fce033b21428c4a4ab8a9fe1f17fa5976057839f19

SHA512
ab840e179b1ba591cd35c2746b7aafd467df33788ba361d5d0ec851ae618ec679b66c2791f24c9282dca0773dca355e2f1bf34bb081e33ad2edd03adde8d96cf

Download Submit
memory/2936-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2936-56-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing