db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521

Analysis

max time kernel
134s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521.exe
Size

599KB
MD5

4ffe6c1b2513512609c0de724dd81426
SHA1

1abb5d1f2d6c5640b8208c4344c9b6352eecf3c9
SHA256

db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521
SHA512

7c56e1d53381733e9c57f13d0901ce4743aecbac6e8df7385ddd88f2d4413b34f44a62342ccdbe7bd0e842dd8bc253e90d4ff4940b4c0d15f27168df7d19796d
SSDEEP

3072:LtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQuoYKN6LS12isr:Buj8NDF3OR9/Qe2HdklruoYk6LWG

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 5 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022f40-4.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1532-7-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/2964-8-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0007000000023417-13.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0007000000023418-24.dat	INDICATOR_EXE_Packed_ASPack

Executes dropped EXE 11 IoCs

pid	Process
1532	casino_extensions.exe
3568	Casino_ext.exe
60	casino_extensions.exe
1960	Casino_ext.exe
1160	casino_extensions.exe
380	Casino_ext.exe
2316	casino_extensions.exe
4064	Casino_ext.exe
4068	LiveMessageCenter.exe
3464	casino_extensions.exe
3316	Casino_ext.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3568	Casino_ext.exe
3568	Casino_ext.exe
1960	Casino_ext.exe
1960	Casino_ext.exe
380	Casino_ext.exe
380	Casino_ext.exe
4064	Casino_ext.exe
4064	Casino_ext.exe
4068	LiveMessageCenter.exe
4068	LiveMessageCenter.exe
3316	Casino_ext.exe
3316	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2964	db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 4276	2964	db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521.exe	83
PID 2964 wrote to memory of 4276	2964	db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521.exe	83
PID 2964 wrote to memory of 4276	2964	db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521.exe	83
PID 4276 wrote to memory of 1532	4276	casino_extensions.exe	84
PID 4276 wrote to memory of 1532	4276	casino_extensions.exe	84
PID 4276 wrote to memory of 1532	4276	casino_extensions.exe	84
PID 1532 wrote to memory of 3568	1532	casino_extensions.exe	85
PID 1532 wrote to memory of 3568	1532	casino_extensions.exe	85
PID 1532 wrote to memory of 3568	1532	casino_extensions.exe	85
PID 3568 wrote to memory of 4460	3568	Casino_ext.exe	86
PID 3568 wrote to memory of 4460	3568	Casino_ext.exe	86
PID 3568 wrote to memory of 4460	3568	Casino_ext.exe	86
PID 4460 wrote to memory of 60	4460	casino_extensions.exe	87
PID 4460 wrote to memory of 60	4460	casino_extensions.exe	87
PID 4460 wrote to memory of 60	4460	casino_extensions.exe	87
PID 60 wrote to memory of 1960	60	casino_extensions.exe	88
PID 60 wrote to memory of 1960	60	casino_extensions.exe	88
PID 60 wrote to memory of 1960	60	casino_extensions.exe	88
PID 1960 wrote to memory of 996	1960	Casino_ext.exe	89
PID 1960 wrote to memory of 996	1960	Casino_ext.exe	89
PID 1960 wrote to memory of 996	1960	Casino_ext.exe	89
PID 996 wrote to memory of 1160	996	casino_extensions.exe	90
PID 996 wrote to memory of 1160	996	casino_extensions.exe	90
PID 996 wrote to memory of 1160	996	casino_extensions.exe	90
PID 1160 wrote to memory of 380	1160	casino_extensions.exe	91
PID 1160 wrote to memory of 380	1160	casino_extensions.exe	91
PID 1160 wrote to memory of 380	1160	casino_extensions.exe	91
PID 380 wrote to memory of 3556	380	Casino_ext.exe	92
PID 380 wrote to memory of 3556	380	Casino_ext.exe	92
PID 380 wrote to memory of 3556	380	Casino_ext.exe	92
PID 3556 wrote to memory of 2316	3556	casino_extensions.exe	93
PID 3556 wrote to memory of 2316	3556	casino_extensions.exe	93
PID 3556 wrote to memory of 2316	3556	casino_extensions.exe	93
PID 2316 wrote to memory of 4064	2316	casino_extensions.exe	94
PID 2316 wrote to memory of 4064	2316	casino_extensions.exe	94
PID 2316 wrote to memory of 4064	2316	casino_extensions.exe	94
PID 4064 wrote to memory of 2972	4064	Casino_ext.exe	95
PID 4064 wrote to memory of 2972	4064	Casino_ext.exe	95
PID 4064 wrote to memory of 2972	4064	Casino_ext.exe	95
PID 2972 wrote to memory of 4068	2972	casino_extensions.exe	96
PID 2972 wrote to memory of 4068	2972	casino_extensions.exe	96
PID 2972 wrote to memory of 4068	2972	casino_extensions.exe	96
PID 4068 wrote to memory of 1200	4068	LiveMessageCenter.exe	97
PID 4068 wrote to memory of 1200	4068	LiveMessageCenter.exe	97
PID 4068 wrote to memory of 1200	4068	LiveMessageCenter.exe	97
PID 1200 wrote to memory of 3464	1200	casino_extensions.exe	98
PID 1200 wrote to memory of 3464	1200	casino_extensions.exe	98
PID 1200 wrote to memory of 3464	1200	casino_extensions.exe	98
PID 3464 wrote to memory of 3316	3464	casino_extensions.exe	99
PID 3464 wrote to memory of 3316	3464	casino_extensions.exe	99
PID 3464 wrote to memory of 3316	3464	casino_extensions.exe	99
PID 3316 wrote to memory of 1752	3316	Casino_ext.exe	100
PID 3316 wrote to memory of 1752	3316	Casino_ext.exe	100
PID 3316 wrote to memory of 1752	3316	Casino_ext.exe	100
PID 1752 wrote to memory of 2100	1752	casino_extensions.exe	101
PID 1752 wrote to memory of 2100	1752	casino_extensions.exe	101
PID 1752 wrote to memory of 2100	1752	casino_extensions.exe	101

C:\Users\Admin\AppData\Local\Temp\db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521.exe
"C:\Users\Admin\AppData\Local\Temp\db6eeda520ba1de3fc9a415fa4953bfd99aaf2ae788fff04c932aa9b2fb01521.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3568
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4460
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        14⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        20⤵
        
        PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
614KB

MD5
a93b8c0f7aa93f4adbc4ffb0f947b570

SHA1
111422e7c831ea1270cc97f50dffae48df864b52

SHA256
754480968fa37ccde6c9d863135a57006afbb900f26b269ef8c7946029ba48b7

SHA512
783d67e3ce7e150010e2dd334dfc9da8389fe434bba2b63300b1877ec4645a257cacabe589c8a4db06be322746bdf721468d189783cda85ebbc1affcdf0e4d9a

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
604KB

MD5
188595e7067eb4cd50b32b04d3f8e627

SHA1
9c93f40fd10efe46d39d84cc60bc826ac98fe1e3

SHA256
e6672654484dbcf8bcfa53f1b3d7bd68356742911712a1e6762bdc2d5b1f95ab

SHA512
e02a6ff72000490d9b24701adf447caf4cb9187afacdfa433bb9f9effd26d52351e4df90da165158fa3950bd9bd73785848b912649b55dee9934993a54e0a3b3

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
615KB

MD5
f538945e1ce9e17ebd0ebcebdd8fe734

SHA1
f72900459b17a887bb13f6a4a66cd1f5169544dd

SHA256
aa0b23ce59f19dcce2731f3b5d51951557f14ff90cf6c920e4a6b04c04badfbd

SHA512
32be479da525a4d0889a2940f9944055b6f43c697e42ad0d56514da4992c216cf8cd9ab0e991df194587f811ecbacf5f1825d615644d1a4a8fca96be5ff3c230

Download Submit
memory/1532-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2964-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download