c00a511d31ef49a72dd155e44bf81e5e667999ad05028720867d088f9147334e

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 19:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.134122a3ab4b755f1c970b2aad8449f0.exe
Size

350KB
MD5

134122a3ab4b755f1c970b2aad8449f0
SHA1

83629fd0a3ffb0f33a5701f878f357561d03391f
SHA256

c00a511d31ef49a72dd155e44bf81e5e667999ad05028720867d088f9147334e
SHA512

53290d26fdb3588ffbeec1c4c57bd8db2ad06ab7f680170ee037b924f63cf1e0c7766598873a1573a855067a7349fed123e3ed5a9d4c418f6d14f5cf41218e57
SSDEEP

3072:BtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdO5lqwDwy0HKVqkNOXsOq+bL6:7uj8NDF3OR9/Qe2HdezwXuOXsOP6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2952	casino_extensions.exe
2616	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2996	casino_extensions.exe
2996	casino_extensions.exe
2944	casino_extensions.exe
2944	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2616	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2372	NEAS.134122a3ab4b755f1c970b2aad8449f0.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2996	2372	NEAS.134122a3ab4b755f1c970b2aad8449f0.exe	28
PID 2372 wrote to memory of 2996	2372	NEAS.134122a3ab4b755f1c970b2aad8449f0.exe	28
PID 2372 wrote to memory of 2996	2372	NEAS.134122a3ab4b755f1c970b2aad8449f0.exe	28
PID 2372 wrote to memory of 2996	2372	NEAS.134122a3ab4b755f1c970b2aad8449f0.exe	28
PID 2996 wrote to memory of 2952	2996	casino_extensions.exe	29
PID 2996 wrote to memory of 2952	2996	casino_extensions.exe	29
PID 2996 wrote to memory of 2952	2996	casino_extensions.exe	29
PID 2996 wrote to memory of 2952	2996	casino_extensions.exe	29
PID 2952 wrote to memory of 2944	2952	casino_extensions.exe	30
PID 2952 wrote to memory of 2944	2952	casino_extensions.exe	30
PID 2952 wrote to memory of 2944	2952	casino_extensions.exe	30
PID 2952 wrote to memory of 2944	2952	casino_extensions.exe	30
PID 2944 wrote to memory of 2616	2944	casino_extensions.exe	31
PID 2944 wrote to memory of 2616	2944	casino_extensions.exe	31
PID 2944 wrote to memory of 2616	2944	casino_extensions.exe	31
PID 2944 wrote to memory of 2616	2944	casino_extensions.exe	31
PID 2616 wrote to memory of 2584	2616	LiveMessageCenter.exe	34
PID 2616 wrote to memory of 2584	2616	LiveMessageCenter.exe	34
PID 2616 wrote to memory of 2584	2616	LiveMessageCenter.exe	34
PID 2616 wrote to memory of 2584	2616	LiveMessageCenter.exe	34
PID 2584 wrote to memory of 2808	2584	casino_extensions.exe	33
PID 2584 wrote to memory of 2808	2584	casino_extensions.exe	33
PID 2584 wrote to memory of 2808	2584	casino_extensions.exe	33
PID 2584 wrote to memory of 2808	2584	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\NEAS.134122a3ab4b755f1c970b2aad8449f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.134122a3ab4b755f1c970b2aad8449f0.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2616
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2584

C:\Windows\SysWOW64\cmd.exe
cmd /c $$2028~1.BAT
1⤵
- Deletes itself
PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
354KB

MD5
5e6f3238785d44ffd64ba5ec43119682

SHA1
e764455fd10bf4000bb8f5d7671709551aac9e06

SHA256
43ec9493c0cf9697892f2cc2fd0ca69fa5ccda0e95b1631256e3bfe377a93d25

SHA512
0b1da46e7f1894a1a8801668e45b4a32451a2a5d46ac3c6c834acf644d3494c446dd066d13954ded1aca30058b0fc548db27f6e5b94c5c75812be36e21a600a2

