f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/03/2024, 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3.exe
Size

398KB
MD5

e8cfd4b9cba73fce65cbcb10a9bb191d
SHA1

fdf4dd9e795db452d9238787c4b81f66de2991dc
SHA256

f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3
SHA512

aa91a83bd075f626502546c4e8348beba532a06230cf7b654da29fbfbeb7132ae8d5cac615d2e09f4c5afb7d5560997e8ede20b590f7a7a67b06e903c3457cfc
SSDEEP

3072:8twizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvtexB3n9Gbpz4p92i13Uz:suj8NDF3OR9/Qe2HdJf+3wbGp91Uz

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 3 IoCs

resource	yara_rule
behavioral1/files/0x000a00000001224e-3.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000c000000012671-15.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x003400000001508a-27.dat	INDICATOR_EXE_Packed_ASPack

Deletes itself 1 IoCs

pid	Process
2748	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
1076	casino_extensions.exe
2208	Casino_ext.exe
2760	casino_extensions.exe
3068	Casino_ext.exe
2640	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
3016	casino_extensions.exe
3016	casino_extensions.exe
1816	casino_extensions.exe
1816	casino_extensions.exe
2572	casino_extensions.exe
2572	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2208	Casino_ext.exe
3068	Casino_ext.exe
2640	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3004	f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 3016	3004	f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3.exe	28
PID 3004 wrote to memory of 3016	3004	f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3.exe	28
PID 3004 wrote to memory of 3016	3004	f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3.exe	28
PID 3004 wrote to memory of 3016	3004	f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3.exe	28
PID 3016 wrote to memory of 1076	3016	casino_extensions.exe	29
PID 3016 wrote to memory of 1076	3016	casino_extensions.exe	29
PID 3016 wrote to memory of 1076	3016	casino_extensions.exe	29
PID 3016 wrote to memory of 1076	3016	casino_extensions.exe	29
PID 1076 wrote to memory of 2208	1076	casino_extensions.exe	30
PID 1076 wrote to memory of 2208	1076	casino_extensions.exe	30
PID 1076 wrote to memory of 2208	1076	casino_extensions.exe	30
PID 1076 wrote to memory of 2208	1076	casino_extensions.exe	30
PID 2208 wrote to memory of 1816	2208	Casino_ext.exe	31
PID 2208 wrote to memory of 1816	2208	Casino_ext.exe	31
PID 2208 wrote to memory of 1816	2208	Casino_ext.exe	31
PID 2208 wrote to memory of 1816	2208	Casino_ext.exe	31
PID 1816 wrote to memory of 2760	1816	casino_extensions.exe	32
PID 1816 wrote to memory of 2760	1816	casino_extensions.exe	32
PID 1816 wrote to memory of 2760	1816	casino_extensions.exe	32
PID 1816 wrote to memory of 2760	1816	casino_extensions.exe	32
PID 2760 wrote to memory of 3068	2760	casino_extensions.exe	33
PID 2760 wrote to memory of 3068	2760	casino_extensions.exe	33
PID 2760 wrote to memory of 3068	2760	casino_extensions.exe	33
PID 2760 wrote to memory of 3068	2760	casino_extensions.exe	33
PID 3068 wrote to memory of 2572	3068	Casino_ext.exe	34
PID 3068 wrote to memory of 2572	3068	Casino_ext.exe	34
PID 3068 wrote to memory of 2572	3068	Casino_ext.exe	34
PID 3068 wrote to memory of 2572	3068	Casino_ext.exe	34
PID 2572 wrote to memory of 2640	2572	casino_extensions.exe	35
PID 2572 wrote to memory of 2640	2572	casino_extensions.exe	35
PID 2572 wrote to memory of 2640	2572	casino_extensions.exe	35
PID 2572 wrote to memory of 2640	2572	casino_extensions.exe	35
PID 2640 wrote to memory of 2580	2640	LiveMessageCenter.exe	36
PID 2640 wrote to memory of 2580	2640	LiveMessageCenter.exe	36
PID 2640 wrote to memory of 2580	2640	LiveMessageCenter.exe	36
PID 2640 wrote to memory of 2580	2640	LiveMessageCenter.exe	36
PID 2580 wrote to memory of 2748	2580	casino_extensions.exe	37
PID 2580 wrote to memory of 2748	2580	casino_extensions.exe	37
PID 2580 wrote to memory of 2748	2580	casino_extensions.exe	37
PID 2580 wrote to memory of 2748	2580	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3.exe
"C:\Users\Admin\AppData\Local\Temp\f88bddf6313044145eeaf098b3b80196c172119280de056cc2a1e74935f585d3.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
403KB

MD5
f1c914dd2d8d8408c74844826685b3d4

SHA1
94c6756e447e4964c82669d1848e754a3663cb75

SHA256
7edbd0b49fabf9ad1d87607f8ee6cda71bf88179204d516050793ddb2d0c0bdb

SHA512
e183dcd53b3e75dcc16379a1cba2b6c7269355b75815488d661e06f39fb8e8a3aa0204a5f3feb933db5340c4e1abefdc5c6036a28b4c7904a09355d55e646654

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
414KB

MD5
6f99752ef8651432be1f988118d4ab97

SHA1
36ea1f1db655b88bc244df36ca9bc051479a3490

SHA256
40de6eddba0b1e060ec72b263373ea6a8520c0ba39c9157c001aaef66cef2f1e

SHA512
2d1f9886d57cea7c5f9892c967869c341fe1c1ec5605ff32d22d23bf271c1c939ce895115322553f1f0418674ebaf29b77332f8c694233a3e3d9d56a184d080e

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
407KB

MD5
e4dade3a4117af08d87f81be4c767e3e

SHA1
6a534dd8cb27ae08a3874a0e7392e286ad6755db

SHA256
64f2832c7bda00584693f12193b4bef2dd0754550130e55b4813da7acd97ac17

SHA512
a2ed6ddb89293858f3ae0b4a52ea178ff33eec221a64d8e9d86946e113571f7ba8d56a9ec47f411570b07086644bd2df26e5f22d472269b044b0dd9a03fc8469

Download Submit