Analysis

  • max time kernel: 132s
  • max time network: 126s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240508-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 25/05/2024, 01:11

General

  • Target: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
  • Size: 765KB
  • MD5: 1efff2a5cbd5af55693374077fcd51fb
  • SHA1: b845dfadbc01e85111af97db05de84c50f2463fc
  • SHA256: 99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97
  • SHA512: a70c427da1d7a9d09bf5e714670b29281801060017bb9a9d26279c6a4ae1e3ed657a80427eef71bbd00744f28ac08898a865172a51cda72bcc295d5f41b66330
  • SSDEEP: 3072:ltwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMqle7xa2i1hrxFpKUWZ2Q:vuj8NDF3OR9/Qe2HdJ8RAbrycW

Score
9/10

Malware Config

Signatures

  • Detects executables packed with ASPack 5 IoCs
  • Executes dropped EXE 16 IoCs
  • Drops file in System32 directory 16 IoCs
  • Drops file in Program Files directory 17 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe
    "C:\Users\Admin\AppData\Local\Temp\99c75afcbdd73e4122db993d12627296841c22757c4b72839d0cb1a9dd94fc97.exe"
    1⤵
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3856
    • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\SysWOW64\casino_extensions.exe
        C:\Windows\system32\casino_extensions.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Windows\SysWOW64\Casino_ext.exe
          C:\Windows\SysWOW64\Casino_ext.exe
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:336
          • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
            "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:3376
            • C:\Windows\SysWOW64\casino_extensions.exe
              C:\Windows\system32\casino_extensions.exe
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of WriteProcessMemory
              PID:3940
              • C:\Windows\SysWOW64\Casino_ext.exe
                C:\Windows\SysWOW64\Casino_ext.exe
                7⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3140
                • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                  8⤵
                  • Drops file in System32 directory
                  • Suspicious use of WriteProcessMemory
                  PID:4320
                  • C:\Windows\SysWOW64\casino_extensions.exe
                    C:\Windows\system32\casino_extensions.exe
                    9⤵
                    • Executes dropped EXE
                    • Drops file in Program Files directory
                    • Suspicious use of WriteProcessMemory
                    PID:4108
                    • C:\Windows\SysWOW64\Casino_ext.exe
                      C:\Windows\SysWOW64\Casino_ext.exe
                      10⤵
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4136
                      • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                        11⤵
                        • Drops file in System32 directory
                        • Suspicious use of WriteProcessMemory
                        PID:1280
                        • C:\Windows\SysWOW64\LiveMessageCenter.exe
                          C:\Windows\system32\LiveMessageCenter.exe /part2
                          12⤵
                          • Executes dropped EXE
                          • Drops file in Program Files directory
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:3936
                          • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                            "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                            13⤵
                            • Drops file in System32 directory
                            • Suspicious use of WriteProcessMemory
                            PID:4980
                            • C:\Windows\SysWOW64\casino_extensions.exe
                              C:\Windows\system32\casino_extensions.exe
                              14⤵
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • Suspicious use of WriteProcessMemory
                              PID:1740
                              • C:\Windows\SysWOW64\Casino_ext.exe
                                C:\Windows\SysWOW64\Casino_ext.exe
                                15⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of WriteProcessMemory
                                PID:8
                                • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                                  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                                  16⤵
                                  • Drops file in System32 directory
                                  • Suspicious use of WriteProcessMemory
                                  PID:5016
                                  • C:\Windows\SysWOW64\casino_extensions.exe
                                    C:\Windows\system32\casino_extensions.exe
                                    17⤵
                                    • Executes dropped EXE
                                    • Drops file in Program Files directory
                                    • Suspicious use of WriteProcessMemory
                                    PID:3668
                                    • C:\Windows\SysWOW64\Casino_ext.exe
                                      C:\Windows\SysWOW64\Casino_ext.exe
                                      18⤵
                                      • Executes dropped EXE
                                      • Drops file in Program Files directory
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of WriteProcessMemory
                                      PID:4648
                                      • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                                        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                                        19⤵
                                        • Drops file in System32 directory
                                        • Suspicious use of WriteProcessMemory
                                        PID:2424
                                        • C:\Windows\SysWOW64\casino_extensions.exe
                                          C:\Windows\system32\casino_extensions.exe
                                          20⤵
                                          • Executes dropped EXE
                                          • Drops file in Program Files directory
                                          • Suspicious use of WriteProcessMemory
                                          PID:2960
                                          • C:\Windows\SysWOW64\Casino_ext.exe
                                            C:\Windows\SysWOW64\Casino_ext.exe
                                            21⤵
                                            • Executes dropped EXE
                                            • Drops file in Program Files directory
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of WriteProcessMemory
                                            PID:3204
                                            • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                                              "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                                              22⤵
                                              • Drops file in System32 directory
                                              • Suspicious use of WriteProcessMemory
                                              PID:2224
                                              • C:\Windows\SysWOW64\LiveMessageCenter.exe
                                                C:\Windows\system32\LiveMessageCenter.exe
                                                23⤵
                                                • Executes dropped EXE
                                                • Drops file in Program Files directory
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:4536
                                                • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                                                  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                                                  24⤵
                                                  • Drops file in System32 directory
                                                  PID:4432
                                                  • C:\Windows\SysWOW64\casino_extensions.exe
                                                    C:\Windows\system32\casino_extensions.exe
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Drops file in Program Files directory
                                                    PID:2856
                                                    • C:\Windows\SysWOW64\Casino_ext.exe
                                                      C:\Windows\SysWOW64\Casino_ext.exe
                                                      26⤵
                                                      • Executes dropped EXE
                                                      • Drops file in Program Files directory
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:1276
                                                      • C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
                                                        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
                                                        27⤵
                                                        • Drops file in System32 directory
                                                        • Drops file in Program Files directory
                                                        PID:2576
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c $$2028~1.BAT
                                                          28⤵
                                                            PID:3676
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4320 /prefetch:8
      1⤵
        PID:4040