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
354KB

MD5
5e6f3238785d44ffd64ba5ec43119682

SHA1
e764455fd10bf4000bb8f5d7671709551aac9e06

SHA256
43ec9493c0cf9697892f2cc2fd0ca69fa5ccda0e95b1631256e3bfe377a93d25

SHA512
0b1da46e7f1894a1a8801668e45b4a32451a2a5d46ac3c6c834acf644d3494c446dd066d13954ded1aca30058b0fc548db27f6e5b94c5c75812be36e21a600a2

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
353KB

MD5
fab1bab9e8cfa3231e5cb54183455279

SHA1
2276642f3fcdf0da1e4dc7ecd05c5c3a422e482c

SHA256
13b3b5070d5e65d604a14522a213e1994521b01e0fe7c5d3b72be7edda8afa05

SHA512
52e90d780ba5eaee2984f6a881d1869648a4f8eeff6b3be2713ed5bcf744551ced8c0c7741147220d1fd2a0ef08c08bd695cacb9dc8e1ee6865f575fe2df68f0

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
353KB

MD5
fab1bab9e8cfa3231e5cb54183455279

SHA1
2276642f3fcdf0da1e4dc7ecd05c5c3a422e482c

SHA256
13b3b5070d5e65d604a14522a213e1994521b01e0fe7c5d3b72be7edda8afa05

SHA512
52e90d780ba5eaee2984f6a881d1869648a4f8eeff6b3be2713ed5bcf744551ced8c0c7741147220d1fd2a0ef08c08bd695cacb9dc8e1ee6865f575fe2df68f0

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
354KB

MD5
5e6f3238785d44ffd64ba5ec43119682

SHA1
e764455fd10bf4000bb8f5d7671709551aac9e06

SHA256
43ec9493c0cf9697892f2cc2fd0ca69fa5ccda0e95b1631256e3bfe377a93d25

SHA512
0b1da46e7f1894a1a8801668e45b4a32451a2a5d46ac3c6c834acf644d3494c446dd066d13954ded1aca30058b0fc548db27f6e5b94c5c75812be36e21a600a2

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
354KB

MD5
5e6f3238785d44ffd64ba5ec43119682

SHA1
e764455fd10bf4000bb8f5d7671709551aac9e06

SHA256
43ec9493c0cf9697892f2cc2fd0ca69fa5ccda0e95b1631256e3bfe377a93d25

SHA512
0b1da46e7f1894a1a8801668e45b4a32451a2a5d46ac3c6c834acf644d3494c446dd066d13954ded1aca30058b0fc548db27f6e5b94c5c75812be36e21a600a2

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
353KB

MD5
fab1bab9e8cfa3231e5cb54183455279

SHA1
2276642f3fcdf0da1e4dc7ecd05c5c3a422e482c

SHA256
13b3b5070d5e65d604a14522a213e1994521b01e0fe7c5d3b72be7edda8afa05

SHA512
52e90d780ba5eaee2984f6a881d1869648a4f8eeff6b3be2713ed5bcf744551ced8c0c7741147220d1fd2a0ef08c08bd695cacb9dc8e1ee6865f575fe2df68f0

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
353KB

MD5
fab1bab9e8cfa3231e5cb54183455279

SHA1
2276642f3fcdf0da1e4dc7ecd05c5c3a422e482c

SHA256
13b3b5070d5e65d604a14522a213e1994521b01e0fe7c5d3b72be7edda8afa05

SHA512
52e90d780ba5eaee2984f6a881d1869648a4f8eeff6b3be2713ed5bcf744551ced8c0c7741147220d1fd2a0ef08c08bd695cacb9dc8e1ee6865f575fe2df68f0

Download Submit
memory/2372-30-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-32-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2372-1-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2584-33-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2584-42-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2616-43-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2616-41-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2616-31-0x00000000001B0000-0x00000000001D5000-memory.dmp

Filesize
148KB

Download
memory/2616-28-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2944-18-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2944-22-0x0000000000330000-0x0000000000355000-memory.dmp

Filesize
148KB

Download
memory/2952-29-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2952-19-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download
memory/2952-14-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2996-5-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2996-7-0x0000000000220000-0x0000000000245000-memory.dmp

Filesize
148KB

Download