fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53.exe
Size

591KB
MD5

94cbb3ff87af7ae6950b9840d8c1d7aa
SHA1

15f2189c63ff8ef152f525b2e5331833088fbdfc
SHA256

fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53
SHA512

66b642416be1c5136cfee45a521b382a59e7631e30fc8fa25b5a31f03e5846e01c9a0ea65ef333f9ee8c80de15813629e8ec0a0a3609951d3c4803974a8bdd7a
SSDEEP

3072:jtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnjQ1F4AE4//B:puj8NDF3OR9/Qe2Hdklrnsx

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 5 IoCs

resource	yara_rule
behavioral2/files/0x000800000002327d-4.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4696-7-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1768-8-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0007000000023416-13.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0007000000023417-30.dat	INDICATOR_EXE_Packed_ASPack

Executes dropped EXE 17 IoCs

pid	Process
1768	casino_extensions.exe
4596	Casino_ext.exe
4580	casino_extensions.exe
1576	Casino_ext.exe
1372	casino_extensions.exe
1404	Casino_ext.exe
2276	casino_extensions.exe
1896	Casino_ext.exe
5096	casino_extensions.exe
4872	Casino_ext.exe
4664	casino_extensions.exe
1868	Casino_ext.exe
3312	casino_extensions.exe
4344	Casino_ext.exe
3768	LiveMessageCenter.exe
1428	casino_extensions.exe
4780	Casino_ext.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4596	Casino_ext.exe
4596	Casino_ext.exe
1576	Casino_ext.exe
1576	Casino_ext.exe
1404	Casino_ext.exe
1404	Casino_ext.exe
1896	Casino_ext.exe
1896	Casino_ext.exe
4872	Casino_ext.exe
4872	Casino_ext.exe
1868	Casino_ext.exe
1868	Casino_ext.exe
4344	Casino_ext.exe
4344	Casino_ext.exe
3768	LiveMessageCenter.exe
3768	LiveMessageCenter.exe
4780	Casino_ext.exe
4780	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4696	fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 2624	4696	fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53.exe	82
PID 4696 wrote to memory of 2624	4696	fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53.exe	82
PID 4696 wrote to memory of 2624	4696	fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53.exe	82
PID 2624 wrote to memory of 1768	2624	casino_extensions.exe	83
PID 2624 wrote to memory of 1768	2624	casino_extensions.exe	83
PID 2624 wrote to memory of 1768	2624	casino_extensions.exe	83
PID 1768 wrote to memory of 4596	1768	casino_extensions.exe	84
PID 1768 wrote to memory of 4596	1768	casino_extensions.exe	84
PID 1768 wrote to memory of 4596	1768	casino_extensions.exe	84
PID 4596 wrote to memory of 2248	4596	Casino_ext.exe	85
PID 4596 wrote to memory of 2248	4596	Casino_ext.exe	85
PID 4596 wrote to memory of 2248	4596	Casino_ext.exe	85
PID 2248 wrote to memory of 4580	2248	casino_extensions.exe	86
PID 2248 wrote to memory of 4580	2248	casino_extensions.exe	86
PID 2248 wrote to memory of 4580	2248	casino_extensions.exe	86
PID 4580 wrote to memory of 1576	4580	casino_extensions.exe	87
PID 4580 wrote to memory of 1576	4580	casino_extensions.exe	87
PID 4580 wrote to memory of 1576	4580	casino_extensions.exe	87
PID 1576 wrote to memory of 1704	1576	Casino_ext.exe	88
PID 1576 wrote to memory of 1704	1576	Casino_ext.exe	88
PID 1576 wrote to memory of 1704	1576	Casino_ext.exe	88
PID 1704 wrote to memory of 1372	1704	casino_extensions.exe	89
PID 1704 wrote to memory of 1372	1704	casino_extensions.exe	89
PID 1704 wrote to memory of 1372	1704	casino_extensions.exe	89
PID 1372 wrote to memory of 1404	1372	casino_extensions.exe	90
PID 1372 wrote to memory of 1404	1372	casino_extensions.exe	90
PID 1372 wrote to memory of 1404	1372	casino_extensions.exe	90
PID 1404 wrote to memory of 4588	1404	Casino_ext.exe	91
PID 1404 wrote to memory of 4588	1404	Casino_ext.exe	91
PID 1404 wrote to memory of 4588	1404	Casino_ext.exe	91
PID 4588 wrote to memory of 2276	4588	casino_extensions.exe	93
PID 4588 wrote to memory of 2276	4588	casino_extensions.exe	93
PID 4588 wrote to memory of 2276	4588	casino_extensions.exe	93
PID 2276 wrote to memory of 1896	2276	casino_extensions.exe	94
PID 2276 wrote to memory of 1896	2276	casino_extensions.exe	94
PID 2276 wrote to memory of 1896	2276	casino_extensions.exe	94
PID 1896 wrote to memory of 1844	1896	Casino_ext.exe	95
PID 1896 wrote to memory of 1844	1896	Casino_ext.exe	95
PID 1896 wrote to memory of 1844	1896	Casino_ext.exe	95
PID 1844 wrote to memory of 5096	1844	casino_extensions.exe	96
PID 1844 wrote to memory of 5096	1844	casino_extensions.exe	96
PID 1844 wrote to memory of 5096	1844	casino_extensions.exe	96
PID 5096 wrote to memory of 4872	5096	casino_extensions.exe	97
PID 5096 wrote to memory of 4872	5096	casino_extensions.exe	97
PID 5096 wrote to memory of 4872	5096	casino_extensions.exe	97
PID 4872 wrote to memory of 3688	4872	Casino_ext.exe	98
PID 4872 wrote to memory of 3688	4872	Casino_ext.exe	98
PID 4872 wrote to memory of 3688	4872	Casino_ext.exe	98
PID 3688 wrote to memory of 4664	3688	casino_extensions.exe	100
PID 3688 wrote to memory of 4664	3688	casino_extensions.exe	100
PID 3688 wrote to memory of 4664	3688	casino_extensions.exe	100
PID 4664 wrote to memory of 1868	4664	casino_extensions.exe	101
PID 4664 wrote to memory of 1868	4664	casino_extensions.exe	101
PID 4664 wrote to memory of 1868	4664	casino_extensions.exe	101
PID 1868 wrote to memory of 1480	1868	Casino_ext.exe	102
PID 1868 wrote to memory of 1480	1868	Casino_ext.exe	102
PID 1868 wrote to memory of 1480	1868	Casino_ext.exe	102
PID 1480 wrote to memory of 3312	1480	casino_extensions.exe	103
PID 1480 wrote to memory of 3312	1480	casino_extensions.exe	103
PID 1480 wrote to memory of 3312	1480	casino_extensions.exe	103
PID 3312 wrote to memory of 4344	3312	casino_extensions.exe	104
PID 3312 wrote to memory of 4344	3312	casino_extensions.exe	104
PID 3312 wrote to memory of 4344	3312	casino_extensions.exe	104
PID 4344 wrote to memory of 1412	4344	Casino_ext.exe	105

