60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 23:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104.exe
Size

979KB
MD5

79497e6810e40eac25716164ce78d221
SHA1

381bceb264813368a6482e9090a3b8f73e684b9b
SHA256

60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104
SHA512

e9643240ffcffbc1ae10cc9c3db14b8d73a0287e9ad50568ce7b988769bd3f89a0086039f54654f9e5ec38bdcd1390249edd4e16c6ec36433c6321ad90471a9b
SSDEEP

3072:mtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMykw+imi5wxx4Vao2i1dm:6uj8NDF3OR9/Qe2HdJ8pS4ofWdii6Qr/

Score

9^/10

Malware Config

Signatures

Detects executables packed with ASPack 5 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022f51-5.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/3592-7-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/memory/4836-8-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0007000000023406-13.dat	INDICATOR_EXE_Packed_ASPack
behavioral2/files/0x0007000000023407-20.dat	INDICATOR_EXE_Packed_ASPack

Executes dropped EXE 17 IoCs

pid	Process
3592	casino_extensions.exe
860	Casino_ext.exe
1116	casino_extensions.exe
3384	Casino_ext.exe
5108	LiveMessageCenter.exe
1472	casino_extensions.exe
1796	Casino_ext.exe
3208	casino_extensions.exe
1384	Casino_ext.exe
864	LiveMessageCenter.exe
1376	casino_extensions.exe
3080	Casino_ext.exe
2692	casino_extensions.exe
4580	Casino_ext.exe
548	LiveMessageCenter.exe
2472	casino_extensions.exe
4980	Casino_ext.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
860	Casino_ext.exe
860	Casino_ext.exe
3384	Casino_ext.exe
3384	Casino_ext.exe
5108	LiveMessageCenter.exe
5108	LiveMessageCenter.exe
1796	Casino_ext.exe
1796	Casino_ext.exe
1384	Casino_ext.exe
1384	Casino_ext.exe
864	LiveMessageCenter.exe
864	LiveMessageCenter.exe
3080	Casino_ext.exe
3080	Casino_ext.exe
4580	Casino_ext.exe
4580	Casino_ext.exe
548	LiveMessageCenter.exe
548	LiveMessageCenter.exe
4980	Casino_ext.exe
4980	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4836	60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1616	4836	60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104.exe	83
PID 4836 wrote to memory of 1616	4836	60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104.exe	83
PID 4836 wrote to memory of 1616	4836	60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104.exe	83
PID 1616 wrote to memory of 3592	1616	casino_extensions.exe	84
PID 1616 wrote to memory of 3592	1616	casino_extensions.exe	84
PID 1616 wrote to memory of 3592	1616	casino_extensions.exe	84
PID 3592 wrote to memory of 860	3592	casino_extensions.exe	85
PID 3592 wrote to memory of 860	3592	casino_extensions.exe	85
PID 3592 wrote to memory of 860	3592	casino_extensions.exe	85
PID 860 wrote to memory of 4508	860	Casino_ext.exe	87
PID 860 wrote to memory of 4508	860	Casino_ext.exe	87
PID 860 wrote to memory of 4508	860	Casino_ext.exe	87
PID 4508 wrote to memory of 1116	4508	casino_extensions.exe	88
PID 4508 wrote to memory of 1116	4508	casino_extensions.exe	88
PID 4508 wrote to memory of 1116	4508	casino_extensions.exe	88
PID 1116 wrote to memory of 3384	1116	casino_extensions.exe	89
PID 1116 wrote to memory of 3384	1116	casino_extensions.exe	89
PID 1116 wrote to memory of 3384	1116	casino_extensions.exe	89
PID 3384 wrote to memory of 3916	3384	Casino_ext.exe	91
PID 3384 wrote to memory of 3916	3384	Casino_ext.exe	91
PID 3384 wrote to memory of 3916	3384	Casino_ext.exe	91
PID 3916 wrote to memory of 5108	3916	casino_extensions.exe	92
PID 3916 wrote to memory of 5108	3916	casino_extensions.exe	92
PID 3916 wrote to memory of 5108	3916	casino_extensions.exe	92
PID 5108 wrote to memory of 3380	5108	LiveMessageCenter.exe	93
PID 5108 wrote to memory of 3380	5108	LiveMessageCenter.exe	93
PID 5108 wrote to memory of 3380	5108	LiveMessageCenter.exe	93
PID 3380 wrote to memory of 1472	3380	casino_extensions.exe	94
PID 3380 wrote to memory of 1472	3380	casino_extensions.exe	94
PID 3380 wrote to memory of 1472	3380	casino_extensions.exe	94
PID 1472 wrote to memory of 1796	1472	casino_extensions.exe	95
PID 1472 wrote to memory of 1796	1472	casino_extensions.exe	95
PID 1472 wrote to memory of 1796	1472	casino_extensions.exe	95
PID 1796 wrote to memory of 3904	1796	Casino_ext.exe	96
PID 1796 wrote to memory of 3904	1796	Casino_ext.exe	96
PID 1796 wrote to memory of 3904	1796	Casino_ext.exe	96
PID 3904 wrote to memory of 3208	3904	casino_extensions.exe	97
PID 3904 wrote to memory of 3208	3904	casino_extensions.exe	97
PID 3904 wrote to memory of 3208	3904	casino_extensions.exe	97
PID 3208 wrote to memory of 1384	3208	casino_extensions.exe	98
PID 3208 wrote to memory of 1384	3208	casino_extensions.exe	98
PID 3208 wrote to memory of 1384	3208	casino_extensions.exe	98
PID 1384 wrote to memory of 452	1384	Casino_ext.exe	99
PID 1384 wrote to memory of 452	1384	Casino_ext.exe	99
PID 1384 wrote to memory of 452	1384	Casino_ext.exe	99
PID 452 wrote to memory of 864	452	casino_extensions.exe	100
PID 452 wrote to memory of 864	452	casino_extensions.exe	100
PID 452 wrote to memory of 864	452	casino_extensions.exe	100
PID 864 wrote to memory of 1672	864	LiveMessageCenter.exe	101
PID 864 wrote to memory of 1672	864	LiveMessageCenter.exe	101
PID 864 wrote to memory of 1672	864	LiveMessageCenter.exe	101
PID 1672 wrote to memory of 1376	1672	casino_extensions.exe	102
PID 1672 wrote to memory of 1376	1672	casino_extensions.exe	102
PID 1672 wrote to memory of 1376	1672	casino_extensions.exe	102
PID 1376 wrote to memory of 3080	1376	casino_extensions.exe	103
PID 1376 wrote to memory of 3080	1376	casino_extensions.exe	103
PID 1376 wrote to memory of 3080	1376	casino_extensions.exe	103
PID 3080 wrote to memory of 4184	3080	Casino_ext.exe	104
PID 3080 wrote to memory of 4184	3080	Casino_ext.exe	104
PID 3080 wrote to memory of 4184	3080	Casino_ext.exe	104
PID 4184 wrote to memory of 2692	4184	casino_extensions.exe	105
PID 4184 wrote to memory of 2692	4184	casino_extensions.exe	105
PID 4184 wrote to memory of 2692	4184	casino_extensions.exe	105
PID 2692 wrote to memory of 4580	2692	casino_extensions.exe	106

