Analysis
- max time kernel: 132s
- max time network: 104s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2024, 01:10
Static task: static1
Behavioral task: behavioral1
- Sample: 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe
- Resource: win10v2004-20240508-en
General
- Target: 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe
- Size: 846KB
- MD5: 32a9877928fa90596a32d4a11450ff63
- SHA1: b37f7cdeae88f8a76c625ce5ff00556cee8c74cb
- SHA256: 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17
- SHA512: 1a9683e86de0729e65e6644bde440e4ebd1b6815df4bbafef0d860eaceb378087ae6ba64a3806b19f0961413760a47a4f21ceb6ba298ea52fcec50ea06a0a944
- SSDEEP: 6144:9uj8NDF3OR9/Qe2HdJ8pS2ts8UxILaOTq:UOF3ORK3d12ts8U6LaOTq
Malware Config
Signatures

- Detects executables packed with ASPack (5 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x0008000000022f51-4.dat: INDICATOR_EXE_Packed_ASPack
  - behavioral2/memory/1312-8-0x0000000000400000-0x0000000000424000-memory.dmp: INDICATOR_EXE_Packed_ASPack
  - behavioral2/files/0x0007000000023413-13.dat: INDICATOR_EXE_Packed_ASPack
  - behavioral2/files/0x0007000000023414-21.dat: INDICATOR_EXE_Packed_ASPack
  - behavioral2/memory/2876-7-0x0000000000400000-0x0000000000424000-memory.dmp: INDICATOR_EXE_Packed_ASPack

- Executes dropped EXE (7 IoCs)
  pid / Process:
  - 1312 casino_extensions.exe
  - 2320 Casino_ext.exe
  - 4936 casino_extensions.exe
  - 4968 Casino_ext.exe
  - 1964 LiveMessageCenter.exe
  - 2420 casino_extensions.exe
  - 5056 Casino_ext.exe

- Drops file in System32 directory (10 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\SysWOW64\casino_extensions.exe (casino_extensions.exe)
  - File opened for modification: C:\Windows\SysWOW64\casino_extensions.exe (casino_extensions.exe)
  - File opened for modification: C:\Windows\SysWOW64\LiveMessageCenter.exe (casino_extensions.exe)
  - File opened for modification: C:\Windows\SysWOW64\casino_extensions.exe (casino_extensions.exe)
  - File opened for modification: C:\Windows\SysWOW64\LiveMessageCenter.exe (casino_extensions.exe)
  - File created: C:\Windows\SysWOW64\casino_extensions.exe (casino_extensions.exe)
  - File opened for modification: C:\Windows\SysWOW64\casino_extensions.exe (casino_extensions.exe)
  - File opened for modification: C:\Windows\SysWOW64\casino_extensions.exe (casino_extensions.exe)
  - File created: C:\Windows\SysWOW64\LiveMessageCenter.exe (casino_extensions.exe)
  - File opened for modification: C:\Windows\SysWOW64\casino_extensions.exe (casino_extensions.exe)

- Drops file in Program Files directory (8 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe (Casino_ext.exe)
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe (LiveMessageCenter.exe)
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe (casino_extensions.exe)
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe (Casino_ext.exe)
  - File created: C:\Program Files (x86)\Internet Explorer\$$202803s.bat (casino_extensions.exe)
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe (casino_extensions.exe)
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe (Casino_ext.exe)
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe (casino_extensions.exe)

- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid / Process:
  - 2320 Casino_ext.exe
  - 2320 Casino_ext.exe
  - 4968 Casino_ext.exe
  - 4968 Casino_ext.exe
  - 1964 LiveMessageCenter.exe
  - 1964 LiveMessageCenter.exe
  - 5056 Casino_ext.exe
  - 5056 Casino_ext.exe

- Suspicious behavior: RenamesItself (1 IoC)
  pid / Process:
  - 2876 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe

