700f9227308f17a2b302e33de019fae6cda0c328e02d5220fedef1d0e8bd5f71

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 19:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5af52049e7c7f9af3350b9d48132c7d5.exe
Size

177KB
MD5

5af52049e7c7f9af3350b9d48132c7d5
SHA1

b0ad79c29ad3a58266edcd2d754d2c8760c820d1
SHA256

700f9227308f17a2b302e33de019fae6cda0c328e02d5220fedef1d0e8bd5f71
SHA512

59a963aa5eeea17c7d156edad93d3607c1442e811dcb8eea948e74b262d92a55144c6a2dd2261b376c35db733ab5490d0bb98d2a52806909ae76a17ce15c55d1
SSDEEP

3072:5twizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMDYjKE8YX:juj8NDF3OR9/Qe2HdJ8DYjKQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2644	LiveMessageCenter.exe

Executes dropped EXE 5 IoCs

pid	Process
2648	casino_extensions.exe
2492	Casino_ext.exe
2568	casino_extensions.exe
2520	Casino_ext.exe
2644	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
2216	casino_extensions.exe
2216	casino_extensions.exe
2036	casino_extensions.exe
2036	casino_extensions.exe
2920	casino_extensions.exe
2920	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2492	Casino_ext.exe
2520	Casino_ext.exe
2644	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1912	5af52049e7c7f9af3350b9d48132c7d5.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 2216	1912	5af52049e7c7f9af3350b9d48132c7d5.exe	28
PID 1912 wrote to memory of 2216	1912	5af52049e7c7f9af3350b9d48132c7d5.exe	28
PID 1912 wrote to memory of 2216	1912	5af52049e7c7f9af3350b9d48132c7d5.exe	28
PID 1912 wrote to memory of 2216	1912	5af52049e7c7f9af3350b9d48132c7d5.exe	28
PID 2216 wrote to memory of 2648	2216	casino_extensions.exe	29
PID 2216 wrote to memory of 2648	2216	casino_extensions.exe	29
PID 2216 wrote to memory of 2648	2216	casino_extensions.exe	29
PID 2216 wrote to memory of 2648	2216	casino_extensions.exe	29
PID 2648 wrote to memory of 2492	2648	casino_extensions.exe	30
PID 2648 wrote to memory of 2492	2648	casino_extensions.exe	30
PID 2648 wrote to memory of 2492	2648	casino_extensions.exe	30
PID 2648 wrote to memory of 2492	2648	casino_extensions.exe	30
PID 2492 wrote to memory of 2036	2492	Casino_ext.exe	31
PID 2492 wrote to memory of 2036	2492	Casino_ext.exe	31
PID 2492 wrote to memory of 2036	2492	Casino_ext.exe	31
PID 2492 wrote to memory of 2036	2492	Casino_ext.exe	31
PID 2036 wrote to memory of 2568	2036	casino_extensions.exe	32
PID 2036 wrote to memory of 2568	2036	casino_extensions.exe	32
PID 2036 wrote to memory of 2568	2036	casino_extensions.exe	32
PID 2036 wrote to memory of 2568	2036	casino_extensions.exe	32
PID 2568 wrote to memory of 2520	2568	casino_extensions.exe	33
PID 2568 wrote to memory of 2520	2568	casino_extensions.exe	33
PID 2568 wrote to memory of 2520	2568	casino_extensions.exe	33
PID 2568 wrote to memory of 2520	2568	casino_extensions.exe	33
PID 2520 wrote to memory of 2920	2520	Casino_ext.exe	34
PID 2520 wrote to memory of 2920	2520	Casino_ext.exe	34
PID 2520 wrote to memory of 2920	2520	Casino_ext.exe	34
PID 2520 wrote to memory of 2920	2520	Casino_ext.exe	34
PID 2920 wrote to memory of 2644	2920	casino_extensions.exe	35
PID 2920 wrote to memory of 2644	2920	casino_extensions.exe	35
PID 2920 wrote to memory of 2644	2920	casino_extensions.exe	35
PID 2920 wrote to memory of 2644	2920	casino_extensions.exe	35

C:\Users\Admin\AppData\Local\Temp\5af52049e7c7f9af3350b9d48132c7d5.exe
"C:\Users\Admin\AppData\Local\Temp\5af52049e7c7f9af3350b9d48132c7d5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Deletes itself
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
179KB

MD5
48c27d0539c4c35d47e6866694a01c20

SHA1
79f46378221d8e78b76c628ffb76970a6a93bd9f

SHA256
6d66a054c20811b35dad80c1f81b1e74410c1c7ed650ca6d75e455382ea99e4f

SHA512
302597831729a0468ac40a4a90f37ee780dd6aca63f5a74574a432eb88f3e88b5d633beb54c7948f5285587ac81e9885ccd24007bba43a7713a4f1b1954a80dd

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
188KB

MD5
b8b9e42d67847f942f86c530282e9a69

SHA1
00b64a2d544269bf5f3650fc942e686fdf70dc90

SHA256
6fd82124b20c24c37e71a59b8e9d8df114b155f9c29edac4c9512d6cf37310c4

SHA512
7443f80d1e67dbda0eabde0e891afa9e7b724dd00bc87a612646ea1de9adb1184a5ce48a84202554f8a04ec77e09529f82e34f741fa6380251dae1c50790ee87

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
193KB

MD5
393b5970af4b16c15743c883f123687c

SHA1
26bc3a952c755692adb6ee6cfd3e53990629c765

SHA256
041cebf87be7abc050c306c9e8eeec2acd6579f2b42def9b8813baf4fa186e6e

SHA512
d988db614366eeccd40d9cb7989639c0315c633ac2ff631ddcdd076bdc5fe68c4eaae15970ea27e522fa3e7a1f539b8bd576c9fe070d572fc4d645588e81a74b

Download Submit