Analysis
  max time kernel: 150s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 25/05/2024, 01:10

Static task: static1

Behavioral task: behavioral1
  Sample: 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe
  Resource: win10v2004-20240508-en

General
  Target: 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe
  Size: 846KB
  MD5: 32a9877928fa90596a32d4a11450ff63
  SHA1: b37f7cdeae88f8a76c625ce5ff00556cee8c74cb
  SHA256: 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17
  SHA512: 1a9683e86de0729e65e6644bde440e4ebd1b6815df4bbafef0d860eaceb378087ae6ba64a3806b19f0961413760a47a4f21ceb6ba298ea52fcec50ea06a0a944
  SSDEEP: 6144:9uj8NDF3OR9/Qe2HdJ8pS2ts8UxILaOTq:UOF3ORK3d12ts8U6LaOTq
Malware Config
Signatures

  Detects executables packed with ASPack (3 IoCs)
    resource | yara_rule
    behavioral1/files/0x000c000000014f71-3.dat | INDICATOR_EXE_Packed_ASPack
    behavioral1/memory/2756-23-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_ASPack
    behavioral1/memory/2756-26-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_ASPack

  Executes dropped EXE (1 IoC)
    pid | Process
    1708 | casino_extensions.exe

  Loads dropped DLL (2 IoCs)
    pid | Process
    2076 | casino_extensions.exe
    2076 | casino_extensions.exe

  Drops file in System32 directory (6 IoCs)
    description | ioc | Process
    File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
    File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
    File created | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
    File opened for modification | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
    File opened for modification | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
    File created | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe

  Drops file in Program Files directory (3 IoCs)
    description | ioc | Process
    File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
    File created | C:\Program Files (x86)\Internet Explorer\$$202803s.bat | casino_extensions.exe
    File created | C:\Program Files (x86)\Internet Explorer\$$202803s.bat | casino_extensions.exe

  Program crash (1 IoC)
    pid | pid_target | Process | procid_target
    2648 | 2076 | WerFault.exe | 28

  Suspicious behavior: RenamesItself (1 IoC)
    pid | Process
    2756 | 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe

  Suspicious use of WriteProcessMemory (20 IoCs; each row below is logged 4 times in the report)
    description | pid | Process | procid_target
    PID 2756 wrote to memory of 2076 | 2756 | 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe | 28
    PID 2076 wrote to memory of 1708 | 2076 | casino_extensions.exe | 29
    PID 1708 wrote to memory of 2620 | 1708 | casino_extensions.exe | 30
    PID 2620 wrote to memory of 2536 | 2620 | casino_extensions.exe | 31
    PID 2076 wrote to memory of 2648 | 2076 | casino_extensions.exe | 33
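The ASPack hit above comes from the sandbox's INDICATOR_EXE_Packed_ASPack YARA rule firing on both the dropped file and two memory dumps of PID 2756. A cheap first-pass check a triager can run locally, added here as an example and not taken from the report or from that rule, is to read the PE section table and look for the section names ASPack commonly leaves behind (".aspack" and ".adata"). The parser below is stdlib-only; the header-only PE image built by build_minimal_pe() is constructed sample input, not the submitted sample. Section names are trivial for an author to rename, and the rule also matched the process's memory dumps, so treat a negative result as "no naming artefact", not "not packed".

```python
"""Triage check for the ASPack section-table artefact.

Added example, not part of the sandbox report. ASPack rewrites the packed
image's section table, and packed binaries commonly carry sections named
".aspack" and ".adata"; this stdlib-only parser reads just enough of the PE
headers to list section names and report whether those markers are present.
The header-only image built by build_minimal_pe() is constructed sample input,
not the submitted sample.
"""
from __future__ import annotations

import struct

ASPACK_SECTION_NAMES = {b".aspack", b".adata"}


def pe_section_names(data: bytes) -> list[bytes]:
    """Return the section names from the section table, in file order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # IMAGE_FILE_HEADER starts right after the 4-byte signature:
    # NumberOfSections is at +2 and SizeOfOptionalHeader at +16 within it.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 4 + 2)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 4 + 16)[0]
    table = e_lfanew + 4 + 20 + opt_size   # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40               # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]            # Name is the first 8 bytes, NUL padded
        if len(raw) < 8:
            raise ValueError("section table runs past end of file")
        names.append(raw.rstrip(b"\0"))
    return names


def aspack_markers(data: bytes) -> set[bytes]:
    """Section names in the image that match the ASPack naming artefact."""
    return ASPACK_SECTION_NAMES & set(pe_section_names(data))


def is_aspack_packed(data: bytes) -> bool:
    """True when at least one ASPack-style section name is present."""
    return bool(aspack_markers(data))


def build_minimal_pe(section_names: list[bytes]) -> bytes:
    """Constructed header-only PE32 image (no section data) for demonstration."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\0" * 222   # PE32 optional header, 224 bytes
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names),
                              0, 0, 0, len(optional), 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + file_header + optional + sections


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                  # a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(sys.argv[1], pe_section_names(blob),
              "ASPack markers:", sorted(aspack_markers(blob)))
    else:                                  # constructed demonstration inputs
        for names in ([b".aspack", b".adata", b".rsrc"], [b".text", b".rdata", b".data"]):
            print(names, "->", is_aspack_packed(build_minimal_pe(names)))
```

Run it against the dropped casino_extensions.exe once you have the file; the memory dumps the rule matched are a different artefact (the unpacking stub in the mapped image) and need the YARA rule or an entry-point byte check rather than a section-name lookup.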
Processes

  1. C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe"
     PID 2756
     - Suspicious behavior: RenamesItself
     - Suspicious use of WriteProcessMemory

    2. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
       command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
       PID 2076
       - Loads dropped DLL
       - Drops file in System32 directory
       - Drops file in Program Files directory
       - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\casino_extensions.exe
         command line: C:\Windows\system32\casino_extensions.exe
         (the command line names system32, but the 32-bit parent is subject to WOW64 file system redirection, so the image actually launched is the SysWOW64 copy)
         PID 1708
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious use of WriteProcessMemory

        4. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
           command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
           PID 2620
           - Drops file in System32 directory
           - Drops file in Program Files directory
           - Suspicious use of WriteProcessMemory

          5. C:\Windows\SysWOW64\cmd.exe
             command line: cmd /c $$2028~1.BAT
             ($$2028~1.BAT is the 8.3 short name of the dropped $$202803s.bat)
             PID 2536

      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 236
         PID 2648
         - Program crash
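The WriteProcessMemory rows and the process list above describe one chain: the sample in Temp launches a copy under Program Files (x86)\Internet Explorer, that copy launches the SysWOW64 copy, which launches the Program Files copy again, which runs the dropped batch file; the Program Files copy then crashes. Reconstructing that chain from the raw rows and flagging the hops where a child runs from a path the chain itself dropped is the kind of check worth automating. The script below is an added example, not part of the report; the event rows, the PID-to-image map and the dropped-file paths are transcribed from the sections above and embedded as constructed input. Note that the report records the same parent/child pair four times; the example counts repeats per edge rather than reading each row as a separate injection, and you should confirm that pattern in the raw log before treating repeated writes to one PID as evidence of code injection.

```python
"""Rebuild the process chain from the report's WriteProcessMemory rows and
flag the self-replicating copies.

Added example, not part of the sandbox report. The event rows, the PID->image
map and the dropped-file paths are transcribed from the report and embedded
here as constructed input.
"""
from __future__ import annotations

import ntpath
import re
from collections import Counter

SAMPLE = "99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe"

# The five distinct rows from the report; the sandbox logged each one four times.
_DISTINCT_ROWS = [
    f"PID 2756 wrote to memory of 2076 2756 {SAMPLE} 28",
    "PID 2076 wrote to memory of 1708 2076 casino_extensions.exe 29",
    "PID 1708 wrote to memory of 2620 1708 casino_extensions.exe 30",
    "PID 2620 wrote to memory of 2536 2620 casino_extensions.exe 31",
    "PID 2076 wrote to memory of 2648 2076 casino_extensions.exe 33",
]
EVENT_LOG = "\n".join(row for row in _DISTINCT_ROWS for _ in range(4))

# "PID <writer> wrote to memory of <target> <writer> <process> <procid_target>"
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

# PID -> image path, from the Processes section of the report.
IMAGES = {
    2756: r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE,
    2076: r"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe",
    1708: r"C:\Windows\SysWOW64\casino_extensions.exe",
    2620: r"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe",
    2536: r"C:\Windows\SysWOW64\cmd.exe",
    2648: r"C:\Windows\SysWOW64\WerFault.exe",
}

# Paths from the "Drops file in ..." signatures.
DROPPED = {
    r"C:\Windows\SysWOW64\casino_extensions.exe",
    r"C:\Windows\SysWOW64\LiveMessageCenter.exe",
    r"C:\Program Files (x86)\Internet Explorer\casino_extensions.exe",
    r"C:\Program Files (x86)\Internet Explorer\$$202803s.bat",
}


def parse_events(text: str) -> Counter:
    """Count (writer_pid, target_pid) edges; repeated rows become a count, not new edges."""
    edges: Counter = Counter()
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue
        edges[(int(m.group(1)), int(m.group(2)))] += 1
    return edges


def build_tree(edges: Counter) -> dict[int, list[int]]:
    """Parent -> children, in first-seen order."""
    children: dict[int, list[int]] = {}
    for writer, target in edges:
        children.setdefault(writer, []).append(target)
    return children


def root_pids(edges: Counter) -> set[int]:
    """Processes that wrote to others but were never written to (the chain roots)."""
    return {w for w, _ in edges} - {t for _, t in edges}


def preorder(pid: int, children: dict[int, list[int]]) -> list[int]:
    """Depth-first listing of a subtree, parent before its children."""
    out = [pid]
    for child in children.get(pid, []):
        out.extend(preorder(child, children))
    return out


def flag_self_copies(edges: Counter, images: dict[int, str],
                     dropped: set[str]) -> dict[tuple[int, int], list[str]]:
    """Flag an edge when the child runs from a path this chain dropped, or when it
    relaunches the parent's own image name from a different directory."""
    dropped_lc = {p.lower() for p in dropped}
    flagged: dict[tuple[int, int], list[str]] = {}
    for writer, target in edges:
        parent, child = images.get(writer, ""), images.get(target, "")
        if not child:
            continue
        reasons = []
        if child.lower() in dropped_lc:
            reasons.append("child image was dropped by this chain")
        p_dir, p_name = ntpath.split(parent)
        c_dir, c_name = ntpath.split(child)
        if p_name.lower() == c_name.lower() and p_dir.lower() != c_dir.lower():
            reasons.append("same image name relaunched from another directory")
        if reasons:
            flagged[(writer, target)] = reasons
    return flagged


def render(children: dict[int, list[int]], images: dict[int, str],
           pid: int, depth: int = 0) -> list[str]:
    """Indented text tree, one process per line."""
    lines = [f"{'  ' * depth}{pid}  {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges = parse_events(EVENT_LOG)
    tree = build_tree(edges)
    for root in sorted(root_pids(edges)):
        print("\n".join(render(tree, IMAGES, root)))
    for (w, t), why in flag_self_copies(edges, IMAGES, DROPPED).items():
        print(f"{w} -> {t} (x{edges[(w, t)]} rows): {'; '.join(why)}")
```

On this report the flagged edges are 2756 to 2076, 2076 to 1708 and 1708 to 2620; the cmd.exe and WerFault.exe launches are not flagged because their images are system binaries the chain did not write, even though the batch file cmd.exe runs is one of the dropped files.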
Network
MITRE ATT&CK Matrix
Downloads

  Filesize: 81B
  MD5: 4777bf695815d870d27ed4a38a8f0840
  SHA1: 565412b5182bca7a221448dba78369c42d1c4a0c
  SHA256: c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
  SHA512: 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

  Filesize: 854KB
  MD5: b5f50169d28bad7fcf9933e501073a3a
  SHA1: 694839ad32c783cae3b9c3bb348f2119e51b7af2
  SHA256: 723e8dd5cff6f58f118a4ccd240289ce51baf6df9e09bf76182a776694bef106
  SHA512: a1719068603a7fa57149c48257eaf2a16659c44e4b9e2b6be349d006189af1e74a400145a95cf94834f0d761024fdc1c64e9d80ed0ec53392fc1f5a6a3a45231

  Filesize: 850KB
  MD5: 04ca26dd1d4c47f762472821939ce72b
  SHA1: 6f2a9d11a61b584001f83b584287928c10fc133f
  SHA256: 5a40580bbb3a3812523c0bd08dc5035deca878992b8b1b7e585f897a9ba9d15a
  SHA512: d237225187ea608fa7c8d14222512fd2c7b190fcea89882bc5bb1476b041feb885c0d1fb437803ad8b88d2363591c322bb2be2ab6dee2d3c947bf2ff22a1e5ee