4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a

General

Target

4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe
Size

715KB
MD5

9f097dabc838e75a9c4216ec60b6c460
SHA1

7f6cafc761e2a237138a429fcb1648b16fa3df84
SHA256

4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a
SHA512

814ecd5231908cd8b6588b19b774f03e04b7fabc4f7204c10e9e0d1dbdf4f24a9a4a01480ddc64f86b9cc435531bb2cd6fd657e2a8bff84a9267582b27105aaf
SSDEEP

3072:htwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWy:buj8NDF3OR9/Qe2Hdklrn4K3eP7y

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 4 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-4.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1108-8-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/1044-7-0x0000000000400000-0x0000000000425000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x00070000000233e5-13.dat	INDICATOR_EXE_Packed_ASPack

Executes dropped EXE 4 IoCs

pid	Process
1044	casino_extensions.exe
2084	Casino_ext.exe
2968	casino_extensions.exe
3996	Casino_ext.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2084	Casino_ext.exe
2084	Casino_ext.exe
3996	Casino_ext.exe
3996	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1108	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 3240	1108	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe	83
PID 1108 wrote to memory of 3240	1108	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe	83
PID 1108 wrote to memory of 3240	1108	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe	83
PID 3240 wrote to memory of 1044	3240	casino_extensions.exe	84
PID 3240 wrote to memory of 1044	3240	casino_extensions.exe	84
PID 3240 wrote to memory of 1044	3240	casino_extensions.exe	84
PID 1044 wrote to memory of 2084	1044	casino_extensions.exe	85
PID 1044 wrote to memory of 2084	1044	casino_extensions.exe	85
PID 1044 wrote to memory of 2084	1044	casino_extensions.exe	85
PID 2084 wrote to memory of 2200	2084	Casino_ext.exe	86
PID 2084 wrote to memory of 2200	2084	Casino_ext.exe	86
PID 2084 wrote to memory of 2200	2084	Casino_ext.exe	86
PID 2200 wrote to memory of 2968	2200	casino_extensions.exe	87
PID 2200 wrote to memory of 2968	2200	casino_extensions.exe	87
PID 2200 wrote to memory of 2968	2200	casino_extensions.exe	87
PID 2968 wrote to memory of 3996	2968	casino_extensions.exe	88
PID 2968 wrote to memory of 3996	2968	casino_extensions.exe	88
PID 2968 wrote to memory of 3996	2968	casino_extensions.exe	88
PID 3996 wrote to memory of 1460	3996	Casino_ext.exe	89
PID 3996 wrote to memory of 1460	3996	Casino_ext.exe	89
PID 3996 wrote to memory of 1460	3996	Casino_ext.exe	89
PID 1460 wrote to memory of 2256	1460	casino_extensions.exe	91
PID 1460 wrote to memory of 2256	1460	casino_extensions.exe	91
PID 1460 wrote to memory of 2256	1460	casino_extensions.exe	91

C:\Users\Admin\AppData\Local\Temp\4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe
"C:\Users\Admin\AppData\Local\Temp\4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        9⤵
        
        PID:2256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
716KB

MD5
a3de6782b0014890060a3b941cb96c7f

SHA1
469c32f6f5f59d8dd0775bee5a450c10306f7bf1

SHA256
848350b9285ee90b254d745b45c912872dc74866e8e43e002b097cdbe634e9e5

SHA512
30445884abb65b69e2e90437bfd9e060b04fbb75ebe35afb44fc9291a5929245459a99495b8de51c18fe5578cf442e635b75e6f098f85308c97e7a273683efbc

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
726KB

MD5
82d9e1b3cd912ecbadcf615f00d9157a

SHA1
099b42cecef44ba10bfd8a43f939422a58704b9a

SHA256
5b283320f8a544e48d69b9eda6c60c7d8420b99321a09fdfff708e697b0c7985

SHA512
68055a257ab0003c57938e3a9249da89ec1f6d2b501d87002a1267be411cb485a313eea0ab4eec206c050d715f3289faf16e149cb4247ed1cf7d7f57a7a29bf8

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
723KB

MD5
2672517338fe549bd5204e2982f2fb96

SHA1
414e05e0ed3ac78e6e36a45dff0a0e45ce43c184

SHA256
dfdebb8490c915f0a6b8493afc9bbd5162d377ed994d0fc2480b5ad9938d05b5

SHA512
0235d43ec83eae2873cfb784b7861fe1403aa8a3a0b59a018d02e7d1ef4bc6412a736a2cb83f7674fd945df0395c4d4845b2e7ebf04fcb7223cf9278297eb62c

Download Submit
memory/1044-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1108-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing