Analysis

- max time kernel: 132s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/05/2024, 01:11
Static task: static1

Behavioral task: behavioral1
- Sample: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
- Resource: win10v2004-20240508-en
General

- Target: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
- Size: 765KB
- MD5: 1efff2a5cbd5af55693374077fcd51fb
- SHA1: b845dfadbc01e85111af97db05de84c50f2463fc
- SHA256: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97
- SHA512: a70c427da1d7a9d09bf5e714670b29281801060017bb9a9d26279c6a4ae1e3ed657a80427eef71bbd00744f28ac08898a865172a51cda72bcc295d5f41b66330
- SSDEEP: 3072:ltwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMqle7xa2i1hrxFpKUWZ2Q:vuj8NDF3OR9/Qe2HdJ8RAbrycW
Malware Config
Signatures
Detects executables packed with ASPack (5 IoCs)

resource | yara_rule
- behavioral2/files/0x00090000000235e3-4.dat | INDICATOR_EXE_Packed_ASPack
- behavioral2/memory/3856-7-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_ASPack
- behavioral2/files/0x00070000000235ea-13.dat | INDICATOR_EXE_Packed_ASPack
- behavioral2/memory/4864-12-0x0000000000400000-0x0000000000424000-memory.dmp | INDICATOR_EXE_Packed_ASPack
- behavioral2/files/0x00070000000235eb-22.dat | INDICATOR_EXE_Packed_ASPack
Executes dropped EXE (16 IoCs)

pid | Process
- 4864 | casino_extensions.exe
- 336 | Casino_ext.exe
- 3940 | casino_extensions.exe
- 3140 | Casino_ext.exe
- 4108 | casino_extensions.exe
- 4136 | Casino_ext.exe
- 3936 | LiveMessageCenter.exe
- 1740 | casino_extensions.exe
- 8 | Casino_ext.exe
- 3668 | casino_extensions.exe
- 4648 | Casino_ext.exe
- 2960 | casino_extensions.exe
- 3204 | Casino_ext.exe
- 4536 | LiveMessageCenter.exe
- 2856 | casino_extensions.exe
- 1276 | Casino_ext.exe
Drops file in System32 directory (16 IoCs)

description | ioc | Process
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File created | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File created | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\LiveMessageCenter.exe | casino_extensions.exe
- File opened for modification | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
- File created | C:\Windows\SysWOW64\casino_extensions.exe | casino_extensions.exe
Drops file in Program Files directory (17 IoCs)

description | ioc | Process
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
- File created | C:\Program Files (x86)\Internet Explorer\$$202803s.bat | casino_extensions.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | casino_extensions.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | LiveMessageCenter.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | Casino_ext.exe
- File opened for modification | C:\Program Files (x86)\Internet Explorer\casino_extensions.exe | LiveMessageCenter.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)

pid | Process
- 336 | Casino_ext.exe
- 336 | Casino_ext.exe
- 3140 | Casino_ext.exe
- 3140 | Casino_ext.exe
- 4136 | Casino_ext.exe
- 4136 | Casino_ext.exe
- 3936 | LiveMessageCenter.exe
- 3936 | LiveMessageCenter.exe
- 8 | Casino_ext.exe
- 8 | Casino_ext.exe
- 4648 | Casino_ext.exe
- 4648 | Casino_ext.exe
- 3204 | Casino_ext.exe
- 3204 | Casino_ext.exe
- 4536 | LiveMessageCenter.exe
- 4536 | LiveMessageCenter.exe
- 1276 | Casino_ext.exe
- 1276 | Casino_ext.exe
Suspicious behavior: RenamesItself (1 IoC)

pid | Process
- 3856 | 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
Suspicious use of WriteProcessMemory (64 IoCs)

Each write is reported three times in the original listing; the final entry appears once, giving 21 x 3 + 1 = 64 IoCs.

description | pid | Process | procid_target
- PID 3856 wrote to memory of 2204 | 3856 | 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe | 90 (3 entries)
- PID 2204 wrote to memory of 4864 | 2204 | casino_extensions.exe | 91 (3 entries)
- PID 4864 wrote to memory of 336 | 4864 | casino_extensions.exe | 92 (3 entries)
- PID 336 wrote to memory of 3376 | 336 | Casino_ext.exe | 93 (3 entries)
- PID 3376 wrote to memory of 3940 | 3376 | casino_extensions.exe | 94 (3 entries)
- PID 3940 wrote to memory of 3140 | 3940 | casino_extensions.exe | 95 (3 entries)
- PID 3140 wrote to memory of 4320 | 3140 | Casino_ext.exe | 96 (3 entries)
- PID 4320 wrote to memory of 4108 | 4320 | casino_extensions.exe | 97 (3 entries)
- PID 4108 wrote to memory of 4136 | 4108 | casino_extensions.exe | 98 (3 entries)
- PID 4136 wrote to memory of 1280 | 4136 | Casino_ext.exe | 99 (3 entries)
- PID 1280 wrote to memory of 3936 | 1280 | casino_extensions.exe | 100 (3 entries)
- PID 3936 wrote to memory of 4980 | 3936 | LiveMessageCenter.exe | 101 (3 entries)
- PID 4980 wrote to memory of 1740 | 4980 | casino_extensions.exe | 102 (3 entries)
- PID 1740 wrote to memory of 8 | 1740 | casino_extensions.exe | 103 (3 entries)
- PID 8 wrote to memory of 5016 | 8 | Casino_ext.exe | 104 (3 entries)
- PID 5016 wrote to memory of 3668 | 5016 | casino_extensions.exe | 105 (3 entries)
- PID 3668 wrote to memory of 4648 | 3668 | casino_extensions.exe | 106 (3 entries)
- PID 4648 wrote to memory of 2424 | 4648 | Casino_ext.exe | 107 (3 entries)
- PID 2424 wrote to memory of 2960 | 2424 | casino_extensions.exe | 108 (3 entries)
- PID 2960 wrote to memory of 3204 | 2960 | casino_extensions.exe | 110 (3 entries)
- PID 3204 wrote to memory of 2224 | 3204 | Casino_ext.exe | 111 (3 entries)
- PID 2224 wrote to memory of 4536 | 2224 | casino_extensions.exe | 112 (1 entry)
Processes

