9fbb3f1a3f4cf7a01bc02094d167c8eab3466bcce5a2560641e5a5f83441ffec

General

Target

6ec521aa59097a51d3f5d67d8ec7fa50N.exe
Size

1.4MB
MD5

6ec521aa59097a51d3f5d67d8ec7fa50
SHA1

eaf4a112d7c2b0f5960384895f4815bbad277b89
SHA256

9fbb3f1a3f4cf7a01bc02094d167c8eab3466bcce5a2560641e5a5f83441ffec
SHA512

ed9176ed02b0c02008b96566e5569e2b5e4bfb689d786eea5f4ff03522b009be48f88e85a015b6a6da7060aa96167c6091dde4b1b9372f5994ce33b7661493b8
SSDEEP

24576:IaQn/WuTXlr8Ieb+GF/xZxSj5nyMU7Lio18K8XwLhO2cDpp0WrcTkJM+:IakOGh8I4F345ydWo18BXwNO2cDpaWQ0

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2052	~3iqsl8g9y0.tmp

Loads dropped DLL 1 IoCs

pid	Process
2508	6ec521aa59097a51d3f5d67d8ec7fa50N.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2268	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ec521aa59097a51d3f5d67d8ec7fa50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~3iqsl8g9y0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2268	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2268	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2268	MSIEXEC.EXE
2268	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2052	2508	6ec521aa59097a51d3f5d67d8ec7fa50N.exe	29
PID 2508 wrote to memory of 2052	2508	6ec521aa59097a51d3f5d67d8ec7fa50N.exe	29
PID 2508 wrote to memory of 2052	2508	6ec521aa59097a51d3f5d67d8ec7fa50N.exe	29
PID 2508 wrote to memory of 2052	2508	6ec521aa59097a51d3f5d67d8ec7fa50N.exe	29
PID 2508 wrote to memory of 2052	2508	6ec521aa59097a51d3f5d67d8ec7fa50N.exe	29
PID 2508 wrote to memory of 2052	2508	6ec521aa59097a51d3f5d67d8ec7fa50N.exe	29
PID 2508 wrote to memory of 2052	2508	6ec521aa59097a51d3f5d67d8ec7fa50N.exe	29
PID 2052 wrote to memory of 2268	2052	~3iqsl8g9y0.tmp	30
PID 2052 wrote to memory of 2268	2052	~3iqsl8g9y0.tmp	30
PID 2052 wrote to memory of 2268	2052	~3iqsl8g9y0.tmp	30
PID 2052 wrote to memory of 2268	2052	~3iqsl8g9y0.tmp	30
PID 2052 wrote to memory of 2268	2052	~3iqsl8g9y0.tmp	30
PID 2052 wrote to memory of 2268	2052	~3iqsl8g9y0.tmp	30
PID 2052 wrote to memory of 2268	2052	~3iqsl8g9y0.tmp	30

C:\Users\Admin\AppData\Local\Temp\6ec521aa59097a51d3f5d67d8ec7fa50N.exe
"C:\Users\Admin\AppData\Local\Temp\6ec521aa59097a51d3f5d67d8ec7fa50N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\~3iqsl8g9y0.tmp
  "C:\Users\Admin\AppData\Local\Temp\~3iqsl8g9y0.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://clatz.fileslldl.eu/client/pkgs/winpalace/WinPalace20150703054556.msi" DDC_DID=7291213 DDC_RTGURL=http://www.filecdn.eu/dl/TrackSetup/TrackSetup.aspx?DID=7291213%26filename=WinPalace%2Eexe%26CASINONAME=winpalace DDC_DOWNLOAD_AFFID=48734 DDC_UPDATESTATUSURL=http://190.4.91.3:8080/winpalace/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.91.3:8080/winpalace/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=redirectAsData CUSTOMVALUE02=1 CUSTOMNAME03=remoteIP CUSTOMVALUE03=162.158.68.113 CUSTOMNAME04=name CUSTOMNAME05=email CUSTOMNAME06=redirect CUSTOMNAME07=version CUSTOMVALUE07=100 CUSTOMNAME08=camefrom CUSTOMNAME09=adid CUSTOMVALUE09=NULL CUSTOMNAME10=affreferrer SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~3iqsl8g9y0.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is3AB5.tmp

Filesize
1KB

MD5
4dfe609709d5f317951f408c3addbffe

SHA1
86f8bfb803f29f7925569467b10ee4899ad83793

SHA256
317beb9c7d05e265d10a638f3c936153cff98f4528158b3adcae40c4d9f140d2

SHA512
ebcbc4936c275babc02df99071a902d553ac0da4760cfc95d9db520f2b8faeae7f0177bbbfee626ee4d1aa45a120957ea743a597342e5015278e5e5223822e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8EC5AD18-31F2-418A-B94D-B548EDDBBF03}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8EC5AD18-31F2-418A-B94D-B548EDDBBF03}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3AA2.tmp

Filesize
6KB

MD5
c059efb57b4d74f1eb62dc736758b5d6

SHA1
c96ea0259e312a88c3c1e5a31f8c6d3ce4988aff

SHA256
dfbb0aec195e6da5cd12e775e2b563ab8f9fc4c53cecfec0f971f8fa4e0b4ec8

SHA512
a7987d5e7aef0da43f3bd0477aa8e8d3747a30ee23245bbd03ce272a92bc9b3687bba534fb984c5924525ca0f4fe2f7bbb9966fc6e8019062fe8f3b25e21933a

Download Submit
\Users\Admin\AppData\Local\Temp\~3iqsl8g9y0.tmp

Filesize
1.2MB

MD5
82b932d241834e498fc8dd538483ab94

SHA1
e14ce571752620204195b5cc365aca340250fd9e

SHA256
5045c44db6945fb257e3e187bdf082952127037d0dc52011b15eb6fbd7e7e60d

SHA512
418ca6b07216459c1fb1e902fd4a6eed75988b7f2e42fe3829029942184b5cfd0f33d6b9ab995d77d4fb21b19029b0e0125e29d3b3b9534cb51a804fb5a51cad

Download Submit

Analysis

Sharing