C:\Users\Admin\AppData\Local\Temp\60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104.exe
"C:\Users\Admin\AppData\Local\Temp\60db89f38626cc32b4592a6f261428175b63db954c9cf91b1ab677336a63a104.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4508
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        18⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        21⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4580
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        24⤵
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:548
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        26⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        27⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2472
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        28⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4980
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        29⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        30⤵
        
        PID:2872

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
985KB

MD5
0b7208f836bf871331c8c88b8ef8c1d3

SHA1
bfcbc7becf92e5ec892af6d1426b6fb14f8adaa5

SHA256
a5c1d33b0c557a531c8a62730d2a3fa525b981416797bb9b6eae08b7e752a6cb

SHA512
066b452b524003a2ce3b99af091556a51ee3c21ae8a83c4e2e5f02747a1853da3542641c14fe27ff68d0f51f1fd80436a6c4d8181867dbeb77751514ae026f45

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
988KB

MD5
0f96cc8fea416795737a9d9e6f9700e1

SHA1
4fb76bd6a5fa905ffba4fa8ea372ba3472d22e68

SHA256
168cbd01a4ec511a5c0f22c9b4a9920225568b3d074b64f90a0f2d36d3c8f827

SHA512
8eaa2c41ba08956ab03618239dc77268e2d85c2fffd80c244e429d8050a3cbd795445d08206dea4d63e41bb659d6a4a8edc5757a810780a0d5f3f0eea62cde64

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
994KB

MD5
f0507aede0c3834cd914f46173c1ce88

SHA1
98251f1329cd099f4d69ff95db24d53cb2efd9bc

SHA256
b9581ecf8df50802f7c636b9c3a888a6b917e54d2a9c71ac71efbb07981d72a5

SHA512
42dd5eec482da1b505b92fdea7b1dfb6264a1616908f6c834c76df18211c2d784361852321145df756b6bc03216ea10c1664bacf8afd84497b37b34baab75492

Download Submit
memory/3592-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4836-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download