Malware Analysis Report

2025-08-05 15:15

Sample ID 240825-hwe2na1flc
Target ecb85d95c4aca1202e34c2b125a2c250N.exe
SHA256 65ec76bf52dbdb94fa4fb5d83b6445f910c33a5288f618e7d91385be660f17eb
Tags discovery
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 65ec76bf52dbdb94fa4fb5d83b6445f910c33a5288f618e7d91385be660f17eb

Threat Level: Shows suspicious behavior

The file ecb85d95c4aca1202e34c2b125a2c250N.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Use of msiexec (install) with remote resource

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 07:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 07:04

Reported

2024-08-25 07:07

Platform

win7-20240708-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | N/A

Use of msiexec (install) with remote resource

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A (2 identical events)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1928 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp (7 identical events)
PID 1444 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp | C:\Windows\SysWOW64\MSIEXEC.EXE (7 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe

"C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe"

C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp

"C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp"

C:\Windows\SysWOW64\MSIEXEC.EXE

MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/allstar/All Star Slots20160209125305.msi" DDC_DID=1454323 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=1454323 DDC_UPDATESTATUSURL=http://190.4.94.65:8080/allstar/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.65:8080/allstar/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~pcicvvgipa.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pliuht.cdnpckgs.eu udp

Files

\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp

MD5 b805b8500a08be1317384b954ae0acff
SHA1 091521daaf9d208b4fad59d1bec273779cebbae8
SHA256 f03dcb8a1c3099081cb9fec98369c4c55840b0ecae421b670c5b5cdaf64f0bea
SHA512 b543f30ec61f2d1d6a9400af585576cdb69709eec9b51c14534fc89382fde945b9d0353393a66afc29f935a87ea4523bc044a7a51e1895253398eba676d5bad7

C:\Users\Admin\AppData\Local\Temp\~B57C.tmp

MD5 b988e8eaf0e2b9e295ba59d624190f34
SHA1 3e74acee428150c0bf1d0444a3a2dc5fc22a6307
SHA256 4c77c6717782314118d016fd6cba0d355cc64bbcf5a0d7aaf7284e5591d660a8
SHA512 5236d29a8cd49fb59a786af0b9b2151a639d9e3675fe1ae9ac6ba17660340bca905ff2e37667a1db02092a35175b1e5423e4deebfcbc46ed61458dbf9c339c87

C:\Users\Admin\AppData\Local\Temp\_isB59E.tmp

MD5 7517b9e0ebd0104cc79ba81384274cdb
SHA1 c5427d7b52d533deabb4902641eeb6e2bf2c865e
SHA256 038bf4e17f9344d1eaa5d2de9a41fa4ebd771efeaf0779765fa428b8105b9c93
SHA512 a51b53e72ad13baa1f1cfd845af8fde96f4afec4065119c2a597313c1dc8c67043c8375ca54601035d22d84b50cc73f9d884cd85180cdeaa2f21805c1bee20d0

C:\Users\Admin\AppData\Local\Temp\{0C0E2779-9CB7-4920-A437-37A84C0F3098}\0x0409.ini

MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

C:\Users\Admin\AppData\Local\Temp\{0C0E2779-9CB7-4920-A437-37A84C0F3098}\_ISMSIDEL.INI

MD5 db9af7503f195df96593ac42d5519075
SHA1 1b487531bad10f77750b8a50aca48593379e5f56
SHA256 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA512 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 07:04

Reported

2024-08-25 07:07

Platform

win10v2004-20240802-en

Max time kernel

102s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp | N/A

Use of msiexec (install) with remote resource

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A (2 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe

"C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe"

C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp

"C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp"

C:\Windows\SysWOW64\MSIEXEC.EXE

MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/allstar/All Star Slots20160209125305.msi" DDC_DID=1454323 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=1454323 DDC_UPDATESTATUSURL=http://190.4.94.65:8080/allstar/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.65:8080/allstar/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~lgc27oj5xy.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 pliuht.cdnpckgs.eu udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp

MD5 b805b8500a08be1317384b954ae0acff
SHA1 091521daaf9d208b4fad59d1bec273779cebbae8
SHA256 f03dcb8a1c3099081cb9fec98369c4c55840b0ecae421b670c5b5cdaf64f0bea
SHA512 b543f30ec61f2d1d6a9400af585576cdb69709eec9b51c14534fc89382fde945b9d0353393a66afc29f935a87ea4523bc044a7a51e1895253398eba676d5bad7

C:\Users\Admin\AppData\Local\Temp\~B98E.tmp

MD5 b988e8eaf0e2b9e295ba59d624190f34
SHA1 3e74acee428150c0bf1d0444a3a2dc5fc22a6307
SHA256 4c77c6717782314118d016fd6cba0d355cc64bbcf5a0d7aaf7284e5591d660a8
SHA512 5236d29a8cd49fb59a786af0b9b2151a639d9e3675fe1ae9ac6ba17660340bca905ff2e37667a1db02092a35175b1e5423e4deebfcbc46ed61458dbf9c339c87

C:\Users\Admin\AppData\Local\Temp\_isB9A0.tmp

MD5 7517b9e0ebd0104cc79ba81384274cdb
SHA1 c5427d7b52d533deabb4902641eeb6e2bf2c865e
SHA256 038bf4e17f9344d1eaa5d2de9a41fa4ebd771efeaf0779765fa428b8105b9c93
SHA512 a51b53e72ad13baa1f1cfd845af8fde96f4afec4065119c2a597313c1dc8c67043c8375ca54601035d22d84b50cc73f9d884cd85180cdeaa2f21805c1bee20d0

C:\Users\Admin\AppData\Local\Temp\{FE9E4952-90CB-413D-8CE4-5A34DBACBFAB}\0x0409.ini

MD5 be345d0260ae12c5f2f337b17e07c217
SHA1 0976ba0982fe34f1c35a0974f6178e15c238ed7b
SHA256 e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
SHA512 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

C:\Users\Admin\AppData\Local\Temp\{FE9E4952-90CB-413D-8CE4-5A34DBACBFAB}\_ISMSIDEL.INI

MD5 db9af7503f195df96593ac42d5519075
SHA1 1b487531bad10f77750b8a50aca48593379e5f56
SHA256 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
SHA512 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b