ec0b06a409304d7c95ecfff230701973915ec4986190b40fa276fae549eea3e5

Analysis

max time kernel
117s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 22:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6e21a5f633a45165de4ed8d29755c2a0_JC.exe
Size

487KB
MD5

6e21a5f633a45165de4ed8d29755c2a0
SHA1

d721feed83cbbb24aa0ce04df9a2db667d660d98
SHA256

ec0b06a409304d7c95ecfff230701973915ec4986190b40fa276fae549eea3e5
SHA512

c0d582f9578bfd7109527869ebb5a14fafa447c77f71c7a64862aaecd2f61a567e1a04e44140c33fe1f08c91b8dcfadc41e08ef887c3807607b60dc0bf66a8c9
SSDEEP

3072:vtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvteJ2i1po08hZT/vucOoX:luj8NDF3OR9/Qe2HdJf0no08h1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1724	casino_extensions.exe
2660	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2804	casino_extensions.exe
2804	casino_extensions.exe
1188	casino_extensions.exe
1188	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2660	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2212	6e21a5f633a45165de4ed8d29755c2a0_JC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2804	2212	6e21a5f633a45165de4ed8d29755c2a0_JC.exe	27
PID 2212 wrote to memory of 2804	2212	6e21a5f633a45165de4ed8d29755c2a0_JC.exe	27
PID 2212 wrote to memory of 2804	2212	6e21a5f633a45165de4ed8d29755c2a0_JC.exe	27
PID 2212 wrote to memory of 2804	2212	6e21a5f633a45165de4ed8d29755c2a0_JC.exe	27
PID 2804 wrote to memory of 1724	2804	casino_extensions.exe	28
PID 2804 wrote to memory of 1724	2804	casino_extensions.exe	28
PID 2804 wrote to memory of 1724	2804	casino_extensions.exe	28
PID 2804 wrote to memory of 1724	2804	casino_extensions.exe	28
PID 1724 wrote to memory of 1188	1724	casino_extensions.exe	29
PID 1724 wrote to memory of 1188	1724	casino_extensions.exe	29
PID 1724 wrote to memory of 1188	1724	casino_extensions.exe	29
PID 1724 wrote to memory of 1188	1724	casino_extensions.exe	29
PID 1188 wrote to memory of 2660	1188	casino_extensions.exe	30
PID 1188 wrote to memory of 2660	1188	casino_extensions.exe	30
PID 1188 wrote to memory of 2660	1188	casino_extensions.exe	30
PID 1188 wrote to memory of 2660	1188	casino_extensions.exe	30
PID 2660 wrote to memory of 2736	2660	LiveMessageCenter.exe	31
PID 2660 wrote to memory of 2736	2660	LiveMessageCenter.exe	31
PID 2660 wrote to memory of 2736	2660	LiveMessageCenter.exe	31
PID 2660 wrote to memory of 2736	2660	LiveMessageCenter.exe	31
PID 2736 wrote to memory of 2624	2736	casino_extensions.exe	32
PID 2736 wrote to memory of 2624	2736	casino_extensions.exe	32
PID 2736 wrote to memory of 2624	2736	casino_extensions.exe	32
PID 2736 wrote to memory of 2624	2736	casino_extensions.exe	32

C:\Users\Admin\AppData\Local\Temp\6e21a5f633a45165de4ed8d29755c2a0_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6e21a5f633a45165de4ed8d29755c2a0_JC.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
504KB

MD5
b9622f36303bf7c53efca2fb4d80d20a

SHA1
151d5f5d64ee37ffa3cd019b8d474cbd32bfac90

SHA256
d51ac27bb76cc6d5dcad12b57981f760c39059e1208171c781624dfad906a9cd

SHA512
8532acd8a843a142aa4bd1d6482a05a38403ecbb6cdede7959b49ef94262b758f7950964e45f74df8276755889df97e9d572a53011c669541b83a58a58cc9d02

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
504KB

MD5
b9622f36303bf7c53efca2fb4d80d20a

SHA1
151d5f5d64ee37ffa3cd019b8d474cbd32bfac90

SHA256
d51ac27bb76cc6d5dcad12b57981f760c39059e1208171c781624dfad906a9cd

SHA512
8532acd8a843a142aa4bd1d6482a05a38403ecbb6cdede7959b49ef94262b758f7950964e45f74df8276755889df97e9d572a53011c669541b83a58a58cc9d02

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
492KB

MD5
4fe83aeb8feb61c0baf374eada3fdba3

SHA1
f1c5ce651f47189d5f7c1583c5858a5cbd5e4e2d

SHA256
abcd61d9319c77b36ba8851acfe3d9427c775251b739b69ebecad05014c52cd3

SHA512
b1974281664b76633175f8561875670d225c8723e2083b33329cb760ff7fba04e06aa29aac0f681e9baa3ee59345c4ac576c6f7181ea5438b8ca3995451eff19

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
492KB

MD5
4fe83aeb8feb61c0baf374eada3fdba3

SHA1
f1c5ce651f47189d5f7c1583c5858a5cbd5e4e2d

SHA256
abcd61d9319c77b36ba8851acfe3d9427c775251b739b69ebecad05014c52cd3

SHA512
b1974281664b76633175f8561875670d225c8723e2083b33329cb760ff7fba04e06aa29aac0f681e9baa3ee59345c4ac576c6f7181ea5438b8ca3995451eff19

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
504KB

MD5
b9622f36303bf7c53efca2fb4d80d20a

SHA1
151d5f5d64ee37ffa3cd019b8d474cbd32bfac90

SHA256
d51ac27bb76cc6d5dcad12b57981f760c39059e1208171c781624dfad906a9cd

SHA512
8532acd8a843a142aa4bd1d6482a05a38403ecbb6cdede7959b49ef94262b758f7950964e45f74df8276755889df97e9d572a53011c669541b83a58a58cc9d02

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
504KB

MD5
b9622f36303bf7c53efca2fb4d80d20a

SHA1
151d5f5d64ee37ffa3cd019b8d474cbd32bfac90

SHA256
d51ac27bb76cc6d5dcad12b57981f760c39059e1208171c781624dfad906a9cd

SHA512
8532acd8a843a142aa4bd1d6482a05a38403ecbb6cdede7959b49ef94262b758f7950964e45f74df8276755889df97e9d572a53011c669541b83a58a58cc9d02

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
492KB

MD5
4fe83aeb8feb61c0baf374eada3fdba3

SHA1
f1c5ce651f47189d5f7c1583c5858a5cbd5e4e2d

SHA256
abcd61d9319c77b36ba8851acfe3d9427c775251b739b69ebecad05014c52cd3

SHA512
b1974281664b76633175f8561875670d225c8723e2083b33329cb760ff7fba04e06aa29aac0f681e9baa3ee59345c4ac576c6f7181ea5438b8ca3995451eff19

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
492KB

MD5
4fe83aeb8feb61c0baf374eada3fdba3

SHA1
f1c5ce651f47189d5f7c1583c5858a5cbd5e4e2d

SHA256
abcd61d9319c77b36ba8851acfe3d9427c775251b739b69ebecad05014c52cd3

SHA512
b1974281664b76633175f8561875670d225c8723e2083b33329cb760ff7fba04e06aa29aac0f681e9baa3ee59345c4ac576c6f7181ea5438b8ca3995451eff19

Download Submit