e6bd419ac8863f37c0b92430c8b94b1d413b5809699683463917f3f8cd8faecc

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

752136ab66c661a356a7dfe583a4e093.exe
Size

1.2MB
MD5

752136ab66c661a356a7dfe583a4e093
SHA1

9192374b0469ac82ec245b447fbd3606e162ffc9
SHA256

e6bd419ac8863f37c0b92430c8b94b1d413b5809699683463917f3f8cd8faecc
SHA512

a9629d4edea2259440743eb16d9654ccf885621ad032a59f2634c58cbbc5b68af2c33f04ed01ac88c09e7aac8894f60d919870bc71b3a9fa4bcb9d90010e7bd8
SSDEEP

24576:aGGn++MsJsATY9wouMGSkK2gp+R0JF2g6sI7kDJFcRgzGV0I6qWHpZzdaulDut:aj/MysATHpSkOziQ8B03qWJZzdVlDu

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2872	casino.exe
2952	blocker.exe

Loads dropped DLL 18 IoCs

pid	Process
2188	752136ab66c661a356a7dfe583a4e093.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2872	casino.exe
2872	casino.exe
2872	casino.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2188	752136ab66c661a356a7dfe583a4e093.exe
2952	blocker.exe
2952	blocker.exe
2952	blocker.exe
2872	casino.exe
2872	casino.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	752136ab66c661a356a7dfe583a4e093.exe
File opened (read-only)	\??\A:	752136ab66c661a356a7dfe583a4e093.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2872	2188	752136ab66c661a356a7dfe583a4e093.exe	28
PID 2188 wrote to memory of 2872	2188	752136ab66c661a356a7dfe583a4e093.exe	28
PID 2188 wrote to memory of 2872	2188	752136ab66c661a356a7dfe583a4e093.exe	28
PID 2188 wrote to memory of 2872	2188	752136ab66c661a356a7dfe583a4e093.exe	28
PID 2188 wrote to memory of 2872	2188	752136ab66c661a356a7dfe583a4e093.exe	28
PID 2188 wrote to memory of 2872	2188	752136ab66c661a356a7dfe583a4e093.exe	28
PID 2188 wrote to memory of 2872	2188	752136ab66c661a356a7dfe583a4e093.exe	28
PID 2188 wrote to memory of 2952	2188	752136ab66c661a356a7dfe583a4e093.exe	29
PID 2188 wrote to memory of 2952	2188	752136ab66c661a356a7dfe583a4e093.exe	29
PID 2188 wrote to memory of 2952	2188	752136ab66c661a356a7dfe583a4e093.exe	29
PID 2188 wrote to memory of 2952	2188	752136ab66c661a356a7dfe583a4e093.exe	29
PID 2188 wrote to memory of 2952	2188	752136ab66c661a356a7dfe583a4e093.exe	29
PID 2188 wrote to memory of 2952	2188	752136ab66c661a356a7dfe583a4e093.exe	29
PID 2188 wrote to memory of 2952	2188	752136ab66c661a356a7dfe583a4e093.exe	29

C:\Users\Admin\AppData\Local\Temp\752136ab66c661a356a7dfe583a4e093.exe
"C:\Users\Admin\AppData\Local\Temp\752136ab66c661a356a7dfe583a4e093.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2188
- C:\casino\Golden Palace Casino\casino.exe
  "C:\casino\Golden Palace Casino\casino.exe" /nosplash
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2872
- C:\casino\Golden Palace Casino\blocker.exe
  "C:\casino\Golden Palace Casino\blocker.exe" Golden Palace Casino
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~vis0000\English.vlg

Filesize
13KB

MD5
707e3b6418526ed6729deb4a1307f1f2

SHA1
521a175e2e18ad316c8fbf25aa35c35dbf449668

SHA256
75081f741b450b8049d3a0106121516745bba675681fb490e78b7978238258d5

SHA512
cbf15467cbd0797a8ec781ce8fcae416c9dd30db052e32c85aa717ec955e24f5592ab937c2f8b82e7cf862c09a4a5d767808b56000bf3942da58c457a3fbcc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\rollback.log

