4557da39d1eddbad9574b3ac0cba36a808bab06457181f5e150a7d10e0655edc

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
06/10/2023, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.da355416688b7885a2646597d4134ad9exe_JC.exe
Size

370KB
MD5

da355416688b7885a2646597d4134ad9
SHA1

9653a81785ccb39dcd9ac3b3c492e13712db7dde
SHA256

4557da39d1eddbad9574b3ac0cba36a808bab06457181f5e150a7d10e0655edc
SHA512

caf2c4e7f8248b6a35a8a2adf7b9872bfd24a4c3d7f8ef464ca6a525d7879fc7205e52227050386c2a737c73f8dc43e5a7c11dc232fa924219bf0003e16ef0cc
SSDEEP

3072:AtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdO5lqwDwy0HKfqsmt:Auj8NDF3OR9/Qe2HdezwXE7mt

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
804	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
3032	casino_extensions.exe
2904	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2964	casino_extensions.exe
2964	casino_extensions.exe
2776	casino_extensions.exe
2776	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2904	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1940	NEAS.da355416688b7885a2646597d4134ad9exe_JC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2964	1940	NEAS.da355416688b7885a2646597d4134ad9exe_JC.exe	28
PID 1940 wrote to memory of 2964	1940	NEAS.da355416688b7885a2646597d4134ad9exe_JC.exe	28
PID 1940 wrote to memory of 2964	1940	NEAS.da355416688b7885a2646597d4134ad9exe_JC.exe	28
PID 1940 wrote to memory of 2964	1940	NEAS.da355416688b7885a2646597d4134ad9exe_JC.exe	28
PID 2964 wrote to memory of 3032	2964	casino_extensions.exe	29
PID 2964 wrote to memory of 3032	2964	casino_extensions.exe	29
PID 2964 wrote to memory of 3032	2964	casino_extensions.exe	29
PID 2964 wrote to memory of 3032	2964	casino_extensions.exe	29
PID 3032 wrote to memory of 2776	3032	casino_extensions.exe	30
PID 3032 wrote to memory of 2776	3032	casino_extensions.exe	30
PID 3032 wrote to memory of 2776	3032	casino_extensions.exe	30
PID 3032 wrote to memory of 2776	3032	casino_extensions.exe	30
PID 2776 wrote to memory of 2904	2776	casino_extensions.exe	31
PID 2776 wrote to memory of 2904	2776	casino_extensions.exe	31
PID 2776 wrote to memory of 2904	2776	casino_extensions.exe	31
PID 2776 wrote to memory of 2904	2776	casino_extensions.exe	31
PID 2904 wrote to memory of 2520	2904	LiveMessageCenter.exe	32
PID 2904 wrote to memory of 2520	2904	LiveMessageCenter.exe	32
PID 2904 wrote to memory of 2520	2904	LiveMessageCenter.exe	32
PID 2904 wrote to memory of 2520	2904	LiveMessageCenter.exe	32
PID 2520 wrote to memory of 804	2520	casino_extensions.exe	34
PID 2520 wrote to memory of 804	2520	casino_extensions.exe	34
PID 2520 wrote to memory of 804	2520	casino_extensions.exe	34
PID 2520 wrote to memory of 804	2520	casino_extensions.exe	34

C:\Users\Admin\AppData\Local\Temp\NEAS.da355416688b7885a2646597d4134ad9exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.da355416688b7885a2646597d4134ad9exe_JC.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:804

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
385KB

MD5
1fbb119ddcf7772e1b8f56f32bcb6c6c

SHA1
5962cd7f2949d1108d04a12d1090f56e48030d68

SHA256
8c379ad0f538f96c175a042846648adc732bf4194a5b00a8baf6543747a21b4d

SHA512
d2233c4fea0b69086729bbb9901de4c44091c26e44ee3bb98ffa6abff5e37ea00925f6aa3092e2e8fa6417ffcf641c64be7e86e56e89eef22f861507ca3110e6

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
385KB

MD5
1fbb119ddcf7772e1b8f56f32bcb6c6c

SHA1
5962cd7f2949d1108d04a12d1090f56e48030d68

SHA256
8c379ad0f538f96c175a042846648adc732bf4194a5b00a8baf6543747a21b4d

SHA512
d2233c4fea0b69086729bbb9901de4c44091c26e44ee3bb98ffa6abff5e37ea00925f6aa3092e2e8fa6417ffcf641c64be7e86e56e89eef22f861507ca3110e6

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
371KB

MD5
74d658ee6691d2a7017841e02ff940d1

SHA1
e14a2bfb68c970c1562facda085bed05c00f6f72

SHA256
f2a6f122a2c026eb56a2bf566b5d7dfc888b7011dd548edcf6e0745a99cb635d

SHA512
4f1cea9b75b211641ff0017865a0125cccb2566d591932b67d58596b846d2ba653e45f2d158dba61c0f035d39eb1592567f664cabb59073452c9e79c715041f8

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
371KB

MD5
74d658ee6691d2a7017841e02ff940d1

SHA1
e14a2bfb68c970c1562facda085bed05c00f6f72

SHA256
f2a6f122a2c026eb56a2bf566b5d7dfc888b7011dd548edcf6e0745a99cb635d

SHA512
4f1cea9b75b211641ff0017865a0125cccb2566d591932b67d58596b846d2ba653e45f2d158dba61c0f035d39eb1592567f664cabb59073452c9e79c715041f8

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
385KB

MD5
1fbb119ddcf7772e1b8f56f32bcb6c6c

SHA1
5962cd7f2949d1108d04a12d1090f56e48030d68

SHA256
8c379ad0f538f96c175a042846648adc732bf4194a5b00a8baf6543747a21b4d

SHA512
d2233c4fea0b69086729bbb9901de4c44091c26e44ee3bb98ffa6abff5e37ea00925f6aa3092e2e8fa6417ffcf641c64be7e86e56e89eef22f861507ca3110e6

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
385KB

MD5
1fbb119ddcf7772e1b8f56f32bcb6c6c

SHA1
5962cd7f2949d1108d04a12d1090f56e48030d68

SHA256
8c379ad0f538f96c175a042846648adc732bf4194a5b00a8baf6543747a21b4d

SHA512
d2233c4fea0b69086729bbb9901de4c44091c26e44ee3bb98ffa6abff5e37ea00925f6aa3092e2e8fa6417ffcf641c64be7e86e56e89eef22f861507ca3110e6

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
371KB

MD5
74d658ee6691d2a7017841e02ff940d1

SHA1
e14a2bfb68c970c1562facda085bed05c00f6f72

SHA256
f2a6f122a2c026eb56a2bf566b5d7dfc888b7011dd548edcf6e0745a99cb635d

SHA512
4f1cea9b75b211641ff0017865a0125cccb2566d591932b67d58596b846d2ba653e45f2d158dba61c0f035d39eb1592567f664cabb59073452c9e79c715041f8

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
371KB

MD5
74d658ee6691d2a7017841e02ff940d1

SHA1
e14a2bfb68c970c1562facda085bed05c00f6f72

SHA256
f2a6f122a2c026eb56a2bf566b5d7dfc888b7011dd548edcf6e0745a99cb635d

SHA512
4f1cea9b75b211641ff0017865a0125cccb2566d591932b67d58596b846d2ba653e45f2d158dba61c0f035d39eb1592567f664cabb59073452c9e79c715041f8

Download Submit
memory/1940-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1940-31-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1940-1-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2520-39-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2776-22-0x00000000003C0000-0x00000000003E5000-memory.dmp

Filesize
148KB

Download
memory/2776-19-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2904-29-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2904-30-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2904-40-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2964-7-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2964-5-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3032-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3032-18-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/3032-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download