C:\Users\Admin\AppData\Local\Temp\fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53.exe
"C:\Users\Admin\AppData\Local\Temp\fd75da62d8c4e4f38a9671dc21ac3d7254d72b35e810e727c7f82b99967d4a53.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        14⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        17⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        20⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        23⤵
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        24⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3768
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        25⤵
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        27⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4780
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        28⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        29⤵
        
        PID:4764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
598KB

MD5
99ebd02921b1d78e4ba54a53e4298b58

SHA1
ff850ebd88e3ea5265e44d46a48d423174ecbf7c

SHA256
62711014f90aaf5366d8e37aeaad4e48120fd7f4bcf55a707f282c04e6b8ac2a

SHA512
489ba12098287f7c8322feaa049f30faa4d6a26550258216cd5071c98a0e18325adc78c43f1e1c59e41b1c4094c4a4c3981ef83a123d2868e2f87d16d5b49d64

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
596KB

MD5
f2b369f2ec39ea6343331f3209a21c3f

SHA1
a67cbd1cb69d036cc5ebf3f82b6d7354bd15425f

SHA256
8880501a4ea3e7811b50489bd7b30c52517d8ffcef0f8f23f28cf632dac4acd8

SHA512
820098418007115f468c2f4dfc1af8f543c2297127029e486ee646496e12497628ea97fd083794177ba5b2297ac939b97e56a6ccfd042a9b1e2d906c3e9f6522

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
607KB

MD5
20b3aee6ef8e8f6a1480f382d47b51f0

SHA1
3b7f2ae9563dad3dc0f9b8a860d74929c059abe3

SHA256
566929937a0d8918ea7c2c7855dd1803cc6ec95fbb6bdcee5b81312ae2f8046c

SHA512
b922081c0fb7cec7c3c7882aee30534712b21fca768c4f0a8be7c772fc9b5c4654e6bdf8401dd8a62d237a0575ff7835093d50ca333226f94bf845287f5e5c94

Download Submit
memory/1768-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4696-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download