Filesize
156B

MD5
866625ed959fee05c4f8f2b9b99eea82

SHA1
7c7e853aa1ec958b485d5a3a972c1bdb40fa28ed

SHA256
116244e4fc3540e2e2428d9e5e64447d4b3256d5264f2f9887f289a2a4b3f94c

SHA512
bfdb4702d24eb626993470291d98e796411f8edd41da39193644db1a6bdda0092d971fdd7ca5003e459c7dfc3ec31bc7e429ec333ce1ede94f9d7d1d92811125

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\rollback.log

Filesize
251B

MD5
a4f958496101a7c5d2497f1867683a66

SHA1
e8e42b4b4c5567e1d4b7360dda1c4cb3b59ea436

SHA256
418a886b451b7c7360d861ec4649d5f356039685f1437ec0f32a0e7f5cae7da1

SHA512
cb6d31c7df0422b89bae1ea74b52795d253fbcad1964d7b67d2163efa6968627b786661ab98c8bf023fa30303a0cf04f93f8a8bd89af206292d375f6f5209f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\rollback.log

Filesize
355B

MD5
88512c58b9396ae8445c672bf5b23a76

SHA1
35cb6ad347e3e597818b0db1a0fa55ee6180c04f

SHA256
827484360bc50fee0be65fdbc953bad97364b18d5430a0e66283f896b0cd4749

SHA512
5bfbab112fe99ebafc81aefe062e62be08313dea54b9c59847738f40926d2477a8c0d9d0fc298c59fc8b148094bb3db348db4a40b533f6fee5ab799995d54612

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\setuplog.txt

Filesize
318B

MD5
3f0068a7f2afa0b2e23e0c8ab19769f2

SHA1
f25d57212dcc7f17c32dabd40817233ccdcf7f7d

SHA256
0ed1656a439798604d9c58f1436b3a12bf45531d21caa1c400963e82e8fb5197

SHA512
7060198e2d26a32126e74bd2707f07c6b6cdda8bea3fc6da60e9bfa2fb023b4c38ec7a1f265ad32da94ff8363f7d2db274fc6358cd481e343f7f8456facddd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\setuplog.txt

Filesize
451B

MD5
8bb5bd674d2a2cbda5d1e24056f8c75c

SHA1
53be9b210c39277183df7fea38ce0de49512a685

SHA256
146f22234d87f96be47cc516cdd5fde86fac01be542c14e9e9ed49e534d2c81c

SHA512
326cd2d24a5f23e8fa8b2301be47472a9f34898bc5eb35b8f48cbe84cdff4c8b9c6fd16eaab8ed5c8583843a7c5fd74e44eb8a53f834177e27da01cbdafe95da

Download Submit
C:\Users\Admin\AppData\Local\Temp\~vis0000\uninstal.log

Filesize
241B

MD5
f08f03f7fc52c0532089bf2cd9f7ab47

SHA1
0669fcdf50db10973c28ed8e519ef4d4b072b965

SHA256
20f3c61f77c58ff86daab6247e6ace619f4a481458763af87bf6173ad475ed07

SHA512
c365997f7f69ef66ca54983bea826b4501fe9a6a2173307304858f94c6c21775700aecd95d370e6614c5cfa9421ded5a44b8aabaf94e633aa84354bd68605c10

Download Submit
C:\casino\Golden Palace Casino\directsounddriver.dll

Filesize
72KB

MD5
9ce36a7322e6f63d3a11eef0144e1a64

SHA1
9004a17f85254263234e9422cc16ca28e5df09cc

SHA256
1b9e8b71b9b4f57f65514191e3f60e9d12fdc854ca26375951120fc61baa5802

SHA512
5ac127fba09dcd6fd18c5038cb58e79f05a9d10ab98e489dbf3a207a4ead772a5019a3f53a1ca15e3b89dd5b195d56200115092f17e11c7806b3c7614a323c3d

