Analysis Overview
SHA256
65ec76bf52dbdb94fa4fb5d83b6445f910c33a5288f618e7d91385be660f17eb
Threat Level: Shows suspicious behavior
The file ecb85d95c4aca1202e34c2b125a2c250N.exe was classified as: Shows suspicious behavior.
Malicious Activity Summary
Use of msiexec (install) with remote resource
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 07:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 07:04
Reported
2024-08-25 07:07
Platform
win7-20240708-en
Max time kernel
16s
Max time network
17s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | N/A |
Use of msiexec (install) with remote resource
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe
"C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe"
C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp
"C:\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp"
C:\Windows\SysWOW64\MSIEXEC.EXE
MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/allstar/All Star Slots20160209125305.msi" DDC_DID=1454323 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=1454323 DDC_UPDATESTATUSURL=http://190.4.94.65:8080/allstar/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.65:8080/allstar/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~pcicvvgipa.tmp"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | pliuht.cdnpckgs.eu | udp |
Files
\Users\Admin\AppData\Local\Temp\~pcicvvgipa.tmp
| MD5 | b805b8500a08be1317384b954ae0acff |
| SHA1 | 091521daaf9d208b4fad59d1bec273779cebbae8 |
| SHA256 | f03dcb8a1c3099081cb9fec98369c4c55840b0ecae421b670c5b5cdaf64f0bea |
| SHA512 | b543f30ec61f2d1d6a9400af585576cdb69709eec9b51c14534fc89382fde945b9d0353393a66afc29f935a87ea4523bc044a7a51e1895253398eba676d5bad7 |
C:\Users\Admin\AppData\Local\Temp\~B57C.tmp
| MD5 | b988e8eaf0e2b9e295ba59d624190f34 |
| SHA1 | 3e74acee428150c0bf1d0444a3a2dc5fc22a6307 |
| SHA256 | 4c77c6717782314118d016fd6cba0d355cc64bbcf5a0d7aaf7284e5591d660a8 |
| SHA512 | 5236d29a8cd49fb59a786af0b9b2151a639d9e3675fe1ae9ac6ba17660340bca905ff2e37667a1db02092a35175b1e5423e4deebfcbc46ed61458dbf9c339c87 |
C:\Users\Admin\AppData\Local\Temp\_isB59E.tmp
| MD5 | 7517b9e0ebd0104cc79ba81384274cdb |
| SHA1 | c5427d7b52d533deabb4902641eeb6e2bf2c865e |
| SHA256 | 038bf4e17f9344d1eaa5d2de9a41fa4ebd771efeaf0779765fa428b8105b9c93 |
| SHA512 | a51b53e72ad13baa1f1cfd845af8fde96f4afec4065119c2a597313c1dc8c67043c8375ca54601035d22d84b50cc73f9d884cd85180cdeaa2f21805c1bee20d0 |
C:\Users\Admin\AppData\Local\Temp\{0C0E2779-9CB7-4920-A437-37A84C0F3098}\0x0409.ini
| MD5 | be345d0260ae12c5f2f337b17e07c217 |
| SHA1 | 0976ba0982fe34f1c35a0974f6178e15c238ed7b |
| SHA256 | e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3 |
| SHA512 | 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff |
C:\Users\Admin\AppData\Local\Temp\{0C0E2779-9CB7-4920-A437-37A84C0F3098}\_ISMSIDEL.INI
| MD5 | db9af7503f195df96593ac42d5519075 |
| SHA1 | 1b487531bad10f77750b8a50aca48593379e5f56 |
| SHA256 | 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13 |
| SHA512 | 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 07:04
Reported
2024-08-25 07:07
Platform
win10v2004-20240802-en
Max time kernel
102s
Max time network
110s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp | N/A |
Use of msiexec (install) with remote resource
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4140 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp |
| PID 4140 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp |
| PID 4140 wrote to memory of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp |
| PID 4456 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp | C:\Windows\SysWOW64\MSIEXEC.EXE |
| PID 4456 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp | C:\Windows\SysWOW64\MSIEXEC.EXE |
| PID 4456 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp | C:\Windows\SysWOW64\MSIEXEC.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe
"C:\Users\Admin\AppData\Local\Temp\ecb85d95c4aca1202e34c2b125a2c250N.exe"
C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp
"C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp"
C:\Windows\SysWOW64\MSIEXEC.EXE
MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/allstar/All Star Slots20160209125305.msi" DDC_DID=1454323 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=1454323 DDC_UPDATESTATUSURL=http://190.4.94.65:8080/allstar/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.65:8080/allstar/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~lgc27oj5xy.tmp"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pliuht.cdnpckgs.eu | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\~lgc27oj5xy.tmp
| MD5 | b805b8500a08be1317384b954ae0acff |
| SHA1 | 091521daaf9d208b4fad59d1bec273779cebbae8 |
| SHA256 | f03dcb8a1c3099081cb9fec98369c4c55840b0ecae421b670c5b5cdaf64f0bea |
| SHA512 | b543f30ec61f2d1d6a9400af585576cdb69709eec9b51c14534fc89382fde945b9d0353393a66afc29f935a87ea4523bc044a7a51e1895253398eba676d5bad7 |
C:\Users\Admin\AppData\Local\Temp\~B98E.tmp
| MD5 | b988e8eaf0e2b9e295ba59d624190f34 |
| SHA1 | 3e74acee428150c0bf1d0444a3a2dc5fc22a6307 |
| SHA256 | 4c77c6717782314118d016fd6cba0d355cc64bbcf5a0d7aaf7284e5591d660a8 |
| SHA512 | 5236d29a8cd49fb59a786af0b9b2151a639d9e3675fe1ae9ac6ba17660340bca905ff2e37667a1db02092a35175b1e5423e4deebfcbc46ed61458dbf9c339c87 |
C:\Users\Admin\AppData\Local\Temp\_isB9A0.tmp
| MD5 | 7517b9e0ebd0104cc79ba81384274cdb |
| SHA1 | c5427d7b52d533deabb4902641eeb6e2bf2c865e |
| SHA256 | 038bf4e17f9344d1eaa5d2de9a41fa4ebd771efeaf0779765fa428b8105b9c93 |
| SHA512 | a51b53e72ad13baa1f1cfd845af8fde96f4afec4065119c2a597313c1dc8c67043c8375ca54601035d22d84b50cc73f9d884cd85180cdeaa2f21805c1bee20d0 |
C:\Users\Admin\AppData\Local\Temp\{FE9E4952-90CB-413D-8CE4-5A34DBACBFAB}\0x0409.ini
| MD5 | be345d0260ae12c5f2f337b17e07c217 |
| SHA1 | 0976ba0982fe34f1c35a0974f6178e15c238ed7b |
| SHA256 | e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3 |
| SHA512 | 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff |
C:\Users\Admin\AppData\Local\Temp\{FE9E4952-90CB-413D-8CE4-5A34DBACBFAB}\_ISMSIDEL.INI
| MD5 | db9af7503f195df96593ac42d5519075 |
| SHA1 | 1b487531bad10f77750b8a50aca48593379e5f56 |
| SHA256 | 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13 |
| SHA512 | 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b |