e7551dadcd1543c0db56ac7eb53dd0238ca53de50abcc1d2b3481a20bfaddc45

General

Target

21e570a76208ef1b4c870d8164209cb0N.exe
Size

1.4MB
MD5

21e570a76208ef1b4c870d8164209cb0
SHA1

ed874da4a7ee8fc74ac8924fbc123826a8eae626
SHA256

e7551dadcd1543c0db56ac7eb53dd0238ca53de50abcc1d2b3481a20bfaddc45
SHA512

8a49c8ed59e234e870ff6b27880908f8e6d433ef40bc388ca22ee34898817aebf6c9613f37aa1a5011c5708e452842a0e5f30fd6277e069284a29dd4bdc32d56
SSDEEP

24576:haQ0JboEx/1w9VMU+SZT+Nkdgwxi5KrKVHabhwlRFcyKlrifMf:haLov9eQEkdgeiB6bilRFylrcMf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2820	~1sup004qq2.tmp

Loads dropped DLL 1 IoCs

pid	Process
2756	21e570a76208ef1b4c870d8164209cb0N.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2552	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~1sup004qq2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21e570a76208ef1b4c870d8164209cb0N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2552	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2552	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2552	MSIEXEC.EXE
2552	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2820	2756	21e570a76208ef1b4c870d8164209cb0N.exe	30
PID 2756 wrote to memory of 2820	2756	21e570a76208ef1b4c870d8164209cb0N.exe	30
PID 2756 wrote to memory of 2820	2756	21e570a76208ef1b4c870d8164209cb0N.exe	30
PID 2756 wrote to memory of 2820	2756	21e570a76208ef1b4c870d8164209cb0N.exe	30
PID 2756 wrote to memory of 2820	2756	21e570a76208ef1b4c870d8164209cb0N.exe	30
PID 2756 wrote to memory of 2820	2756	21e570a76208ef1b4c870d8164209cb0N.exe	30
PID 2756 wrote to memory of 2820	2756	21e570a76208ef1b4c870d8164209cb0N.exe	30
PID 2820 wrote to memory of 2552	2820	~1sup004qq2.tmp	31
PID 2820 wrote to memory of 2552	2820	~1sup004qq2.tmp	31
PID 2820 wrote to memory of 2552	2820	~1sup004qq2.tmp	31
PID 2820 wrote to memory of 2552	2820	~1sup004qq2.tmp	31
PID 2820 wrote to memory of 2552	2820	~1sup004qq2.tmp	31
PID 2820 wrote to memory of 2552	2820	~1sup004qq2.tmp	31
PID 2820 wrote to memory of 2552	2820	~1sup004qq2.tmp	31

C:\Users\Admin\AppData\Local\Temp\21e570a76208ef1b4c870d8164209cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\21e570a76208ef1b4c870d8164209cb0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\~1sup004qq2.tmp
  "C:\Users\Admin\AppData\Local\Temp\~1sup004qq2.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/clubworldcasinos/Club World Casinos20160226123325.msi" DDC_DID=3588453 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=3588453 DDC_UPDATESTATUSURL=http://aux.web01.clubworldgroup.com:8080/clubworld/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://aux.web01.clubworldgroup.com:8080/clubworld/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~1sup004qq2.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_isF2FB.tmp

Filesize
1KB

MD5
d239eb94b2cf2c4552f78325724b3d11

SHA1
1eae7ae9fce2db2345bdc3385217ff2f0dd8b7ee

SHA256
c03d4b975a9efb1ccbce62a5e674afad3686907f19611f57c0ecb2a5ddb63ed2

SHA512
eeb94e6b81de1b24eee8e25016956156dde15a49058b3c68586155b671bda8d427aad0dd2ab6875d0115633197657ac2eb94a8467cc061093465ce433111e268

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D19FFD96-A88B-4F70-A360-82EA345EFDD0}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D19FFD96-A88B-4F70-A360-82EA345EFDD0}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~F2F8.tmp

Filesize
5KB

MD5
74fdc974eeaf6874972af59ead56e57e

SHA1
24f6a37943a4e2be7179e8ba03f8a23c3a21f642

SHA256
cd466ebe7d4712f46a6abf0e432b24440195cb9077c7075917189b8b738a2ad5

SHA512
b9481752b696acade362d93700a6d906a0322a52e6fefb5404058f349d20d826cfe3ca366dd31e2979406cccb7c3153d04ac1f48d2025335fdb2e7f3e7e7343c

Download Submit
\Users\Admin\AppData\Local\Temp\~1sup004qq2.tmp

Filesize
1.2MB

MD5
4786565278f70d77cb81215b0407867d

SHA1
21248be99ce692a24f0419591e5f05a372e3bd00

SHA256
7cc2fa51f88c75cab0173ff56ae161bbc5dcf5e710b39446bb365d968066e58b

SHA512
75114b6932cfe9acf97ad8f7ba90c2d7ad7429cf5d5b1064a31682460c94785a95dd2cfeee3963a42010b67a794832ff4bcf92b4d7ca96101847c0cf06244833

Download Submit

Analysis

Sharing