4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe
Size

715KB
MD5

9f097dabc838e75a9c4216ec60b6c460
SHA1

7f6cafc761e2a237138a429fcb1648b16fa3df84
SHA256

4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a
SHA512

814ecd5231908cd8b6588b19b774f03e04b7fabc4f7204c10e9e0d1dbdf4f24a9a4a01480ddc64f86b9cc435531bb2cd6fd657e2a8bff84a9267582b27105aaf
SSDEEP

3072:htwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWy:buj8NDF3OR9/Qe2Hdklrn4K3eP7y

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 4 IoCs

resource	yara_rule
behavioral1/files/0x000d0000000144e9-3.dat	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2844-12-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2164-13-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0007000000014e5a-21.dat	INDICATOR_EXE_Packed_ASPack

Deletes itself 1 IoCs

pid	Process
2484	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2844	casino_extensions.exe
2920	Casino_ext.exe
2520	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2172	casino_extensions.exe
2172	casino_extensions.exe
2612	casino_extensions.exe
2612	casino_extensions.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2920	Casino_ext.exe
2520	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2164	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2172	2164	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe	28
PID 2164 wrote to memory of 2172	2164	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe	28
PID 2164 wrote to memory of 2172	2164	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe	28
PID 2164 wrote to memory of 2172	2164	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe	28
PID 2172 wrote to memory of 2844	2172	casino_extensions.exe	29
PID 2172 wrote to memory of 2844	2172	casino_extensions.exe	29
PID 2172 wrote to memory of 2844	2172	casino_extensions.exe	29
PID 2172 wrote to memory of 2844	2172	casino_extensions.exe	29
PID 2844 wrote to memory of 2920	2844	casino_extensions.exe	30
PID 2844 wrote to memory of 2920	2844	casino_extensions.exe	30
PID 2844 wrote to memory of 2920	2844	casino_extensions.exe	30
PID 2844 wrote to memory of 2920	2844	casino_extensions.exe	30
PID 2920 wrote to memory of 2612	2920	Casino_ext.exe	31
PID 2920 wrote to memory of 2612	2920	Casino_ext.exe	31
PID 2920 wrote to memory of 2612	2920	Casino_ext.exe	31
PID 2920 wrote to memory of 2612	2920	Casino_ext.exe	31
PID 2612 wrote to memory of 2520	2612	casino_extensions.exe	32
PID 2612 wrote to memory of 2520	2612	casino_extensions.exe	32
PID 2612 wrote to memory of 2520	2612	casino_extensions.exe	32
PID 2612 wrote to memory of 2520	2612	casino_extensions.exe	32
PID 2520 wrote to memory of 2600	2520	LiveMessageCenter.exe	33
PID 2520 wrote to memory of 2600	2520	LiveMessageCenter.exe	33
PID 2520 wrote to memory of 2600	2520	LiveMessageCenter.exe	33
PID 2520 wrote to memory of 2600	2520	LiveMessageCenter.exe	33
PID 2600 wrote to memory of 2484	2600	casino_extensions.exe	34
PID 2600 wrote to memory of 2484	2600	casino_extensions.exe	34
PID 2600 wrote to memory of 2484	2600	casino_extensions.exe	34
PID 2600 wrote to memory of 2484	2600	casino_extensions.exe	34

C:\Users\Admin\AppData\Local\Temp\4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe
"C:\Users\Admin\AppData\Local\Temp\4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        7⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        8⤵
        Deletes itself
        
        PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
724KB

MD5
22fdc9368859a6c472e4b3c9c0fca25e

SHA1
70b0859604ef5d14230079629f9adfa48e3174aa

SHA256
ca0b62685bf6ede918626b6c9e72f15a1a5fbeacf9deaf67e22bb82f234ecdd1

SHA512
59c91cb1cbaf11f2b9b78ca6287df9b14a0f3866ac7780c6ce0f20ce23351bf14d9932da857deae8123c9f985474853f26ea43ce459ec3b296468e9695df64d9

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
730KB

MD5
d5e7537ba88129d7863db2fb9a3b175b

SHA1
c6f3099ad44cbc5bb7a63b16655b49c0d65a2252

SHA256
22440a96b04697da6c4436237723390aab7c9b1fb72d615011a320c4a4d1b786

SHA512
15288b8a0d0c910bab2fd17dffcd53dde85d26e7ae5f08552184a7ca5c9adaea49012a744d859ab90dc254198ea0c269d91adfa6ee036621359b8a95fe8d80ca

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
730KB

MD5
4308251ed0ad75531904cc3f4e973c33

SHA1
098da5747e41427ba6930cea76d1366f3e221ff6

SHA256
b4a8f7a48f8855c0a68af4b394b5dd588eb34e6d03fb9fd805fc384ab3bff526

SHA512
a36e45f050a87583f1e2b5133f6d5d2aac930f7f96a670d928e91b684626cc30d5f5bc211b8a07929604f0266bdff262ffaf521840d2734fe68f4d72f331918c

Download Submit
memory/2164-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2844-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download