Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25/05/2024, 01:11
Static task: static1
Behavioral task: behavioral1
  Sample: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
  Resource: win10v2004-20240508-en
General
Target: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
Size: 765KB
MD5: 1efff2a5cbd5af55693374077fcd51fb
SHA1: b845dfadbc01e85111af97db05de84c50f2463fc
SHA256: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97
SHA512: a70c427da1d7a9d09bf5e714670b29281801060017bb9a9d26279c6a4ae1e3ed657a80427eef71bbd00744f28ac08898a865172a51cda72bcc295d5f41b66330
SSDEEP: 3072:ltwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMqle7xa2i1hrxFpKUWZ2Q:vuj8NDF3OR9/Qe2HdJ8RAbrycW
Malware Config
Signatures
Detects executables packed with ASPack 5 IoCs
resource | yara_rule
behavioral1/files/0x000d000000014698-3.dat | INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2892-13-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral1/memory/2900-12-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x002b000000014c67-19.dat | INDICATOR_EXE_Packed_ASPack
behavioral1/files/0x0011000000014e3d-33.dat | INDICATOR_EXE_Packed_ASPack
Deletes itself 1 IoCs
pid | Process
1592 | cmd.exe
Executes dropped EXE 10 IoCs
pid | Process
2900 | casino_extensions.exe
3024 | Casino_ext.exe
2668 | casino_extensions.exe
2796 | Casino_ext.exe
2672 | casino_extensions.exe
2144 | Casino_ext.exe
2716 | LiveMessageCenter.exe
2532 | casino_extensions.exe
2660 | Casino_ext.exe
2384 | LiveMessageCenter.exe
Loads dropped DLL 12 IoCs
pid | Process
1688 | casino_extensions.exe
1688 | casino_extensions.exe
2492 | casino_extensions.exe
2492 | casino_extensions.exe
2292 | casino_extensions.exe
2292 | casino_extensions.exe
2604 | casino_extensions.exe
2604 | casino_extensions.exe
2628 | casino_extensions.exe
2628 | casino_extensions.exe
2360 | casino_extensions.exe
2360 | casino_extensions.exe
Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
File created | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
File created | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | LiveMessageCenter.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | LiveMessageCenter.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
File created | C:\Program Files (x86)\Internet Explorer\$$202803s.bat | casino_extensions.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
3024 | Casino_ext.exe
2796 | Casino_ext.exe
2144 | Casino_ext.exe
2716 | LiveMessageCenter.exe
2660 | Casino_ext.exe
2384 | LiveMessageCenter.exe
Suspicious behavior: RenamesItself 1 IoCs
pid | Process
2892 | 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2892 wrote to memory of 1688 | 2892 | 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe | 28
PID 2892 wrote to memory of 1688 | 2892 | 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe | 28
PID 2892 wrote to memory of 1688 | 2892 | 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe | 28
PID 2892 wrote to memory of 1688 | 2892 | 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe | 28
PID 1688 wrote to memory of 2900 | 1688 | casino_extensions.exe | 29
PID 1688 wrote to memory of 2900 | 1688 | casino_extensions.exe | 29
PID 1688 wrote to memory of 2900 | 1688 | casino_extensions.exe | 29
PID 1688 wrote to memory of 2900 | 1688 | casino_extensions.exe | 29
PID 2900 wrote to memory of 3024 | 2900 | casino_extensions.exe | 30
PID 2900 wrote to memory of 3024 | 2900 | casino_extensions.exe | 30
PID 2900 wrote to memory of 3024 | 2900 | casino_extensions.exe | 30
PID 2900 wrote to memory of 3024 | 2900 | casino_extensions.exe | 30
PID 3024 wrote to memory of 2492 | 3024 | Casino_ext.exe | 31
PID 3024 wrote to memory of 2492 | 3024 | Casino_ext.exe | 31
PID 3024 wrote to memory of 2492 | 3024 | Casino_ext.exe | 31
PID 3024 wrote to memory of 2492 | 3024 | Casino_ext.exe | 31
PID 2492 wrote to memory of 2668 | 2492 | casino_extensions.exe | 32
PID 2492 wrote to memory of 2668 | 2492 | casino_extensions.exe | 32
PID 2492 wrote to memory of 2668 | 2492 | casino_extensions.exe | 32
PID 2492 wrote to memory of 2668 | 2492 | casino_extensions.exe | 32
PID 2668 wrote to memory of 2796 | 2668 | casino_extensions.exe | 33
PID 2668 wrote to memory of 2796 | 2668 | casino_extensions.exe | 33
PID 2668 wrote to memory of 2796 | 2668 | casino_extensions.exe | 33
PID 2668 wrote to memory of 2796 | 2668 | casino_extensions.exe | 33
PID 2796 wrote to memory of 2292 | 2796 | Casino_ext.exe | 34
PID 2796 wrote to memory of 2292 | 2796 | Casino_ext.exe | 34
PID 2796 wrote to memory of 2292 | 2796 | Casino_ext.exe | 34
PID 2796 wrote to memory of 2292 | 2796 | Casino_ext.exe | 34
PID 2292 wrote to memory of 2672 | 2292 | casino_extensions.exe | 35
PID 2292 wrote to memory of 2672 | 2292 | casino_extensions.exe | 35
PID 2292 wrote to memory of 2672 | 2292 | casino_extensions.exe | 35
PID 2292 wrote to memory of 2672 | 2292 | casino_extensions.exe | 35
PID 2672 wrote to memory of 2144 | 2672 | casino_extensions.exe | 36
PID 2672 wrote to memory of 2144 | 2672 | casino_extensions.exe | 36
PID 2672 wrote to memory of 2144 | 2672 | casino_extensions.exe | 36
PID 2672 wrote to memory of 2144 | 2672 | casino_extensions.exe | 36
PID 2144 wrote to memory of 2604 | 2144 | Casino_ext.exe | 37
PID 2144 wrote to memory of 2604 | 2144 | Casino_ext.exe | 37
PID 2144 wrote to memory of 2604 | 2144 | Casino_ext.exe | 37
PID 2144 wrote to memory of 2604 | 2144 | Casino_ext.exe | 37
PID 2604 wrote to memory of 2716 | 2604 | casino_extensions.exe | 38
PID 2604 wrote to memory of 2716 | 2604 | casino_extensions.exe | 38
PID 2604 wrote to memory of 2716 | 2604 | casino_extensions.exe | 38
PID 2604 wrote to memory of 2716 | 2604 | casino_extensions.exe | 38
PID 2716 wrote to memory of 2628 | 2716 | LiveMessageCenter.exe | 39
PID 2716 wrote to memory of 2628 | 2716 | LiveMessageCenter.exe | 39
PID 2716 wrote to memory of 2628 | 2716 | LiveMessageCenter.exe | 39
PID 2716 wrote to memory of 2628 | 2716 | LiveMessageCenter.exe | 39
PID 2628 wrote to memory of 2532 | 2628 | casino_extensions.exe | 40
PID 2628 wrote to memory of 2532 | 2628 | casino_extensions.exe | 40
PID 2628 wrote to memory of 2532 | 2628 | casino_extensions.exe | 40
PID 2628 wrote to memory of 2532 | 2628 | casino_extensions.exe | 40
PID 2532 wrote to memory of 2660 | 2532 | casino_extensions.exe | 41
PID 2532 wrote to memory of 2660 | 2532 | casino_extensions.exe | 41
PID 2532 wrote to memory of 2660 | 2532 | casino_extensions.exe | 41
PID 2532 wrote to memory of 2660 | 2532 | casino_extensions.exe | 41
PID 2660 wrote to memory of 2360 | 2660 | Casino_ext.exe | 42
PID 2660 wrote to memory of 2360 | 2660 | Casino_ext.exe | 42
PID 2660 wrote to memory of 2360 | 2660 | Casino_ext.exe | 42
PID 2660 wrote to memory of 2360 | 2660 | Casino_ext.exe | 42
PID 2360 wrote to memory of 2384 | 2360 | casino_extensions.exe | 43
PID 2360 wrote to memory of 2384 | 2360 | casino_extensions.exe | 43
PID 2360 wrote to memory of 2384 | 2360 | casino_extensions.exe | 43
PID 2360 wrote to memory of 2384 | 2360 | casino_extensions.exe | 43
Processes (the number is the entry's depth in the process tree)

