a9a3f15f17780e40578c3c344825fa8738f2231aa4f167793abddb2d1d96f51f

General

Target

3345e3d28364c1d9704768c8d900cd00N.exe
Size

1.4MB
MD5

3345e3d28364c1d9704768c8d900cd00
SHA1

eb474b0236488c50305e318ab7f82e5d86b4214e
SHA256

a9a3f15f17780e40578c3c344825fa8738f2231aa4f167793abddb2d1d96f51f
SHA512

bcd16ca277ed6015b7c0abba4b0ef0e2e3200067e796f6f2d159e65ed54e476fae71c9339c8fcff1b9949ea6d7b66a88ca5c3d7f22bf6ac42120e544493f16d3
SSDEEP

24576:AaQqNqgNMu8zSnnUgV33d0d25QDLzQQ6sC1VZyM9:AajNJSLMjnSHklsM9

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	~03m2sivsp1.tmp

Loads dropped DLL 1 IoCs

pid	Process
2672	3345e3d28364c1d9704768c8d900cd00N.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2716	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3345e3d28364c1d9704768c8d900cd00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~03m2sivsp1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2716	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2716	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2716	MSIEXEC.EXE
2716	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2688	2672	3345e3d28364c1d9704768c8d900cd00N.exe	30
PID 2672 wrote to memory of 2688	2672	3345e3d28364c1d9704768c8d900cd00N.exe	30
PID 2672 wrote to memory of 2688	2672	3345e3d28364c1d9704768c8d900cd00N.exe	30
PID 2672 wrote to memory of 2688	2672	3345e3d28364c1d9704768c8d900cd00N.exe	30
PID 2672 wrote to memory of 2688	2672	3345e3d28364c1d9704768c8d900cd00N.exe	30
PID 2672 wrote to memory of 2688	2672	3345e3d28364c1d9704768c8d900cd00N.exe	30
PID 2672 wrote to memory of 2688	2672	3345e3d28364c1d9704768c8d900cd00N.exe	30
PID 2688 wrote to memory of 2716	2688	~03m2sivsp1.tmp	31
PID 2688 wrote to memory of 2716	2688	~03m2sivsp1.tmp	31
PID 2688 wrote to memory of 2716	2688	~03m2sivsp1.tmp	31
PID 2688 wrote to memory of 2716	2688	~03m2sivsp1.tmp	31
PID 2688 wrote to memory of 2716	2688	~03m2sivsp1.tmp	31
PID 2688 wrote to memory of 2716	2688	~03m2sivsp1.tmp	31
PID 2688 wrote to memory of 2716	2688	~03m2sivsp1.tmp	31

C:\Users\Admin\AppData\Local\Temp\3345e3d28364c1d9704768c8d900cd00N.exe
"C:\Users\Admin\AppData\Local\Temp\3345e3d28364c1d9704768c8d900cd00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\~03m2sivsp1.tmp
  "C:\Users\Admin\AppData\Local\Temp\~03m2sivsp1.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/virtual/Virtual Casino20171209041515.msi" DDC_DID=4951870 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=4951870%26CASINONAME=virtualcasino DDC_UPDATESTATUSURL=http://190.4.94.37:8080/virtual/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.94.37:8080/virtual/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~03m2sivsp1.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is259F.tmp

Filesize
1KB

MD5
6efe8348bd3a9359d8343be0f548f68a

SHA1
57b54a6bcba02e575e229e473c421fa23261c6d7

SHA256
d1d09f95c4396f22abb3fb6adf5cee21124c04c774ff40dce5dab3c21d88f720

SHA512
24d2768430b5f5a80b64ab560d5c93f77f784e7cf79e408cef2300c6f386f8edd25234173c306e768374be128533d75c9de91be0585563ebd4426021273f2572

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F2F3B78E-A0E5-42A1-8724-A947CCA9F219}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F2F3B78E-A0E5-42A1-8724-A947CCA9F219}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~03m2sivsp1.tmp

Filesize
1.2MB

MD5
0aa5b466056f3d1d1a45c865733c9fcb

SHA1
dc4761f8d4290ba510a367f1e5486ce4099a444a

SHA256
774470cad648293e3e2b9533d080d651892b15ad84cc6123fe81e9ce38348e16

SHA512
140bc40d21959678b4b8be4ce759cfc0e8837ee35d24fc4e40baa06d92fc9c157450796720628ad96ca160bca138dd72c4806bf09f90995ef3e312b890017741

Download Submit
C:\Users\Admin\AppData\Local\Temp\~259C.tmp

Filesize
5KB

MD5
975fa7c866caa86c06018ec4fab13d32

SHA1
14dee8979f6626d7f1e51939bf4db2ff53d8bac3

SHA256
81460fa02e5bde6a4112743341670d23633ff827b20139fb87705718574ad2d6

SHA512
6c489383777a2f88791f59a8e88a77d1efc1fefd9d338628f571dc180f235be622e667c50d2ceaa15092d5423377394a166a624bf900ceb219e1c05ab1e69dc7

Download Submit

Analysis

Sharing