Process tree; the number in parentheses is the nesting depth, each entry being a child of the one above it.

(1) C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    PID: 3856

(2) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2204

(3) C:\Windows\SysWOW64\casino_extensions.exe
    Command line: C:\Windows\system32\casino_extensions.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 4864

(4) C:\Windows\SysWOW64\Casino_ext.exe
    Command line: C:\Windows\SysWOW64\Casino_ext.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 336

(5) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 3376

(6) C:\Windows\SysWOW64\casino_extensions.exe
    Command line: C:\Windows\system32\casino_extensions.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 3940

(7) C:\Windows\SysWOW64\Casino_ext.exe
    Command line: C:\Windows\SysWOW64\Casino_ext.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3140

(8) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4320

(9) C:\Windows\SysWOW64\casino_extensions.exe
    Command line: C:\Windows\system32\casino_extensions.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 4108

(10) C:\Windows\SysWOW64\Casino_ext.exe
    Command line: C:\Windows\SysWOW64\Casino_ext.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4136

(11) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 1280

(12) C:\Windows\SysWOW64\LiveMessageCenter.exe
    Command line: C:\Windows\system32\LiveMessageCenter.exe /part2
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3936

(13) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 4980

(14) C:\Windows\SysWOW64\casino_extensions.exe
    Command line: C:\Windows\system32\casino_extensions.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 1740

(15) C:\Windows\SysWOW64\Casino_ext.exe
    Command line: C:\Windows\SysWOW64\Casino_ext.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 8

(16) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 5016

(17) C:\Windows\SysWOW64\casino_extensions.exe
    Command line: C:\Windows\system32\casino_extensions.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 3668

(18) C:\Windows\SysWOW64\Casino_ext.exe
    Command line: C:\Windows\SysWOW64\Casino_ext.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4648

(19) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2424

(20) C:\Windows\SysWOW64\casino_extensions.exe
    Command line: C:\Windows\system32\casino_extensions.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID: 2960

(21) C:\Windows\SysWOW64\Casino_ext.exe
    Command line: C:\Windows\SysWOW64\Casino_ext.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3204

(22) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID: 2224

(23) C:\Windows\SysWOW64\LiveMessageCenter.exe
    Command line: C:\Windows\system32\LiveMessageCenter.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 4536

(24) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    PID: 4432

(25) C:\Windows\SysWOW64\casino_extensions.exe
    Command line: C:\Windows\system32\casino_extensions.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID: 2856

(26) C:\Windows\SysWOW64\Casino_ext.exe
    Command line: C:\Windows\SysWOW64\Casino_ext.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1276

(27) C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    PID: 2576

(28) C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c $$2028~1.BAT
    PID: 3676
(1) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4320 /prefetch:8
    PID: 4040
Network
MITRE ATT&CK Matrix
Downloads
Dropped file 1
- Filesize: 81B
- MD5: 4777bf695815d870d27ed4a38a8f0840
- SHA1: 565412b5182bca7a221448dba78369c42d1c4a0c
- SHA256: c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
- SHA512: 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Dropped file 2
- Filesize: 780KB
- MD5: 9a2071081a24fccc61d2215871a2cef1
- SHA1: dcc58404d45424f9ea92e2730ea86d47272c65c1
- SHA256: d1cad23f35332b85f55b2093160dcc4f5090fac3c35f9cd7110973d7d0dba24b
- SHA512: 4a9ea0e42dba7ec3b2ddd6a916f732be334af0a498330151a9e1a38f43e59c687f4866d342f96893d628f6838a2d164df93f3670d306cba22d361f3a04548117

Dropped file 3
- Filesize: 769KB
- MD5: 8d5a423d7d94652e41ac8320c58f8c06
- SHA1: 77e48518c9f079c4f0eaa11bb22fcd5a41814ece
- SHA256: e3c420edf1fd0490aedbdd489629e90abe6b22d38d37208eaf28c46f27fb27a2
- SHA512: 57c868026482b99a5bb77a073bf58527257768684b1cf1747eda26557877c19eb84a70b2c46a667b79d0697a8670f0b77ac83a0f7d6fd35defbc0dbc9e951419

Dropped file 4
- Filesize: 780KB
- MD5: c3f9cc3c9af091cafdf184e5b8d694b1
- SHA1: 8b765d50a84df21ddb2d95cbcc1ff0855a541b74
- SHA256: 253c992130ec2192edf3450625c76e1615c8eeb674000bfa3010e3ec2cf95c37
- SHA512: 3e6e08fa1c12721cf699f4f057295fac7f496f0b66f5fa7136172ba1b882fbab84e81e614523f0b5710cc038c1b4b323d47db44e24e12826e40ca047638a87e9