6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd

General

Target

6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe
Size

721KB
MD5

148c39f140195b30df2b24bb102fa6a0
SHA1

f617320e294fbb43e7e23683f9e510de3004e0bc
SHA256

6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd
SHA512

c6cbef8ce0cac0ea7e9f6ff781a9b9ed822c8b27b307ba1d99dcd9529bbad593bb6fbc0cafe7dfdfd6c5e7d2ed679aebf76fe5e3cf4ce4591de6433620472d67
SSDEEP

3072:rtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWZ:huj8NDF3OR9/Qe2Hdklrn4K3eP7Z

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2512 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

casino_extensions.exeLiveMessageCenter.exe

pid process

2712 casino_extensions.exe
2524 LiveMessageCenter.exe
Loads dropped DLL 4 IoCs

Processes:

casino_extensions.execasino_extensions.exe

pid process

2908 casino_extensions.exe
2908 casino_extensions.exe
3052 casino_extensions.exe
3052 casino_extensions.exe

pid	process
2512	cmd.exe

pid	process
2712	casino_extensions.exe
2524	LiveMessageCenter.exe

pid	process
2908	casino_extensions.exe
2908	casino_extensions.exe
3052	casino_extensions.exe
3052	casino_extensions.exe

Drops file in System32 directory 7 IoCs

Processes:

casino_extensions.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

Processes:

casino_extensions.exeLiveMessageCenter.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

LiveMessageCenter.exe

pid process

2524 LiveMessageCenter.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe

pid process

1620 6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe

pid	process
2524	LiveMessageCenter.exe

pid	process
1620	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.execasino_extensions.execasino_extensions.execasino_extensions.exeLiveMessageCenter.execasino_extensions.exe

description	pid	process	target process
PID 1620 wrote to memory of 2908	1620	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe	casino_extensions.exe
PID 1620 wrote to memory of 2908	1620	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe	casino_extensions.exe
PID 1620 wrote to memory of 2908	1620	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe	casino_extensions.exe
PID 1620 wrote to memory of 2908	1620	6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe	casino_extensions.exe
PID 2908 wrote to memory of 2712	2908	casino_extensions.exe	casino_extensions.exe
PID 2908 wrote to memory of 2712	2908	casino_extensions.exe	casino_extensions.exe
PID 2908 wrote to memory of 2712	2908	casino_extensions.exe	casino_extensions.exe
PID 2908 wrote to memory of 2712	2908	casino_extensions.exe	casino_extensions.exe
PID 2712 wrote to memory of 3052	2712	casino_extensions.exe	casino_extensions.exe
PID 2712 wrote to memory of 3052	2712	casino_extensions.exe	casino_extensions.exe
PID 2712 wrote to memory of 3052	2712	casino_extensions.exe	casino_extensions.exe
PID 2712 wrote to memory of 3052	2712	casino_extensions.exe	casino_extensions.exe
PID 3052 wrote to memory of 2524	3052	casino_extensions.exe	LiveMessageCenter.exe
PID 3052 wrote to memory of 2524	3052	casino_extensions.exe	LiveMessageCenter.exe
PID 3052 wrote to memory of 2524	3052	casino_extensions.exe	LiveMessageCenter.exe
PID 3052 wrote to memory of 2524	3052	casino_extensions.exe	LiveMessageCenter.exe
PID 2524 wrote to memory of 2616	2524	LiveMessageCenter.exe	casino_extensions.exe
PID 2524 wrote to memory of 2616	2524	LiveMessageCenter.exe	casino_extensions.exe
PID 2524 wrote to memory of 2616	2524	LiveMessageCenter.exe	casino_extensions.exe
PID 2524 wrote to memory of 2616	2524	LiveMessageCenter.exe	casino_extensions.exe
PID 2616 wrote to memory of 2512	2616	casino_extensions.exe	cmd.exe
PID 2616 wrote to memory of 2512	2616	casino_extensions.exe	cmd.exe
PID 2616 wrote to memory of 2512	2616	casino_extensions.exe	cmd.exe
PID 2616 wrote to memory of 2512	2616	casino_extensions.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe
"C:\Users\Admin\AppData\Local\Temp\6ed0a42adc4bf773b99fc58923a0b78948e28d458a1925e65b0b72c72a1faedd.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1620

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\casino_extensions.exe
C:\Windows\system32\casino_extensions.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2712

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\LiveMessageCenter.exe
C:\Windows\system32\LiveMessageCenter.exe /part2
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524

C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
6⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c $$2028~1.BAT
7⤵
- Deletes itself
PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
727KB

MD5
07bb2dbadd5c309a49ff95e2dca0ccb3

SHA1
d0aa1d5a62eaab8cb2b890bb87945452950f382f

SHA256
f4b56b55629b18bf1730fab82e9e44e1db8c8420788b98eb5e412aea25e79d95

SHA512
eeba8c1c14bd857cf1147caf8d7a876d201932826fb050f50304d7fc3327810095a77dbcb7a8a60e9bd56a72d1a4bafc379d8c5bbe66ca4a266cc0a06ff58595

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
724KB

MD5
6278499884369b78ce4b556f3c4c0d0e

SHA1
b6c73f63f1eb6afaa4fc87a2ae70601bb1571043

SHA256
c5a8f80d3ef056bbc7977b2a094502261f7f01121ae7f198c05f942f77cddd57

SHA512
151218fc65ad455f104f8a7fd997b4cff7a702d2eebc8d461c8f05c115dca0f6731edb07a99bcf9e10ac3e640f52b4650d80409691c823871edfd58f6dcc70c6

Download Submit
memory/1620-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads