f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff

General

Target

f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff.exe
Size

651KB
MD5

8556bf3725cb827d2885339c0a378d39
SHA1

de70b0b4f83134db3c7af6302d6938b29b5b3c8c
SHA256

f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff
SHA512

f1fb656e52c49c2711c53742828baf83f420d647645fa481587760ff41b21ffc9ffe5496853cff9a4bac129cd315a5407f349e566b2913d67a19d1bd2050cd78
SSDEEP

3072:AtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWl:Auj8NDF3OR9/Qe2Hdklrn4K3eP75j

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 3 IoCs

resource	yara_rule
behavioral1/files/0x000b000000016056-3.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x00390000000167ef-13.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/1968-20-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2688	casino_extensions.exe
2624	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2684	casino_extensions.exe
2684	casino_extensions.exe
1936	casino_extensions.exe
1936	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2624	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1968	f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2684	1968	f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff.exe	28
PID 1968 wrote to memory of 2684	1968	f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff.exe	28
PID 1968 wrote to memory of 2684	1968	f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff.exe	28
PID 1968 wrote to memory of 2684	1968	f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff.exe	28
PID 2684 wrote to memory of 2688	2684	casino_extensions.exe	29
PID 2684 wrote to memory of 2688	2684	casino_extensions.exe	29
PID 2684 wrote to memory of 2688	2684	casino_extensions.exe	29
PID 2684 wrote to memory of 2688	2684	casino_extensions.exe	29
PID 2688 wrote to memory of 1936	2688	casino_extensions.exe	30
PID 2688 wrote to memory of 1936	2688	casino_extensions.exe	30
PID 2688 wrote to memory of 1936	2688	casino_extensions.exe	30
PID 2688 wrote to memory of 1936	2688	casino_extensions.exe	30
PID 1936 wrote to memory of 2624	1936	casino_extensions.exe	31
PID 1936 wrote to memory of 2624	1936	casino_extensions.exe	31
PID 1936 wrote to memory of 2624	1936	casino_extensions.exe	31
PID 1936 wrote to memory of 2624	1936	casino_extensions.exe	31
PID 2624 wrote to memory of 2672	2624	LiveMessageCenter.exe	32
PID 2624 wrote to memory of 2672	2624	LiveMessageCenter.exe	32
PID 2624 wrote to memory of 2672	2624	LiveMessageCenter.exe	32
PID 2624 wrote to memory of 2672	2624	LiveMessageCenter.exe	32
PID 2672 wrote to memory of 2988	2672	casino_extensions.exe	33
PID 2672 wrote to memory of 2988	2672	casino_extensions.exe	33
PID 2672 wrote to memory of 2988	2672	casino_extensions.exe	33
PID 2672 wrote to memory of 2988	2672	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff.exe
"C:\Users\Admin\AppData\Local\Temp\f45094a65bf223e5b3b743682fee5f118242eb86fcff73fb3f069c0a27a557ff.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
666KB

MD5
6d53137640e0694ed46d9dbb2ff4e844

SHA1
19376553a508b0801bbd049597d085645d75d3b8

SHA256
5c69499638be74143f4f1931cc611e8f1f0660dd2bcbbe4fd1262ca005523a6c

SHA512
7e8c2e91d1b2ffbfee551afd976dd428ef7ccb5f61f535ab7de0d82e6541d02a9aa79110f8095bb6df6af39477adfde8be08dbd3566c033f3388f13ce46e7025

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
666KB

MD5
e8d471dd762881265b0ba3618779f60f

SHA1
d64d867d8ec03bb6a719a048bc0890bb93932c15

SHA256
8decf6dbed8b4594189c94176eb74597dc19aa530bb85fe99e3a492ef985280b

SHA512
1bf88e45d10ed2f60fb4c79be526fe12420ac96196ed02bf060166418ccafb729c02dc163896f3e5148898d7d222bb130c80b2820681d7ff7c823ecd7421d943

Download Submit
memory/1968-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing