84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
05-03-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3.exe
Size

331KB
MD5

47ab16d3ccafa67d43733da20009eaa4
SHA1

fa1abfbf0726dbe09d8f4ec6f45080a1b9f4ce95
SHA256

84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3
SHA512

b7f849dfc6d3d1a52b0c2abb44e57ea43d354d6fe3ccd042c40a39e2d0d3047380bd312a94c5a9c751035abd0078a7efdeaff879d0a6f4c9a720e4d7d8cb8218
SSDEEP

3072:wtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMqle7xa2i1WcEL:Quj8NDF3OR9/Qe2HdJ8RA8cEL

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 3 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012352-3.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000c0000000155f6-15.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0030000000015c6f-27.dat	INDICATOR_EXE_Packed_ASPack

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
3044	casino_extensions.exe
2760	Casino_ext.exe
2548	casino_extensions.exe
2636	Casino_ext.exe
2592	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
2976	casino_extensions.exe
2976	casino_extensions.exe
2528	casino_extensions.exe
2528	casino_extensions.exe
2720	casino_extensions.exe
2720	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2760	Casino_ext.exe
2636	Casino_ext.exe
2592	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2944	84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2976	2944	84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3.exe	28
PID 2944 wrote to memory of 2976	2944	84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3.exe	28
PID 2944 wrote to memory of 2976	2944	84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3.exe	28
PID 2944 wrote to memory of 2976	2944	84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3.exe	28
PID 2976 wrote to memory of 3044	2976	casino_extensions.exe	29
PID 2976 wrote to memory of 3044	2976	casino_extensions.exe	29
PID 2976 wrote to memory of 3044	2976	casino_extensions.exe	29
PID 2976 wrote to memory of 3044	2976	casino_extensions.exe	29
PID 3044 wrote to memory of 2760	3044	casino_extensions.exe	30
PID 3044 wrote to memory of 2760	3044	casino_extensions.exe	30
PID 3044 wrote to memory of 2760	3044	casino_extensions.exe	30
PID 3044 wrote to memory of 2760	3044	casino_extensions.exe	30
PID 2760 wrote to memory of 2528	2760	Casino_ext.exe	31
PID 2760 wrote to memory of 2528	2760	Casino_ext.exe	31
PID 2760 wrote to memory of 2528	2760	Casino_ext.exe	31
PID 2760 wrote to memory of 2528	2760	Casino_ext.exe	31
PID 2528 wrote to memory of 2548	2528	casino_extensions.exe	32
PID 2528 wrote to memory of 2548	2528	casino_extensions.exe	32
PID 2528 wrote to memory of 2548	2528	casino_extensions.exe	32
PID 2528 wrote to memory of 2548	2528	casino_extensions.exe	32
PID 2548 wrote to memory of 2636	2548	casino_extensions.exe	33
PID 2548 wrote to memory of 2636	2548	casino_extensions.exe	33
PID 2548 wrote to memory of 2636	2548	casino_extensions.exe	33
PID 2548 wrote to memory of 2636	2548	casino_extensions.exe	33
PID 2636 wrote to memory of 2720	2636	Casino_ext.exe	34
PID 2636 wrote to memory of 2720	2636	Casino_ext.exe	34
PID 2636 wrote to memory of 2720	2636	Casino_ext.exe	34
PID 2636 wrote to memory of 2720	2636	Casino_ext.exe	34
PID 2720 wrote to memory of 2592	2720	casino_extensions.exe	35
PID 2720 wrote to memory of 2592	2720	casino_extensions.exe	35
PID 2720 wrote to memory of 2592	2720	casino_extensions.exe	35
PID 2720 wrote to memory of 2592	2720	casino_extensions.exe	35
PID 2592 wrote to memory of 2908	2592	LiveMessageCenter.exe	36
PID 2592 wrote to memory of 2908	2592	LiveMessageCenter.exe	36
PID 2592 wrote to memory of 2908	2592	LiveMessageCenter.exe	36
PID 2592 wrote to memory of 2908	2592	LiveMessageCenter.exe	36
PID 2908 wrote to memory of 2788	2908	casino_extensions.exe	37
PID 2908 wrote to memory of 2788	2908	casino_extensions.exe	37
PID 2908 wrote to memory of 2788	2908	casino_extensions.exe	37
PID 2908 wrote to memory of 2788	2908	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3.exe
"C:\Users\Admin\AppData\Local\Temp\84caac39ab4f9feada9b7a5fd321ebb3cb180f4b78ec9fede5efebeb04f9cda3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
333KB

MD5
046b7e07ba979c1b7aeeef19846305f0

SHA1
a430e8e34c6e4fe2f008a200f92f4979e095c5f0

SHA256
f543f4cc92a9228c8ff1382dd9d9f6159f6488db2e40170a92d4fa36fa1073ff

SHA512
da9c7ad4248f23fc2153d936c3890ad5505e8297bfa3402a241d4d3ea9f830daaf0c8ada1c8824fc80365a7adc4a2f086496f4352f5462ed66e54457335b1c76

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
342KB

MD5
6a9627dcec048f570e74430bad48bfa3

SHA1
1b4b77f5bd236cc23232ba1996659afb426e954c

SHA256
36a8ea1ff0cd16907f5b6c15ed2e3d8726f8a1d3734eb1073e6e8c6849f93e74

SHA512
21d6f5c229cd9fa8a1a93ef29e09f8a1aa99631875ec34623a821303930e3f59fb1f99ea9d44f4d2e32a783ce8e900d372dbaed500faa4477ded6fdcf34589d4

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
344KB

MD5
5baf78767f1b693ae914d23b6d70a40a

SHA1
72057d53f882f6d90ad9fb2949ef13689c02fbdc

SHA256
3aa5a5a309f717702a71d6d1af89d1159c963aab40ab7c4da189f0e103bbdddd

SHA512
41df2fc2eb19e7828f58756add7f0f73e69626f69ba064947fd0914661a2c5ac78ee588544d2fbd932bb6392ca5101229e12aa84d7e7d8d59dbcdfa0a9463514

Download Submit