Analysis

  • max time kernel
    24s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-09-2024 20:15

General

  • Target

    57fa3407e7b7665468a76a5214741360N.exe

  • Size

    1.4MB

  • MD5

    57fa3407e7b7665468a76a5214741360

  • SHA1

    5508bbc7e1926dd1a29f847cf4a2a5652b8a6208

  • SHA256

    2e2dde198571e0cc38f33333b6f4c0f041433ec2da0216350afe254852d835fb

  • SHA512

    e43c59a28b8a09aa811f03f6d27dad309565b71caa6d74ddc7b57111826a4bb6695a63d301ae3b39c882f64c79a3652022d949948b29e822b368d43de048c91b

  • SSDEEP

    24576:JaQMMENl3yEw9yQzgHzRRZpyCFqIvpkbsSyyVingoXhr5kFUMr:JaZ5lDlaQv2fVigo5vMr

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Use of msiexec (install) with remote resource 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57fa3407e7b7665468a76a5214741360N.exe
    "C:\Users\Admin\AppData\Local\Temp\57fa3407e7b7665468a76a5214741360N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\~7w3cyrq1j6.tmp
      "C:\Users\Admin\AppData\Local\Temp\~7w3cyrq1j6.tmp"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\MSIEXEC.EXE
        MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/highnoon/Highnoon Casino20161011034629.msi" DDC_DID=1703205 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=1703205 DDC_UPDATESTATUSURL=http://190.4.95.114:8080/highnoon/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.95.114:8080/highnoon/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~7w3cyrq1j6.tmp"
        3⤵
        • Use of msiexec (install) with remote resource
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_is81E2.tmp

    Filesize

    1KB

    MD5

    e69ad5a5b5275a6a979bd471ae77f48b

    SHA1

    67854e93e7f1efe1964bc9de51814da5e4925d05

    SHA256

    387bee0b1101e59ea898d300b8580b5dc2f663476d90556257854d8e2816e9ff

    SHA512

    331f45479f03ff823b6c6d9bcd84840fbea04b969017b969c0c48646ed66ae9dcfd2d13839001808d715e8b8f8c23df03c2c61a8ef82bb2c97009cefabf86990

  • C:\Users\Admin\AppData\Local\Temp\{264E193A-7692-4BDE-B3C5-1C3212F7BFAF}\0x0409.ini

    Filesize

    21KB

    MD5

    be345d0260ae12c5f2f337b17e07c217

    SHA1

    0976ba0982fe34f1c35a0974f6178e15c238ed7b

    SHA256

    e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

    SHA512

    77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

  • C:\Users\Admin\AppData\Local\Temp\{264E193A-7692-4BDE-B3C5-1C3212F7BFAF}\_ISMSIDEL.INI

    Filesize

    20B

    MD5

    db9af7503f195df96593ac42d5519075

    SHA1

    1b487531bad10f77750b8a50aca48593379e5f56

    SHA256

    0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

    SHA512

    6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

  • C:\Users\Admin\AppData\Local\Temp\~81DF.tmp

    Filesize

    5KB

    MD5

    0b269e9568b7a60ee6e50cbf4abb0187

    SHA1

    bb792789179ba1e93d7846d2b2805af03222de91

    SHA256

    409b2f77c32748a01103542c7c3c0be2a1593d0a0adaf13e7000e44973858b36

    SHA512

    15b3bc325583f856e51fa03ae37b6fa31c57d5ed20c98680f0f5cffffb9ec0d0206049d50d63c35c4a224e73b9d4deb93f745fd245e7cd90943281e5c669eeaa

  • \Users\Admin\AppData\Local\Temp\~7w3cyrq1j6.tmp

    Filesize

    1.2MB

    MD5

    90772c4c353f5ceb32071658ffa49c18

    SHA1

    6662f14b74869a3f0509325ce129cae8a1c8958b

    SHA256

    343ae9bf12f45bdc16b0195ffbd0dd3d84a1777d287193c6d46c368735382add

    SHA512

    8e3cbc754e2fac763bdc55973db764494c42251ce1a9b21be8cf89d7c11c14297c07741bbf73ba18b444a585f27f61e080d98c928c70131e4a7b84c2edf8599e