Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 00:49

General

  • Target
    9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe
  • Size
    640KB
  • MD5
    03e67f76d0f1313dfc784b9106e8d1da
  • SHA1
    b6b362166eb45036573599371a75b56fcdb1c32d
  • SHA256
    9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03
  • SHA512
    f96c521b47eef9dbb015579eb653b97d4fec4deee497cfa601e8620ec54e671cdc178b2c6642adf381d485337818c5939fb11709376e7dbfc13b6c89493b0dfe
  • SSDEEP
    6144:kuj8NDF3OR9/Qe2HdJfwKO5h/h2Xn8Nc97N7S:XOF3ORK3dC5h/h2Xn8Nc97N7S

Score
9/10

Malware Config

Signatures

  • Detects executables packed with ASPack 3 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 9 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe
    "C:\Users\Admin\AppData\Local\Temp\9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\casino_extensions.exe
        C:\Windows\system32\casino_extensions.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\Casino_ext.exe
          C:\Windows\SysWOW64\Casino_ext.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
            "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
            5⤵
            • Loads dropped DLL
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:2976
            • C:\Windows\SysWOW64\casino_extensions.exe
              C:\Windows\system32\casino_extensions.exe
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of WriteProcessMemory
              PID:2480
              • C:\Windows\SysWOW64\Casino_ext.exe
                C:\Windows\SysWOW64\Casino_ext.exe
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2656
                • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                  8⤵
                  • Loads dropped DLL
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:2536
                  • C:\Windows\SysWOW64\LiveMessageCenter.exe
                    C:\Windows\system32\LiveMessageCenter.exe /part2
                    9⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:2464
                    • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                      10⤵
                      • Drops file in System32 directory
                      • Drops file in Program Files directory
                      • Suspicious use of WriteProcessMemory
                      PID:2612
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c $$2028~1.BAT
                        11⤵
                        • Deletes itself
                        PID:2664

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Program Files (x86)\Internet Explorer\$$202803s.bat
    Filesize: 81B
    MD5: 4777bf695815d870d27ed4a38a8f0840
    SHA1: 565412b5182bca7a221448dba78369c42d1c4a0c
    SHA256: c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
    SHA512: 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

  • \Windows\SysWOW64\LiveMessageCenter.exe
    Filesize: 646KB
    MD5: 4844c7816668130117b990f748a6ac53
    SHA1: d86e8137b3118f7847980c241b92daff2376f32e
    SHA256: 00d436438f2460a742e0ce60eb42689de6e17cac07103fa2093063c33c1aa591
    SHA512: fb499f2d71a8e10311b480fd9bf9d62efa2d966e4b2ce920e0ec980596a9cd92b7ce1d538d7725e0939c4140c5e6b9613d8791309c30db984a5f4d9801b6dfb7

  • \Windows\SysWOW64\casino_extensions.exe
    Filesize: 654KB
    MD5: 74ced217c081607ba96acf1ab1762c25
    SHA1: a2676b5721f06282e72ce5aa346f80ca428bff2d
    SHA256: 23fef356c5267227611e5c412bdc3c65b827f2407f0c91a3660be56d33b88475
    SHA512: 2d8870e3e78ec1398efb9c6c2ae58c2c6a7f02feefb119d04321f470c7e1ade69eaac2347fa472cc6060b30edd8c1c9deabc384361d01f1fb55b47edbc1b106c

  • \Windows\SysWOW64\casino_extensions.exe
    Filesize: 643KB
    MD5: 29133e83ce39dc172f1ab7514b17e254
    SHA1: e1e7de1dfd05ca0eddf7377b7f2531e0a67161a3
    SHA256: d6c0394fc12f4b212759f3a7d5eb16b40bb5a1095db73e16b2ac15a8d46bb041
    SHA512: c381dde15e2815934977d10ec9de83a1d12c40592394853b62e192f8d0bdd08217cc8cff234365998447de976fee4368592984910c0b0f66624fce49af9e114d