9ce09db478fd6207a5564cfb9ff089f94fe175b7d250ca6a3c4f25d328ab4ffe

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0005f24727852440c278f5db1d1b7504.exe
Size

442KB
MD5

0005f24727852440c278f5db1d1b7504
SHA1

f563f3a15ec2946adca8cac149f40987198b81b4
SHA256

9ce09db478fd6207a5564cfb9ff089f94fe175b7d250ca6a3c4f25d328ab4ffe
SHA512

455ed97f1fe448ff76ca200ef3995467104410048921e8cf1b892686669349dcb33c5d84f34833fc298fdf1b9ee67ae9ced08024153a8d736a02470398009660
SSDEEP

3072:6twizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK+DKYFKs+ZJfDW:+uj8NDF3OR9/Qe2HdJfwKAKO+ZJf6

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2564	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
1244	casino_extensions.exe
2628	Casino_ext.exe
3040	casino_extensions.exe
2604	Casino_ext.exe
2732	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
2368	casino_extensions.exe
2368	casino_extensions.exe
2208	casino_extensions.exe
2208	casino_extensions.exe
2708	casino_extensions.exe
2708	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2628	Casino_ext.exe
2604	Casino_ext.exe
2732	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1940	0005f24727852440c278f5db1d1b7504.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2368	1940	0005f24727852440c278f5db1d1b7504.exe	28
PID 1940 wrote to memory of 2368	1940	0005f24727852440c278f5db1d1b7504.exe	28
PID 1940 wrote to memory of 2368	1940	0005f24727852440c278f5db1d1b7504.exe	28
PID 1940 wrote to memory of 2368	1940	0005f24727852440c278f5db1d1b7504.exe	28
PID 2368 wrote to memory of 1244	2368	casino_extensions.exe	29
PID 2368 wrote to memory of 1244	2368	casino_extensions.exe	29
PID 2368 wrote to memory of 1244	2368	casino_extensions.exe	29
PID 2368 wrote to memory of 1244	2368	casino_extensions.exe	29
PID 1244 wrote to memory of 2628	1244	casino_extensions.exe	30
PID 1244 wrote to memory of 2628	1244	casino_extensions.exe	30
PID 1244 wrote to memory of 2628	1244	casino_extensions.exe	30
PID 1244 wrote to memory of 2628	1244	casino_extensions.exe	30
PID 2628 wrote to memory of 2208	2628	Casino_ext.exe	31
PID 2628 wrote to memory of 2208	2628	Casino_ext.exe	31
PID 2628 wrote to memory of 2208	2628	Casino_ext.exe	31
PID 2628 wrote to memory of 2208	2628	Casino_ext.exe	31
PID 2208 wrote to memory of 3040	2208	casino_extensions.exe	32
PID 2208 wrote to memory of 3040	2208	casino_extensions.exe	32
PID 2208 wrote to memory of 3040	2208	casino_extensions.exe	32
PID 2208 wrote to memory of 3040	2208	casino_extensions.exe	32
PID 3040 wrote to memory of 2604	3040	casino_extensions.exe	33
PID 3040 wrote to memory of 2604	3040	casino_extensions.exe	33
PID 3040 wrote to memory of 2604	3040	casino_extensions.exe	33
PID 3040 wrote to memory of 2604	3040	casino_extensions.exe	33
PID 2604 wrote to memory of 2708	2604	Casino_ext.exe	34
PID 2604 wrote to memory of 2708	2604	Casino_ext.exe	34
PID 2604 wrote to memory of 2708	2604	Casino_ext.exe	34
PID 2604 wrote to memory of 2708	2604	Casino_ext.exe	34
PID 2708 wrote to memory of 2732	2708	casino_extensions.exe	35
PID 2708 wrote to memory of 2732	2708	casino_extensions.exe	35
PID 2708 wrote to memory of 2732	2708	casino_extensions.exe	35
PID 2708 wrote to memory of 2732	2708	casino_extensions.exe	35
PID 2732 wrote to memory of 2780	2732	LiveMessageCenter.exe	36
PID 2732 wrote to memory of 2780	2732	LiveMessageCenter.exe	36
PID 2732 wrote to memory of 2780	2732	LiveMessageCenter.exe	36
PID 2732 wrote to memory of 2780	2732	LiveMessageCenter.exe	36
PID 2780 wrote to memory of 2564	2780	casino_extensions.exe	37
PID 2780 wrote to memory of 2564	2780	casino_extensions.exe	37
PID 2780 wrote to memory of 2564	2780	casino_extensions.exe	37
PID 2780 wrote to memory of 2564	2780	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\0005f24727852440c278f5db1d1b7504.exe
"C:\Users\Admin\AppData\Local\Temp\0005f24727852440c278f5db1d1b7504.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2208
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
444KB

MD5
dfea01a18f83342d9f85a61d77221552

SHA1
f8bce2c593105ab62023499c618be502abe0bbb6

SHA256
2b78d844c9d2d924d51969bc987a2f4d124de9013c377a02d0f9d13a5475d9ac

SHA512
835f3fd617ab635afc4b00ce2cd136a3f6981ca0a4b222eb62052a3c04330f31a9f1a9364222f3371b392a88b7a89bc8fb120da988defac1f873e5dcbcfa56e7

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
458KB

MD5
d558cd0aa883cff99196843a1d9f072b

SHA1
2ca3c1603137a30fed782711f22e209b26b36d0c

SHA256
87b190856bd3e9b589695866048f77e07ec67ac8cccca5a006af5bf0f9fac4c0

SHA512
10901383db76f4fa9fddb518f56b25df0b5d5e079c47f76dec196f100abe5b404951122a384d7dd71bdcaaca26ee15aac4242907471d08dd057f3955683f1735

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
453KB

MD5
ed7d7da039d79f357630580a2654785b

SHA1
29b869caff9d2f6412e1577e243de9a7dd6e4cde

SHA256
f5ed50404738d376c5b9cde4641570bf3d944e1a53ac00455941e7a86e1cbf5a

SHA512
fec80df39873a84a3866d0e726af36627f9be641e991be8b694b1ba4a88c4882c657c1c36bb6eedb2e3e1ceb5c57bcd193da8ef8b74a2d79f4962434720f34e6

Download Submit
memory/1244-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1940-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download