depth 1: C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe"
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID: 2892

depth 2: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 1688

depth 3: C:\Windows\SysWOW64\casino_extensions.exe
  command line: C:\Windows\system32\casino_extensions.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2900

depth 4: C:\Windows\SysWOW64\Casino_ext.exe
  command line: C:\Windows\SysWOW64\Casino_ext.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3024

depth 5: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2492

depth 6: C:\Windows\SysWOW64\casino_extensions.exe
  command line: C:\Windows\system32\casino_extensions.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2668

depth 7: C:\Windows\SysWOW64\Casino_ext.exe
  command line: C:\Windows\SysWOW64\Casino_ext.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2796

depth 8: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2292

depth 9: C:\Windows\SysWOW64\casino_extensions.exe
  command line: C:\Windows\system32\casino_extensions.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2672

depth 10: C:\Windows\SysWOW64\Casino_ext.exe
  command line: C:\Windows\SysWOW64\Casino_ext.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2144

depth 11: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2604

depth 12: C:\Windows\SysWOW64\LiveMessageCenter.exe
  command line: C:\Windows\system32\LiveMessageCenter.exe /part2
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2716

depth 13: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2628

depth 14: C:\Windows\SysWOW64\casino_extensions.exe
  command line: C:\Windows\system32\casino_extensions.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2532

depth 15: C:\Windows\SysWOW64\Casino_ext.exe
  command line: C:\Windows\SysWOW64\Casino_ext.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2660

depth 16: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 2360

depth 17: C:\Windows\SysWOW64\LiveMessageCenter.exe
  command line: C:\Windows\system32\LiveMessageCenter.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 2384

depth 18: C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID: 2440

depth 19: C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c $$2028~1.BAT
  - Deletes itself
  PID: 1592
Network
MITRE ATT&CK Matrix
Downloads