Downloads

  • C:\Program Files (x86)\Internet Explorer\$$202803s.bat
    Filesize: 81B
    MD5: 4777bf695815d870d27ed4a38a8f0840
    SHA1: 565412b5182bca7a221448dba78369c42d1c4a0c
    SHA256: c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
    SHA512: 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

  • C:\Windows\SysWOW64\LiveMessageCenter.exe
    Filesize: 780KB
    MD5: 9a2071081a24fccc61d2215871a2cef1
    SHA1: dcc58404d45424f9ea92e2730ea86d47272c65c1
    SHA256: d1cad23f35332b85f55b2093160dcc4f5090fac3c35f9cd7110973d7d0dba24b
    SHA512: 4a9ea0e42dba7ec3b2ddd6a916f732be334af0a498330151a9e1a38f43e59c687f4866d342f96893d628f6838a2d164df93f3670d306cba22d361f3a04548117

  • C:\Windows\SysWOW64\casino_extensions.exe
    Filesize: 769KB
    MD5: 8d5a423d7d94652e41ac8320c58f8c06
    SHA1: 77e48518c9f079c4f0eaa11bb22fcd5a41814ece
    SHA256: e3c420edf1fd0490aedbdd489629e90abe6b22d38d37208eaf28c46f27fb27a2
    SHA512: 57c868026482b99a5bb77a073bf58527257768684b1cf1747eda26557877c19eb84a70b2c46a667b79d0697a8670f0b77ac83a0f7d6fd35defbc0dbc9e951419

  • C:\Windows\SysWOW64\casino_extensions.exe
    Filesize: 780KB
    MD5: c3f9cc3c9af091cafdf184e5b8d694b1
    SHA1: 8b765d50a84df21ddb2d95cbcc1ff0855a541b74
    SHA256: 253c992130ec2192edf3450625c76e1615c8eeb674000bfa3010e3ec2cf95c37
    SHA512: 3e6e08fa1c12721cf699f4f057295fac7f496f0b66f5fa7136172ba1b882fbab84e81e614523f0b5710cc038c1b4b323d47db44e24e12826e40ca047638a87e9

  • memory/3856-7-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize: 144KB

  • memory/4864-12-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize: 144KB