0b0c6853d206d79b61bcd4e9e77354fc35e488d97eac85c922379ce255f74061

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.6ba342f2c4e4d4dd340e31cdec53bf5c_JC.exe
Size

344KB
MD5

6ba342f2c4e4d4dd340e31cdec53bf5c
SHA1

b2a53296661fb66d9e887cd94f2de7690d6af65b
SHA256

0b0c6853d206d79b61bcd4e9e77354fc35e488d97eac85c922379ce255f74061
SHA512

15bbdff2ddba5b2478fe48f1f424859a3dd68afe36858f7d55b4839e1b78eb770d4d4be2674a97ad209046f341746be46829a65e5af7795077217f53a5065103
SSDEEP

3072:WtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQBlZJZE+Xj:Kuj8NDF3OR9/Qe2HdklrBHJZEYj

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1260	casino_extensions.exe
2248	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2200	casino_extensions.exe
2200	casino_extensions.exe
1324	casino_extensions.exe
1324	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2248	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1208	NEAS.6ba342f2c4e4d4dd340e31cdec53bf5c_JC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2200	1208	NEAS.6ba342f2c4e4d4dd340e31cdec53bf5c_JC.exe	28
PID 1208 wrote to memory of 2200	1208	NEAS.6ba342f2c4e4d4dd340e31cdec53bf5c_JC.exe	28
PID 1208 wrote to memory of 2200	1208	NEAS.6ba342f2c4e4d4dd340e31cdec53bf5c_JC.exe	28
PID 1208 wrote to memory of 2200	1208	NEAS.6ba342f2c4e4d4dd340e31cdec53bf5c_JC.exe	28
PID 2200 wrote to memory of 1260	2200	casino_extensions.exe	29
PID 2200 wrote to memory of 1260	2200	casino_extensions.exe	29
PID 2200 wrote to memory of 1260	2200	casino_extensions.exe	29
PID 2200 wrote to memory of 1260	2200	casino_extensions.exe	29
PID 1260 wrote to memory of 1324	1260	casino_extensions.exe	30
PID 1260 wrote to memory of 1324	1260	casino_extensions.exe	30
PID 1260 wrote to memory of 1324	1260	casino_extensions.exe	30
PID 1260 wrote to memory of 1324	1260	casino_extensions.exe	30
PID 1324 wrote to memory of 2248	1324	casino_extensions.exe	34
PID 1324 wrote to memory of 2248	1324	casino_extensions.exe	34
PID 1324 wrote to memory of 2248	1324	casino_extensions.exe	34
PID 1324 wrote to memory of 2248	1324	casino_extensions.exe	34
PID 2248 wrote to memory of 2772	2248	LiveMessageCenter.exe	31
PID 2248 wrote to memory of 2772	2248	LiveMessageCenter.exe	31
PID 2248 wrote to memory of 2772	2248	LiveMessageCenter.exe	31
PID 2248 wrote to memory of 2772	2248	LiveMessageCenter.exe	31
PID 2772 wrote to memory of 3036	2772	casino_extensions.exe	33
PID 2772 wrote to memory of 3036	2772	casino_extensions.exe	33
PID 2772 wrote to memory of 3036	2772	casino_extensions.exe	33
PID 2772 wrote to memory of 3036	2772	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.6ba342f2c4e4d4dd340e31cdec53bf5c_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.6ba342f2c4e4d4dd340e31cdec53bf5c_JC.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2248

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd /c $$2028~1.BAT
  2⤵
  - Deletes itself
  PID:3036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
354KB

MD5
d5077c0c535276007597f7c55b3a8a57

SHA1
ddd12210bf2317dae0beb60fd767ac9f134fbfe3

SHA256
05bf97ddfe6501b2d3fa62783d91c60f9eb63d08651750fb03c599ab1610666b

SHA512
bfbb4807ad26817695168e2ef0d47e6ab8d31bc4b85a267824b4d445c2c6ab392d4c8128172df7d4b5ae14bbece443494cf393d6331865822baae22ed54d0fbb

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
354KB

MD5
d5077c0c535276007597f7c55b3a8a57

SHA1
ddd12210bf2317dae0beb60fd767ac9f134fbfe3

SHA256
05bf97ddfe6501b2d3fa62783d91c60f9eb63d08651750fb03c599ab1610666b

SHA512
bfbb4807ad26817695168e2ef0d47e6ab8d31bc4b85a267824b4d445c2c6ab392d4c8128172df7d4b5ae14bbece443494cf393d6331865822baae22ed54d0fbb

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
356KB

MD5
b45f5fc9af50756efbd009275063c9bd

SHA1
a8256899f383146608eeddf292ccd0b281ac379f

SHA256
5c992ed9eff7d71f305009b0ed803fb50e414a9c7def289acbc6fb7dcef2d1da

SHA512
fd566d00d0a06e196bf44ce3fbc78faa7086097fe13076746132cd799423dacd1d7a850e876b2859125de91a4009737223277406922c18164d416e59c57782d5

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
356KB

MD5
b45f5fc9af50756efbd009275063c9bd

SHA1
a8256899f383146608eeddf292ccd0b281ac379f

SHA256
5c992ed9eff7d71f305009b0ed803fb50e414a9c7def289acbc6fb7dcef2d1da

SHA512
fd566d00d0a06e196bf44ce3fbc78faa7086097fe13076746132cd799423dacd1d7a850e876b2859125de91a4009737223277406922c18164d416e59c57782d5

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
354KB

MD5
d5077c0c535276007597f7c55b3a8a57

SHA1
ddd12210bf2317dae0beb60fd767ac9f134fbfe3

SHA256
05bf97ddfe6501b2d3fa62783d91c60f9eb63d08651750fb03c599ab1610666b

SHA512
bfbb4807ad26817695168e2ef0d47e6ab8d31bc4b85a267824b4d445c2c6ab392d4c8128172df7d4b5ae14bbece443494cf393d6331865822baae22ed54d0fbb

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
354KB

MD5
d5077c0c535276007597f7c55b3a8a57

SHA1
ddd12210bf2317dae0beb60fd767ac9f134fbfe3

SHA256
05bf97ddfe6501b2d3fa62783d91c60f9eb63d08651750fb03c599ab1610666b

SHA512
bfbb4807ad26817695168e2ef0d47e6ab8d31bc4b85a267824b4d445c2c6ab392d4c8128172df7d4b5ae14bbece443494cf393d6331865822baae22ed54d0fbb

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
356KB

MD5
b45f5fc9af50756efbd009275063c9bd

SHA1
a8256899f383146608eeddf292ccd0b281ac379f

SHA256
5c992ed9eff7d71f305009b0ed803fb50e414a9c7def289acbc6fb7dcef2d1da

SHA512
fd566d00d0a06e196bf44ce3fbc78faa7086097fe13076746132cd799423dacd1d7a850e876b2859125de91a4009737223277406922c18164d416e59c57782d5

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
356KB

MD5
b45f5fc9af50756efbd009275063c9bd

SHA1
a8256899f383146608eeddf292ccd0b281ac379f

SHA256
5c992ed9eff7d71f305009b0ed803fb50e414a9c7def289acbc6fb7dcef2d1da

SHA512
fd566d00d0a06e196bf44ce3fbc78faa7086097fe13076746132cd799423dacd1d7a850e876b2859125de91a4009737223277406922c18164d416e59c57782d5

Download Submit