- Suspicious use of WriteProcessMemory (39 IoCs)
  description / pid / Process / procid_target:
  - PID 2876 wrote to memory of 2600 (pid 2876, 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe, procid_target 83)
  - PID 2876 wrote to memory of 2600 (pid 2876, 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe, procid_target 83)
  - PID 2876 wrote to memory of 2600 (pid 2876, 99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe, procid_target 83)
  - PID 2600 wrote to memory of 1312 (pid 2600, casino_extensions.exe, procid_target 84)
  - PID 2600 wrote to memory of 1312 (pid 2600, casino_extensions.exe, procid_target 84)
  - PID 2600 wrote to memory of 1312 (pid 2600, casino_extensions.exe, procid_target 84)
  - PID 1312 wrote to memory of 2320 (pid 1312, casino_extensions.exe, procid_target 85)
  - PID 1312 wrote to memory of 2320 (pid 1312, casino_extensions.exe, procid_target 85)
  - PID 1312 wrote to memory of 2320 (pid 1312, casino_extensions.exe, procid_target 85)
  - PID 2320 wrote to memory of 1516 (pid 2320, Casino_ext.exe, procid_target 86)
  - PID 2320 wrote to memory of 1516 (pid 2320, Casino_ext.exe, procid_target 86)
  - PID 2320 wrote to memory of 1516 (pid 2320, Casino_ext.exe, procid_target 86)
  - PID 1516 wrote to memory of 4936 (pid 1516, casino_extensions.exe, procid_target 87)
  - PID 1516 wrote to memory of 4936 (pid 1516, casino_extensions.exe, procid_target 87)
  - PID 1516 wrote to memory of 4936 (pid 1516, casino_extensions.exe, procid_target 87)
  - PID 4936 wrote to memory of 4968 (pid 4936, casino_extensions.exe, procid_target 88)
  - PID 4936 wrote to memory of 4968 (pid 4936, casino_extensions.exe, procid_target 88)
  - PID 4936 wrote to memory of 4968 (pid 4936, casino_extensions.exe, procid_target 88)
  - PID 4968 wrote to memory of 4784 (pid 4968, Casino_ext.exe, procid_target 89)
  - PID 4968 wrote to memory of 4784 (pid 4968, Casino_ext.exe, procid_target 89)
  - PID 4968 wrote to memory of 4784 (pid 4968, Casino_ext.exe, procid_target 89)
  - PID 4784 wrote to memory of 1964 (pid 4784, casino_extensions.exe, procid_target 90)
  - PID 4784 wrote to memory of 1964 (pid 4784, casino_extensions.exe, procid_target 90)
  - PID 4784 wrote to memory of 1964 (pid 4784, casino_extensions.exe, procid_target 90)
  - PID 1964 wrote to memory of 2860 (pid 1964, LiveMessageCenter.exe, procid_target 91)
  - PID 1964 wrote to memory of 2860 (pid 1964, LiveMessageCenter.exe, procid_target 91)
  - PID 1964 wrote to memory of 2860 (pid 1964, LiveMessageCenter.exe, procid_target 91)
  - PID 2860 wrote to memory of 2420 (pid 2860, casino_extensions.exe, procid_target 92)
  - PID 2860 wrote to memory of 2420 (pid 2860, casino_extensions.exe, procid_target 92)
  - PID 2860 wrote to memory of 2420 (pid 2860, casino_extensions.exe, procid_target 92)
  - PID 2420 wrote to memory of 5056 (pid 2420, casino_extensions.exe, procid_target 93)
  - PID 2420 wrote to memory of 5056 (pid 2420, casino_extensions.exe, procid_target 93)
  - PID 2420 wrote to memory of 5056 (pid 2420, casino_extensions.exe, procid_target 93)
  - PID 5056 wrote to memory of 1392 (pid 5056, Casino_ext.exe, procid_target 94)
  - PID 5056 wrote to memory of 1392 (pid 5056, Casino_ext.exe, procid_target 94)
  - PID 5056 wrote to memory of 1392 (pid 5056, Casino_ext.exe, procid_target 94)
  - PID 1392 wrote to memory of 3700 (pid 1392, casino_extensions.exe, procid_target 95)
  - PID 1392 wrote to memory of 3700 (pid 1392, casino_extensions.exe, procid_target 95)
  - PID 1392 wrote to memory of 3700 (pid 1392, casino_extensions.exe, procid_target 95)
Processes
Process tree (each entry was spawned by the one above it):

1. C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\99b1768180e2fb86c530c5e318db1cfee08be67f3d56f1dbb65d844341c1dc17.exe"
   PID: 2876
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
2. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
   Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
   PID: 2600
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\casino_extensions.exe
   Command line: C:\Windows\system32\casino_extensions.exe
   PID: 1312
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Casino_ext.exe
   Command line: C:\Windows\SysWOW64\Casino_ext.exe
   PID: 2320
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
5. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
   Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
   PID: 1516
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\casino_extensions.exe
   Command line: C:\Windows\system32\casino_extensions.exe
   PID: 4936
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Casino_ext.exe
   Command line: C:\Windows\SysWOW64\Casino_ext.exe
   PID: 4968
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
8. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
   Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
   PID: 4784
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\LiveMessageCenter.exe
   Command line: C:\Windows\system32\LiveMessageCenter.exe /part2
   PID: 1964
   - Executes dropped EXE
   - Drops file in Program Files directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
10. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    PID: 2860
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\casino_extensions.exe
    Command line: C:\Windows\system32\casino_extensions.exe
    PID: 2420
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Casino_ext.exe
    Command line: C:\Windows\SysWOW64\Casino_ext.exe
    PID: 5056
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
13. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    PID: 1392
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c $$2028~1.BAT
    PID: 3700
Network
MITRE ATT&CK Matrix
Downloads