8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2024, 23:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f.exe
Size

450KB
MD5

9e2d1f12eec9f028a4ddf93d1bb74273
SHA1

a8e9cd62860ca57e258f018156669e0b797a1b22
SHA256

8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f
SHA512

05db5036ad8e630eb54b82c89fd79056a9f1dacf0dcddb1ead6a81f828b47f41b309b4d39df7b1f0eff449c1027be875085eddd80b7a6bfb10f9e72a3d94c9bc
SSDEEP

1536:6chdUBSoGURfoH8XkaqDzYLKzo/5/QUZ0SU5UDsH6OJUTTb5RmVD6seYCb0WNBrk:ySl1Hsmr6ZDsaOundR4D5eYCVjk

Score

9^/10

aspackv2

Malware Config

Signatures

Detects executables packed with ASPack 14 IoCs

resource	yara_rule
behavioral2/files/0x000700000001e59e-4.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/544-7-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0008000000023211-12.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3844-15-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1476-17-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0008000000023214-22.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1772-16-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4540-24-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3284-25-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1108-28-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4340-31-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3696-33-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2888-34-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2288-32-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000700000001e59e-4.dat	aspack_v212_v242
behavioral2/files/0x0008000000023211-12.dat	aspack_v212_v242
behavioral2/files/0x0008000000023214-22.dat	aspack_v212_v242

Executes dropped EXE 7 IoCs

pid	Process
4456	casino_extensions.exe
1772	Casino_ext.exe
1476	casino_extensions.exe
3284	Casino_ext.exe
4340	LiveMessageCenter.exe
2288	casino_extensions.exe
2888	Casino_ext.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1772	Casino_ext.exe
1772	Casino_ext.exe
3284	Casino_ext.exe
3284	Casino_ext.exe
4340	LiveMessageCenter.exe
4340	LiveMessageCenter.exe
2888	Casino_ext.exe
2888	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2508	8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 544	2508	8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f.exe	89
PID 2508 wrote to memory of 544	2508	8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f.exe	89
PID 2508 wrote to memory of 544	2508	8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f.exe	89
PID 544 wrote to memory of 4456	544	casino_extensions.exe	90
PID 544 wrote to memory of 4456	544	casino_extensions.exe	90
PID 544 wrote to memory of 4456	544	casino_extensions.exe	90
PID 4456 wrote to memory of 1772	4456	casino_extensions.exe	91
PID 4456 wrote to memory of 1772	4456	casino_extensions.exe	91
PID 4456 wrote to memory of 1772	4456	casino_extensions.exe	91
PID 1772 wrote to memory of 3844	1772	Casino_ext.exe	92
PID 1772 wrote to memory of 3844	1772	Casino_ext.exe	92
PID 1772 wrote to memory of 3844	1772	Casino_ext.exe	92
PID 3844 wrote to memory of 1476	3844	casino_extensions.exe	93
PID 3844 wrote to memory of 1476	3844	casino_extensions.exe	93
PID 3844 wrote to memory of 1476	3844	casino_extensions.exe	93
PID 1476 wrote to memory of 3284	1476	casino_extensions.exe	94
PID 1476 wrote to memory of 3284	1476	casino_extensions.exe	94
PID 1476 wrote to memory of 3284	1476	casino_extensions.exe	94
PID 3284 wrote to memory of 4540	3284	Casino_ext.exe	95
PID 3284 wrote to memory of 4540	3284	Casino_ext.exe	95
PID 3284 wrote to memory of 4540	3284	Casino_ext.exe	95
PID 4540 wrote to memory of 4340	4540	casino_extensions.exe	96
PID 4540 wrote to memory of 4340	4540	casino_extensions.exe	96
PID 4540 wrote to memory of 4340	4540	casino_extensions.exe	96
PID 4340 wrote to memory of 1108	4340	LiveMessageCenter.exe	97
PID 4340 wrote to memory of 1108	4340	LiveMessageCenter.exe	97
PID 4340 wrote to memory of 1108	4340	LiveMessageCenter.exe	97
PID 1108 wrote to memory of 2288	1108	casino_extensions.exe	98
PID 1108 wrote to memory of 2288	1108	casino_extensions.exe	98
PID 1108 wrote to memory of 2288	1108	casino_extensions.exe	98
PID 2288 wrote to memory of 2888	2288	casino_extensions.exe	99
PID 2288 wrote to memory of 2888	2288	casino_extensions.exe	99
PID 2288 wrote to memory of 2888	2288	casino_extensions.exe	99
PID 2888 wrote to memory of 3696	2888	Casino_ext.exe	100
PID 2888 wrote to memory of 3696	2888	Casino_ext.exe	100
PID 2888 wrote to memory of 3696	2888	Casino_ext.exe	100
PID 3696 wrote to memory of 1292	3696	casino_extensions.exe	101
PID 3696 wrote to memory of 1292	3696	casino_extensions.exe	101
PID 3696 wrote to memory of 1292	3696	casino_extensions.exe	101

C:\Users\Admin\AppData\Local\Temp\8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f.exe
"C:\Users\Admin\AppData\Local\Temp\8e4cb736fe2182b18fd872b497f193bba0d5a222a9085007232c8f6c0b14df1f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1772
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3844
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        14⤵
        
        PID:1292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
452KB

MD5
e66d3d6631b92c132a797517db489cbf

SHA1
441557fbeaff4cd84cbb470ec450ca5313db651f

SHA256
ec3b5b41fb93c4cfc3767db976d65e13e57249ad2ca7140f9cc4d64aeebab9d6

SHA512
152be9037d3af1002b86977045733e69836c617c197b31ad97589916fe3f102a3a1c6708aff55080c8cb3ada13c9a63bd38d03d4ddd989580ddb23e9c65e1241

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
454KB

MD5
c5f7b3aed49b7b3a2e8bf34673e97e8e

SHA1
99c82c8f6dd28004dafdd57909e1b5980dc44767

SHA256
8c573f99e044accf2eb23d91a4b0f7cf9be8fe9cbb958172d6c37bfee6d4261f

SHA512
fd76fcbf501aeb40358180f4d57ec9535c26825fb12d629e515e4a4b58d7370adcdd27774b2e7a0dfd0b4ecaed6829786870be6319f777c46ae53535e6c7e189

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
460KB

MD5
9bfea3ea7e75a58ba2762a763d735dfe

SHA1
ce54204f95bd49ed3e482ed27bc3a66d01e2cf02

SHA256
85a66328e2dbbb1a7a239980a118291d032989d5d38c7d50a2442d05cdb5255f

SHA512
f5858b460bb5726567d4131cfc6b49eeef19ec0cf66e519e1709c838156869a990f0d7986b91c17bc89409df452cdb5bbca84750399347eec8b8b607749e3e31

Download Submit
memory/544-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1108-28-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1476-17-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1772-16-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2288-32-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2888-34-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3284-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3696-33-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3844-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4340-31-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4540-24-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download