Analysis

- max time kernel: 24s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-09-2024 20:15
Static task: static1

Behavioral task: behavioral1
- Sample: 57fa3407e7b7665468a76a5214741360N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 57fa3407e7b7665468a76a5214741360N.exe
- Resource: win10v2004-20240802-en
General

- Target: 57fa3407e7b7665468a76a5214741360N.exe
- Size: 1.4MB
- MD5: 57fa3407e7b7665468a76a5214741360
- SHA1: 5508bbc7e1926dd1a29f847cf4a2a5652b8a6208
- SHA256: 2e2dde198571e0cc38f33333b6f4c0f041433ec2da0216350afe254852d835fb
- SHA512: e43c59a28b8a09aa811f03f6d27dad309565b71caa6d74ddc7b57111826a4bb6695a63d301ae3b39c882f64c79a3652022d949948b29e822b368d43de048c91b
- SSDEEP: 24576:JaQMMENl3yEw9yQzgHzRRZpyCFqIvpkbsSyyVingoXhr5kFUMr:JaZ5lDlaQv2fVigo5vMr
Malware Config
Signatures

Executes dropped EXE (1 IoC)

| pid | Process |
|---|---|
| 1788 | ~7w3cyrq1j6.tmp |

Loads dropped DLL (1 IoC)

| pid | Process |
|---|---|
| 1032 | 57fa3407e7b7665468a76a5214741360N.exe |

Use of msiexec (install) with remote resource (1 IoC)

| pid | Process |
|---|---|
| 3032 | MSIEXEC.EXE |

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSIEXEC.EXE |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 57fa3407e7b7665468a76a5214741360N.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ~7w3cyrq1j6.tmp |

Suspicious use of AdjustPrivilegeToken (2 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeShutdownPrivilege | 3032 | MSIEXEC.EXE |
| Token: SeIncreaseQuotaPrivilege | 3032 | MSIEXEC.EXE |

Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | Process |
|---|---|
| 3032 | MSIEXEC.EXE |
| 3032 | MSIEXEC.EXE |

Suspicious use of WriteProcessMemory (14 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 1032 wrote to memory of 1788 | 1032 | 57fa3407e7b7665468a76a5214741360N.exe | 28 |
| PID 1032 wrote to memory of 1788 | 1032 | 57fa3407e7b7665468a76a5214741360N.exe | 28 |
| PID 1032 wrote to memory of 1788 | 1032 | 57fa3407e7b7665468a76a5214741360N.exe | 28 |
| PID 1032 wrote to memory of 1788 | 1032 | 57fa3407e7b7665468a76a5214741360N.exe | 28 |
| PID 1032 wrote to memory of 1788 | 1032 | 57fa3407e7b7665468a76a5214741360N.exe | 28 |
| PID 1032 wrote to memory of 1788 | 1032 | 57fa3407e7b7665468a76a5214741360N.exe | 28 |
| PID 1032 wrote to memory of 1788 | 1032 | 57fa3407e7b7665468a76a5214741360N.exe | 28 |
| PID 1788 wrote to memory of 3032 | 1788 | ~7w3cyrq1j6.tmp | 29 |
| PID 1788 wrote to memory of 3032 | 1788 | ~7w3cyrq1j6.tmp | 29 |
| PID 1788 wrote to memory of 3032 | 1788 | ~7w3cyrq1j6.tmp | 29 |
| PID 1788 wrote to memory of 3032 | 1788 | ~7w3cyrq1j6.tmp | 29 |
| PID 1788 wrote to memory of 3032 | 1788 | ~7w3cyrq1j6.tmp | 29 |
| PID 1788 wrote to memory of 3032 | 1788 | ~7w3cyrq1j6.tmp | 29 |
| PID 1788 wrote to memory of 3032 | 1788 | ~7w3cyrq1j6.tmp | 29 |
Processes

1. C:\Users\Admin\AppData\Local\Temp\57fa3407e7b7665468a76a5214741360N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\57fa3407e7b7665468a76a5214741360N.exe"
   PID: 1032
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\~7w3cyrq1j6.tmp (child of PID 1032)
      Command line: "C:\Users\Admin\AppData\Local\Temp\~7w3cyrq1j6.tmp"
      PID: 1788
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\MSIEXEC.EXE (child of PID 1788)
         Command line: MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/highnoon/Highnoon Casino20161011034629.msi" DDC_DID=1703205 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=1703205 DDC_UPDATESTATUSURL=http://190.4.95.114:8080/highnoon/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.95.114:8080/highnoon/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~7w3cyrq1j6.tmp"
         PID: 3032
         - Use of msiexec (install) with remote resource
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1KB
  - MD5: e69ad5a5b5275a6a979bd471ae77f48b
  - SHA1: 67854e93e7f1efe1964bc9de51814da5e4925d05
  - SHA256: 387bee0b1101e59ea898d300b8580b5dc2f663476d90556257854d8e2816e9ff
  - SHA512: 331f45479f03ff823b6c6d9bcd84840fbea04b969017b969c0c48646ed66ae9dcfd2d13839001808d715e8b8f8c23df03c2c61a8ef82bb2c97009cefabf86990

- Filesize: 21KB
  - MD5: be345d0260ae12c5f2f337b17e07c217
  - SHA1: 0976ba0982fe34f1c35a0974f6178e15c238ed7b
  - SHA256: e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
  - SHA512: 77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

- Filesize: 20B
  - MD5: db9af7503f195df96593ac42d5519075
  - SHA1: 1b487531bad10f77750b8a50aca48593379e5f56
  - SHA256: 0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13
  - SHA512: 6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

- Filesize: 5KB
  - MD5: 0b269e9568b7a60ee6e50cbf4abb0187
  - SHA1: bb792789179ba1e93d7846d2b2805af03222de91
  - SHA256: 409b2f77c32748a01103542c7c3c0be2a1593d0a0adaf13e7000e44973858b36
  - SHA512: 15b3bc325583f856e51fa03ae37b6fa31c57d5ed20c98680f0f5cffffb9ec0d0206049d50d63c35c4a224e73b9d4deb93f745fd245e7cd90943281e5c669eeaa

- Filesize: 1.2MB
  - MD5: 90772c4c353f5ceb32071658ffa49c18
  - SHA1: 6662f14b74869a3f0509325ce129cae8a1c8958b
  - SHA256: 343ae9bf12f45bdc16b0195ffbd0dd3d84a1777d287193c6d46c368735382add
  - SHA512: 8e3cbc754e2fac763bdc55973db764494c42251ce1a9b21be8cf89d7c11c14297c07741bbf73ba18b444a585f27f61e080d98c928c70131e4a7b84c2edf8599e