9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe
Size

640KB
MD5

03e67f76d0f1313dfc784b9106e8d1da
SHA1

b6b362166eb45036573599371a75b56fcdb1c32d
SHA256

9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03
SHA512

f96c521b47eef9dbb015579eb653b97d4fec4deee497cfa601e8620ec54e671cdc178b2c6642adf381d485337818c5939fb11709376e7dbfc13b6c89493b0dfe
SSDEEP

6144:kuj8NDF3OR9/Qe2HdJfwKO5h/h2Xn8Nc97N7S:XOF3ORK3dC5h/h2Xn8Nc97N7S

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 3 IoCs

resource	yara_rule
behavioral2/files/0x00090000000231f7-4.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x00070000000231fe-11.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x00070000000231ff-21.dat	INDICATOR_EXE_Packed_ASPack

Executes dropped EXE 9 IoCs

pid	Process
1772	casino_extensions.exe
4724	Casino_ext.exe
4728	casino_extensions.exe
4656	Casino_ext.exe
4720	casino_extensions.exe
4784	Casino_ext.exe
3560	LiveMessageCenter.exe
4740	casino_extensions.exe
4504	Casino_ext.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4724	Casino_ext.exe
4724	Casino_ext.exe
4656	Casino_ext.exe
4656	Casino_ext.exe
4784	Casino_ext.exe
4784	Casino_ext.exe
3560	LiveMessageCenter.exe
3560	LiveMessageCenter.exe
4504	Casino_ext.exe
4504	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4808	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 2020	4808	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe	85
PID 4808 wrote to memory of 2020	4808	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe	85
PID 4808 wrote to memory of 2020	4808	9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe	85
PID 2020 wrote to memory of 1772	2020	casino_extensions.exe	86
PID 2020 wrote to memory of 1772	2020	casino_extensions.exe	86
PID 2020 wrote to memory of 1772	2020	casino_extensions.exe	86
PID 1772 wrote to memory of 4724	1772	casino_extensions.exe	87
PID 1772 wrote to memory of 4724	1772	casino_extensions.exe	87
PID 1772 wrote to memory of 4724	1772	casino_extensions.exe	87
PID 4724 wrote to memory of 1260	4724	Casino_ext.exe	89
PID 4724 wrote to memory of 1260	4724	Casino_ext.exe	89
PID 4724 wrote to memory of 1260	4724	Casino_ext.exe	89
PID 1260 wrote to memory of 4728	1260	casino_extensions.exe	90
PID 1260 wrote to memory of 4728	1260	casino_extensions.exe	90
PID 1260 wrote to memory of 4728	1260	casino_extensions.exe	90
PID 4728 wrote to memory of 4656	4728	casino_extensions.exe	91
PID 4728 wrote to memory of 4656	4728	casino_extensions.exe	91
PID 4728 wrote to memory of 4656	4728	casino_extensions.exe	91
PID 4656 wrote to memory of 3020	4656	Casino_ext.exe	93
PID 4656 wrote to memory of 3020	4656	Casino_ext.exe	93
PID 4656 wrote to memory of 3020	4656	Casino_ext.exe	93
PID 3020 wrote to memory of 4720	3020	casino_extensions.exe	94
PID 3020 wrote to memory of 4720	3020	casino_extensions.exe	94
PID 3020 wrote to memory of 4720	3020	casino_extensions.exe	94
PID 4720 wrote to memory of 4784	4720	casino_extensions.exe	95
PID 4720 wrote to memory of 4784	4720	casino_extensions.exe	95
PID 4720 wrote to memory of 4784	4720	casino_extensions.exe	95
PID 4784 wrote to memory of 1360	4784	Casino_ext.exe	96
PID 4784 wrote to memory of 1360	4784	Casino_ext.exe	96
PID 4784 wrote to memory of 1360	4784	Casino_ext.exe	96
PID 1360 wrote to memory of 3560	1360	casino_extensions.exe	97
PID 1360 wrote to memory of 3560	1360	casino_extensions.exe	97
PID 1360 wrote to memory of 3560	1360	casino_extensions.exe	97
PID 3560 wrote to memory of 4584	3560	LiveMessageCenter.exe	98
PID 3560 wrote to memory of 4584	3560	LiveMessageCenter.exe	98
PID 3560 wrote to memory of 4584	3560	LiveMessageCenter.exe	98
PID 4584 wrote to memory of 4740	4584	casino_extensions.exe	99
PID 4584 wrote to memory of 4740	4584	casino_extensions.exe	99
PID 4584 wrote to memory of 4740	4584	casino_extensions.exe	99
PID 4740 wrote to memory of 4504	4740	casino_extensions.exe	100
PID 4740 wrote to memory of 4504	4740	casino_extensions.exe	100
PID 4740 wrote to memory of 4504	4740	casino_extensions.exe	100
PID 4504 wrote to memory of 1496	4504	Casino_ext.exe	102
PID 4504 wrote to memory of 1496	4504	Casino_ext.exe	102
PID 4504 wrote to memory of 1496	4504	Casino_ext.exe	102
PID 1496 wrote to memory of 3500	1496	casino_extensions.exe	103
PID 1496 wrote to memory of 3500	1496	casino_extensions.exe	103
PID 1496 wrote to memory of 3500	1496	casino_extensions.exe	103

C:\Users\Admin\AppData\Local\Temp\9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe
"C:\Users\Admin\AppData\Local\Temp\9ec2eb6d661d673b7725b4376807110854b55e047c56c748c788cbec3738ea03.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1260
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        17⤵
        
        PID:3500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
642KB

MD5
8d75964ecf9a1d6a9c2676f533a085ba

SHA1
361a569cfec170e27dfc1b5bbe6536c438868e33

SHA256
dedac30185d48ff8b11c0d5404bdcf1c069a560419f8b26408707a37e51d3be5

SHA512
aa0c96b3b69d8202fb3ccad847ee1115c83e7ea01cfb680ebc9c2e5ff4853d189f86d98650496ab0018c06bbfd49509fec60d077d2811ee5c09df878876bbebb

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
641KB

MD5
e7bf5a9092810682c83496db340034ae

SHA1
fee0cbc6d328ba8f5a195b33042ea9ea79f73a8a

SHA256
957c3aef8e5a8cbcb0453b719ab0c44bbb9b0e316d00216ea127eff17ed79b00

SHA512
f44c57f1babb71da208d163da6960d0962f49a2808867374e2b2952e42e3f1b63af880a4be32152d0b7ecba03170db6fd8c8d69e496d47a3bf4d95a7b2e60941

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
646KB

MD5
05d8241da6f4abb60ce8cc77c249cbf2

SHA1
40228b5bcd5c348c9936a935b00768fa86406d7c

SHA256
f0936cfa930058ef82b93b782f18ee3a13b120fa3377eea132456a459b233d24

SHA512
66014f16b3359af11f2629cf70a7576b72466ff6c44b098dafca1cbf57fbf6061b19d8f5d02036982bcde7bd6d5adfb3ea08e8b9ca944ee1ed70614bf19d9c8f

Download Submit