Download Submit
C:\casino\Golden Palace Casino\fileinfo.dat

Filesize
19KB

MD5
2481c7295bc634056c24a2b6fb61b551

SHA1
bd3dbe8627ee805d7475082edb1e9ca4dc7722bb

SHA256
e892847193149caacb4f1c9ca0ed6de941453959a397b50b0e500f90aebdda10

SHA512
37524cfdcf7a9e79e37fb613ec8a58cb9d3ad46b2b5a98027a10d676bcd68adcd9a2553ed9ec439e9957f4b1aa30c9750caa4fd7b4482b1af6e5455b1b9b16c3

Download Submit
C:\casino\Golden Palace Casino\gdigraphdriver.dll

Filesize
84KB

MD5
6df1df1823f3ed801b49c3d21c2094c5

SHA1
074dfe579ddadb13f9c0e4f68b80eb08973e07b8

SHA256
55dbbef9c2c50c9ed7c60b0fef61b64963e894dac862ba2901ce85d940c57126

SHA512
73345c68a4649003e1497bee9d6a397270d523c2deef7170341fc3527c98c8739b19afb03a7f5d7a738aea1a7274fe51de26184b421b277bd8554fe296a21e7e

Download Submit
C:\casino\Golden Palace Casino\replacer.exe

Filesize
64KB

MD5
4c65763ea6207c7eb66523bfdabe2239

SHA1
9cd3ffc72ce8258d774fbb30187cb8d02a1dca09

SHA256
07e1de0755a3026fca2fb43d08aeaba486322b3c7deb08ec6f6d5ad1aed5bd46

SHA512
7bdb26e316f36fb27cf6d7f346a90d571e11633f8db89368bf8c5eedc07f24ed9995f5dedb0c4ab8ed83129dd9d586712c63fdf2d0c7a21d9c609c87d19ed2b3

Download Submit
C:\casino\Golden Palace Casino\wavesounddriver.dll

Filesize
60KB

MD5
2ebb346fb88ce0972768a0e333763467

SHA1
bff4bc5fa94ee24c43741e7c44f1e73c6815ef5f

SHA256
d79e63ce3e41d05c3fa8d34b11600b740e5249bc2dadece553b461daea586cdd

SHA512
8a4b0cd98db1641b5937ef5282895efd97d08477dcb30b0279c2df9dd24fa5e6c30d2af000dc21252fec8f379670d8d2d3746bced2c50636af1605975c93c20d

Download Submit
\Users\Admin\AppData\Local\Temp\~vis0000\vise32ex.dll

Filesize
496KB

MD5
db798587868984eb838a71338f6ffe53

SHA1
c9fef0b8e6806137f29beb8c0eae04f1c5bb8c39

SHA256
6d4209a51dedb0aedcdfd5cbed6fc80dbc34b51cd1dc176d788f07b5cdf06642

SHA512
1e6f4ce4156693f9f9a8f70b8b9ff5080a27ac903929ae7aefd277c455d088aaf6b19ddc1edc131eb552eada877462829473885804df7f9246d412754d098c58

Download Submit
\casino\Golden Palace Casino\blocker.exe

Filesize
36KB

MD5
ef4020dae1e38ec388ecac6d13ba4dd0

SHA1
8b512ce38769a49ab54240004f8286706c6ed573

SHA256
3ff064f7fa28091da25b291f516cd6b6e46c7d5494f7e432c3b2f7f87b09aad1

SHA512
af2e657b99edfbd9994dd6ea251b8842b3d53fbb13ff69b0a448953d63240ff83ca59a3021caf065addcfbd0b0be3173760cb0d89739e08f44420faa70ae1392

Download Submit
\casino\Golden Palace Casino\casino.exe

Filesize
1.2MB

MD5
52452ebc3dfd8c8f9b5002a4ef27d154

SHA1
a87b3dc05f6ab77dd36ce914385cf7abe72fab30

SHA256
5d7e68583c8cee8036380b7cf99b38da0928c51ee264d4c5c8b561110a7251e8

SHA512
4276393a9765233050ad00081905853bf9d495c54a9b0e558555279e9d5e8f595f1bbb84f39f47ff3e81eeb27ce79a3c0ee25a917c20365abbffdc2d923628c1

Download Submit
memory/2872-210-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download