9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe
Size

640KB
MD5

03e67f76d0f1313dfc784b9106e8d1da
SHA1

b6b362166eb45036573599371a75b56fcdb1c32d
SHA256

9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03
SHA512

f96c521b47eef9dbb015579eb653b97d4fec4deee497cfa601e8620ec54e671cdc178b2c6642adf381d485337818c5939fb11709376e7dbfc13b6c89493b0dfe
SSDEEP

6144:kuj8NDF3OR9/Qe2HdJfwKO5h/h2Xn8Nc97N7S:XOF3ORK3dC5h/h2Xn8Nc97N7S

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 3 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012253-3.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x000b000000014457-15.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0038000000014709-27.dat	INDICATOR_EXE_Packed_ASPack

Deletes itself 1 IoCs

pid	Process
2664	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2988	casino_extensions.exe
3048	Casino_ext.exe
2480	casino_extensions.exe
2656	Casino_ext.exe
2464	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
2928	casino_extensions.exe
2928	casino_extensions.exe
2976	casino_extensions.exe
2976	casino_extensions.exe
2536	casino_extensions.exe
2536	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3048	Casino_ext.exe
2656	Casino_ext.exe
2464	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2968	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2928	2968	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe	28
PID 2968 wrote to memory of 2928	2968	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe	28
PID 2968 wrote to memory of 2928	2968	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe	28
PID 2968 wrote to memory of 2928	2968	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe	28
PID 2928 wrote to memory of 2988	2928	casino_extensions.exe	29
PID 2928 wrote to memory of 2988	2928	casino_extensions.exe	29
PID 2928 wrote to memory of 2988	2928	casino_extensions.exe	29
PID 2928 wrote to memory of 2988	2928	casino_extensions.exe	29
PID 2988 wrote to memory of 3048	2988	casino_extensions.exe	30
PID 2988 wrote to memory of 3048	2988	casino_extensions.exe	30
PID 2988 wrote to memory of 3048	2988	casino_extensions.exe	30
PID 2988 wrote to memory of 3048	2988	casino_extensions.exe	30
PID 3048 wrote to memory of 2976	3048	Casino_ext.exe	31
PID 3048 wrote to memory of 2976	3048	Casino_ext.exe	31
PID 3048 wrote to memory of 2976	3048	Casino_ext.exe	31
PID 3048 wrote to memory of 2976	3048	Casino_ext.exe	31
PID 2976 wrote to memory of 2480	2976	casino_extensions.exe	32
PID 2976 wrote to memory of 2480	2976	casino_extensions.exe	32
PID 2976 wrote to memory of 2480	2976	casino_extensions.exe	32
PID 2976 wrote to memory of 2480	2976	casino_extensions.exe	32
PID 2480 wrote to memory of 2656	2480	casino_extensions.exe	33
PID 2480 wrote to memory of 2656	2480	casino_extensions.exe	33
PID 2480 wrote to memory of 2656	2480	casino_extensions.exe	33
PID 2480 wrote to memory of 2656	2480	casino_extensions.exe	33
PID 2656 wrote to memory of 2536	2656	Casino_ext.exe	34
PID 2656 wrote to memory of 2536	2656	Casino_ext.exe	34
PID 2656 wrote to memory of 2536	2656	Casino_ext.exe	34
PID 2656 wrote to memory of 2536	2656	Casino_ext.exe	34
PID 2536 wrote to memory of 2464	2536	casino_extensions.exe	35
PID 2536 wrote to memory of 2464	2536	casino_extensions.exe	35
PID 2536 wrote to memory of 2464	2536	casino_extensions.exe	35
PID 2536 wrote to memory of 2464	2536	casino_extensions.exe	35
PID 2464 wrote to memory of 2612	2464	LiveMessageCenter.exe	36
PID 2464 wrote to memory of 2612	2464	LiveMessageCenter.exe	36
PID 2464 wrote to memory of 2612	2464	LiveMessageCenter.exe	36
PID 2464 wrote to memory of 2612	2464	LiveMessageCenter.exe	36
PID 2612 wrote to memory of 2664	2612	casino_extensions.exe	37
PID 2612 wrote to memory of 2664	2612	casino_extensions.exe	37
PID 2612 wrote to memory of 2664	2612	casino_extensions.exe	37
PID 2612 wrote to memory of 2664	2612	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe
"C:\Users\Admin\AppData\Local\Temp\9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
646KB

MD5
4844c7816668130117b990f748a6ac53

SHA1
d86e8137b3118f7847980c241b92daff2376f32e

SHA256
00d436438f2460a742e0ce60eb42689de6e17cac07103fa2093063c33c1aa591

SHA512
fb499f2d71a8e10311b480fd9bf9d62efa2d966e4b2ce920e0ec980596a9cd92b7ce1d538d7725e0939c4140c5e6b9613d8791309c30db984a5f4d9801b6dfb7

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
654KB

MD5
74ced217c081607ba96acf1ab1762c25

SHA1
a2676b5721f06282e72ce5aa346f80ca428bff2d

SHA256
23fef356c5267227611e5c412bdc3c65b827f2407f0c91a3660be56d33b88475

SHA512
2d8870e3e78ec1398efb9c6c2ae58c2c6a7f02feefb119d04321f470c7e1ade69eaac2347fa472cc6060b30edd8c1c9deabc384361d01f1fb55b47edbc1b106c

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
643KB

MD5
29133e83ce39dc172f1ab7514b17e254

SHA1
e1e7de1dfd05ca0eddf7377b7f2531e0a67161a3

SHA256
d6c0394fc12f4b212759f3a7d5eb16b40bb5a1095db73e16b2ac15a8d46bb041

SHA512
c381dde15e2815934977d10ec9de83a1d12c40592394853b62e192f8d0bdd08217cc8cff234365998447de976fee4368592984910c0b0f66624fce49af9e114d

Download Submit