36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d

General

Target

36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe
Size

623KB
MD5

0e3032eb8d5e9402786852acea00c450
SHA1

b39591df4b70a4a69c2647e50f1196e5c2e2ac89
SHA256

36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d
SHA512

38f8abb9f4ad97a5b75d3a54a62c7a4805e99ee3ebb0caebf97cfe5b178fb5efe783b5464d43175339eb4f500de47bc0d54702427270963e11ba707d504449cb
SSDEEP

3072:vtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQuoYKN6LSSe9o6Y:luj8NDF3OR9/Qe2HdklruoYk6LReM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

casino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.exe

pid process

3688 casino_extensions.exe
2284 Casino_ext.exe
1720 casino_extensions.exe
1400 Casino_ext.exe
2876 LiveMessageCenter.exe

pid	process
3688	casino_extensions.exe
2284	Casino_ext.exe
1720	casino_extensions.exe
1400	Casino_ext.exe
2876	LiveMessageCenter.exe

Drops file in System32 directory 9 IoCs

Processes:

casino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

Processes:

casino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Casino_ext.exeCasino_ext.exeLiveMessageCenter.exe

pid process

2284 Casino_ext.exe
2284 Casino_ext.exe
1400 Casino_ext.exe
1400 Casino_ext.exe
2876 LiveMessageCenter.exe
2876 LiveMessageCenter.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe

pid process

1616 36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe

pid	process
2284	Casino_ext.exe
2284	Casino_ext.exe
1400	Casino_ext.exe
1400	Casino_ext.exe
2876	LiveMessageCenter.exe
2876	LiveMessageCenter.exe

pid	process
1616	36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.exeLiveMessageCenter.execasino_extensions.exe

description	pid	process	target process
PID 1616 wrote to memory of 2564	1616	36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe	casino_extensions.exe
PID 1616 wrote to memory of 2564	1616	36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe	casino_extensions.exe
PID 1616 wrote to memory of 2564	1616	36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe	casino_extensions.exe
PID 2564 wrote to memory of 3688	2564	casino_extensions.exe	casino_extensions.exe
PID 2564 wrote to memory of 3688	2564	casino_extensions.exe	casino_extensions.exe
PID 2564 wrote to memory of 3688	2564	casino_extensions.exe	casino_extensions.exe
PID 3688 wrote to memory of 2284	3688	casino_extensions.exe	Casino_ext.exe
PID 3688 wrote to memory of 2284	3688	casino_extensions.exe	Casino_ext.exe
PID 3688 wrote to memory of 2284	3688	casino_extensions.exe	Casino_ext.exe
PID 2284 wrote to memory of 4684	2284	Casino_ext.exe	casino_extensions.exe
PID 2284 wrote to memory of 4684	2284	Casino_ext.exe	casino_extensions.exe
PID 2284 wrote to memory of 4684	2284	Casino_ext.exe	casino_extensions.exe
PID 4684 wrote to memory of 1720	4684	casino_extensions.exe	casino_extensions.exe
PID 4684 wrote to memory of 1720	4684	casino_extensions.exe	casino_extensions.exe
PID 4684 wrote to memory of 1720	4684	casino_extensions.exe	casino_extensions.exe
PID 1720 wrote to memory of 1400	1720	casino_extensions.exe	Casino_ext.exe
PID 1720 wrote to memory of 1400	1720	casino_extensions.exe	Casino_ext.exe
PID 1720 wrote to memory of 1400	1720	casino_extensions.exe	Casino_ext.exe
PID 1400 wrote to memory of 2172	1400	Casino_ext.exe	casino_extensions.exe
PID 1400 wrote to memory of 2172	1400	Casino_ext.exe	casino_extensions.exe
PID 1400 wrote to memory of 2172	1400	Casino_ext.exe	casino_extensions.exe
PID 2172 wrote to memory of 2876	2172	casino_extensions.exe	LiveMessageCenter.exe
PID 2172 wrote to memory of 2876	2172	casino_extensions.exe	LiveMessageCenter.exe
PID 2172 wrote to memory of 2876	2172	casino_extensions.exe	LiveMessageCenter.exe
PID 2876 wrote to memory of 3940	2876	LiveMessageCenter.exe	casino_extensions.exe
PID 2876 wrote to memory of 3940	2876	LiveMessageCenter.exe	casino_extensions.exe
PID 2876 wrote to memory of 3940	2876	LiveMessageCenter.exe	casino_extensions.exe
PID 3940 wrote to memory of 4592	3940	casino_extensions.exe	cmd.exe
PID 3940 wrote to memory of 4592	3940	casino_extensions.exe	cmd.exe
PID 3940 wrote to memory of 4592	3940	casino_extensions.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe
"C:\Users\Admin\AppData\Local\Temp\36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1616

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\Casino_ext.exe
C:\Windows\SysWOW64\Casino_ext.exe
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
8⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\LiveMessageCenter.exe
C:\Windows\system32\LiveMessageCenter.exe /part2
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
10⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c $$2028~1.BAT
11⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2668,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:3392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
624KB

MD5
7c71263ac8a0a730953e80e6ada265a5

SHA1
5b4ac8b4fc74e25dc0f332c57feadb962b869970

SHA256
7c98ffdd263c41c04701e61447f694f4a3e46734f261c6718d3edc63ef621531

SHA512
21ae8d06fc6ef8f5813b4cea1d31f6d403e8e0eea7155b0d02bd9c5b42f16e7326f5bd7d7fb740dc9909a91ba6f2aad21e9d872a1485c16066386e60bd7b7aba

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
633KB

MD5
6ba2c22b0a42d0f14d78f973e3bad7ec

SHA1
5339f77c86095fec6010de35b2eb691070ce860c

SHA256
4bfe41a3f27c44e4a26e8520032419be1cd26c2061d2fc560cbffcdd9fbdceca

SHA512
e2873aa11619889ff9ef5d75d3a940562ae8f71ad1c89fc5a9ff211c6dfe36e22d9e722bbd54cfe83656322b84c381272114b00e3fa278d28a0bd806b77fa569

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
635KB

MD5
25231ae71efe42f8b3924458d1faf690

SHA1
8dd05e7ac01aeaecea32450f4e63830edac41667

SHA256
75bf3a0ab9ab2f6baad611dae195189e209a177ede0ff9cb21c7f2b6d8b2b66b

SHA512
c5c9aa0dc99e0c568e15a077d4542cf7452397dd911866af56f9a2032de217356be68f0aec29e9fd56e2890f0137a7fc7722905845ed785ff413af9ab76525ff

Download Submit
memory/1616-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3688-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads