1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e

General

Target

1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e.exe
Size

826KB
MD5

6ed3b200028cba93bc72ca85551eda1b
SHA1

dfec811af3a0edfd83ed69e94b7e9970aeab67f6
SHA256

1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e
SHA512

ec1dced40f56e02e7ec3617f68189a81e010a185e913fb75a07452091d462baa0d98d101c8b66980c9419b326f4614e23f15f08f5d7fa80472cd4f6a8600e91c
SSDEEP

12288:COF3ORK3dj+z0y/HrF0M4Z1dnknmumic4:P32KNj+z0y/HrF0M4Z1dnknmumic4

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 3 IoCs

resource	yara_rule
behavioral2/files/0x000900000001ea83-4.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x000900000001ea83-5.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x000700000002324d-16.dat	INDICATOR_EXE_Packed_ASPack

Executes dropped EXE 3 IoCs

pid	Process
3692	casino_extensions.exe
2988	Casino_ext.exe
4044	LiveMessageCenter.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2988	Casino_ext.exe
2988	Casino_ext.exe
4044	LiveMessageCenter.exe
4044	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4916	1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 4716	4916	1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e.exe	98
PID 4916 wrote to memory of 4716	4916	1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e.exe	98
PID 4916 wrote to memory of 4716	4916	1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e.exe	98
PID 4716 wrote to memory of 3692	4716	casino_extensions.exe	99
PID 4716 wrote to memory of 3692	4716	casino_extensions.exe	99
PID 4716 wrote to memory of 3692	4716	casino_extensions.exe	99
PID 3692 wrote to memory of 2988	3692	casino_extensions.exe	100
PID 3692 wrote to memory of 2988	3692	casino_extensions.exe	100
PID 3692 wrote to memory of 2988	3692	casino_extensions.exe	100
PID 2988 wrote to memory of 400	2988	Casino_ext.exe	101
PID 2988 wrote to memory of 400	2988	Casino_ext.exe	101
PID 2988 wrote to memory of 400	2988	Casino_ext.exe	101
PID 400 wrote to memory of 4044	400	casino_extensions.exe	103
PID 400 wrote to memory of 4044	400	casino_extensions.exe	103
PID 400 wrote to memory of 4044	400	casino_extensions.exe	103
PID 4044 wrote to memory of 2336	4044	LiveMessageCenter.exe	104
PID 4044 wrote to memory of 2336	4044	LiveMessageCenter.exe	104
PID 4044 wrote to memory of 2336	4044	LiveMessageCenter.exe	104
PID 2336 wrote to memory of 1580	2336	casino_extensions.exe	105
PID 2336 wrote to memory of 1580	2336	casino_extensions.exe	105
PID 2336 wrote to memory of 1580	2336	casino_extensions.exe	105

C:\Users\Admin\AppData\Local\Temp\1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e.exe
"C:\Users\Admin\AppData\Local\Temp\1dfc929f53def482d0a92cdfcb520a8208d7ac96067a57520bd92e59cb5cd50e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        7⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        8⤵
        
        PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3920 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:4412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
835KB

MD5
6ca54ee3a9236db91b6940dae0737e8c

SHA1
08e08ac46f9ee5f4476719fa76cf13d8d896890b

SHA256
493d6bb9f7b1a5e9738044317a55dfbc31c1bcebc90e55c8e335202088a1823c

SHA512
e353b0fb43fd71a19f0f9926da8a22dfe30c4e6a420a7ccfa8aa11a2142a6781cd49856f58481c043fa926d5c924ad705d2eed1fe9c60931ca987b547f983cb5

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
842KB

MD5
d04b8a121187f91bcf7d010d9cb3dfbc

SHA1
6e179d579cb41c3fd61cf5b71cc21bf5a1600267

SHA256
86da759fe7258ea43d84da0aace71efc8a78ef3037ff221a5f243caf72adc53f

SHA512
63542bb9092acc2e80f450dece1a08daad02631ee7fab82b9da0eac8ce3e3f2ab871073652acdbd4ff033b88ce8a09ec298096c335f735fb95b9c711d929eb83

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
600KB

MD5
899be7fbeda266c8ebfb87bf0d1573f2

SHA1
e53124c62cf1905a120a61e55487cc3ad2f5a280

SHA256
95e61bbe6925ebedd73b8af15d5292408a954fcf7c9862216a80bbe0acf55021

SHA512
75c984e50ca6100ab04e9dc2c79cdfd92f2d3525559f5cd999af4116a7550b165531a7871daef8d788a477eaceb6ba321600444f5cefa948468c9e28bf7be75e

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
839KB

MD5
2b56f3df8b224a825689a9a325e35ffd

SHA1
0a7167ec5cef8ecd18b5c1bf12f645087c5c162f

SHA256
69575cf7311b8ca1f2ec61e7444bc5e8df5f7330e0a46eb571d14b480714bb4c

SHA512
2a030f446fc776e6423305c97ba726f6448ff6b2174d3933cff248d720adafdc44c59e01c6c76619dafcf06a52d825798253525fbe43e7f6d301e4b0330c732f

Download Submit

Analysis

Sharing