18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171.exe
Size

294KB
MD5

04012df3c7820dc7c607baf023995b25
SHA1

79b0749d1a338bd396dbf019cb5ed8e852969b07
SHA256

18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171
SHA512

510e531fdefac18eb953de131ff536a6ef03321f8eb4006e1e880b6d9030ca988a4ad5ea040a6827a3d6524a5ee6550ef1e0b0e19971715a158a0a7a13a627f8
SSDEEP

3072:4twizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMqle7xa2i1xX2i1FU:ouj8NDF3OR9/Qe2HdJ8RAfXzU

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000001222d-3.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000a000000012248-15.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0035000000015e07-27.dat	INDICATOR_EXE_Packed_ASPack

Deletes itself 1 IoCs

pid	Process
2488	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2904	casino_extensions.exe
2972	Casino_ext.exe
2620	casino_extensions.exe
2848	Casino_ext.exe
2708	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
2504	casino_extensions.exe
2504	casino_extensions.exe
2532	casino_extensions.exe
2532	casino_extensions.exe
2580	casino_extensions.exe
2580	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2972	Casino_ext.exe
2848	Casino_ext.exe
2708	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2164	18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2504	2164	18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171.exe	28
PID 2164 wrote to memory of 2504	2164	18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171.exe	28
PID 2164 wrote to memory of 2504	2164	18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171.exe	28
PID 2164 wrote to memory of 2504	2164	18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171.exe	28
PID 2504 wrote to memory of 2904	2504	casino_extensions.exe	29
PID 2504 wrote to memory of 2904	2504	casino_extensions.exe	29
PID 2504 wrote to memory of 2904	2504	casino_extensions.exe	29
PID 2504 wrote to memory of 2904	2504	casino_extensions.exe	29
PID 2904 wrote to memory of 2972	2904	casino_extensions.exe	30
PID 2904 wrote to memory of 2972	2904	casino_extensions.exe	30
PID 2904 wrote to memory of 2972	2904	casino_extensions.exe	30
PID 2904 wrote to memory of 2972	2904	casino_extensions.exe	30
PID 2972 wrote to memory of 2532	2972	Casino_ext.exe	31
PID 2972 wrote to memory of 2532	2972	Casino_ext.exe	31
PID 2972 wrote to memory of 2532	2972	Casino_ext.exe	31
PID 2972 wrote to memory of 2532	2972	Casino_ext.exe	31
PID 2532 wrote to memory of 2620	2532	casino_extensions.exe	32
PID 2532 wrote to memory of 2620	2532	casino_extensions.exe	32
PID 2532 wrote to memory of 2620	2532	casino_extensions.exe	32
PID 2532 wrote to memory of 2620	2532	casino_extensions.exe	32
PID 2620 wrote to memory of 2848	2620	casino_extensions.exe	33
PID 2620 wrote to memory of 2848	2620	casino_extensions.exe	33
PID 2620 wrote to memory of 2848	2620	casino_extensions.exe	33
PID 2620 wrote to memory of 2848	2620	casino_extensions.exe	33
PID 2848 wrote to memory of 2580	2848	Casino_ext.exe	34
PID 2848 wrote to memory of 2580	2848	Casino_ext.exe	34
PID 2848 wrote to memory of 2580	2848	Casino_ext.exe	34
PID 2848 wrote to memory of 2580	2848	Casino_ext.exe	34
PID 2580 wrote to memory of 2708	2580	casino_extensions.exe	35
PID 2580 wrote to memory of 2708	2580	casino_extensions.exe	35
PID 2580 wrote to memory of 2708	2580	casino_extensions.exe	35
PID 2580 wrote to memory of 2708	2580	casino_extensions.exe	35
PID 2708 wrote to memory of 2728	2708	LiveMessageCenter.exe	36
PID 2708 wrote to memory of 2728	2708	LiveMessageCenter.exe	36
PID 2708 wrote to memory of 2728	2708	LiveMessageCenter.exe	36
PID 2708 wrote to memory of 2728	2708	LiveMessageCenter.exe	36
PID 2728 wrote to memory of 2488	2728	casino_extensions.exe	37
PID 2728 wrote to memory of 2488	2728	casino_extensions.exe	37
PID 2728 wrote to memory of 2488	2728	casino_extensions.exe	37
PID 2728 wrote to memory of 2488	2728	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171.exe
"C:\Users\Admin\AppData\Local\Temp\18c4a35197e731a253e4cc10f6f7fd9bdd9e4ac63e79062acb90f0f985049171.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
310KB

MD5
1c9f5267b23cde7cf822ef0f8e4a308f

SHA1
0ad6843c5afdef82fec12f689123dfa89ce19f18

SHA256
a21e3889ef83b6716e3b194c0f79d583b06568e6c53977d21ac3745d394a5121

SHA512
45789ac1f16dd05e3b234b0ed1fee4f22b2fe9bd0ce30fee4c7e3bce67ffc8e38e5ebfa6a8a691c40aff2cb43d7761e43f5ec774c9afadd34f23a9945e77b818

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
303KB

MD5
70aea836278f7c21e4b3305ed146334c

SHA1
34eca7608d4efc88c4dc377ab8cea3f823dddfbe

SHA256
d026007b093432c77278f4e362dd7929b14df186866d7a2a74b1bf15cc07dc28

SHA512
1bfca5d02331db162a1096e268f752a20e6c61db7424dc991a5731a446f2c9f052c03f1d1e966f7fbbffc11c99fff00bfdf7a25428da726c5fae632b95c0d558

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
301KB

MD5
8c94fb6385478b801a55b9c475c34b6b

SHA1
33cb03e94e816b765626380b5f5e98b470890a46

SHA256
140e9c37ddbcf2787a274df9e50649db7ed7e7c2c74aeec4cbca4b08e43856b3

SHA512
0d92a9b0fcc99b17ed6e40bbdc50ec33fdcf0f4ab1af5a4fdb4d71739451f51e407a3af178bfbb4a174b8415c8fa06ee5e7a395e8add76af7600ea785dae35b7

Download Submit