494c44f7a9658d6701ddcf3501e4d0f93dd99117dea2183c71b48e3b9cb71b11

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 01:53 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b8ccf44d0e442ab204b830e76762860.exe
Size

1.1MB
MD5

1b8ccf44d0e442ab204b830e76762860
SHA1

baa94f273e6f8df835ff9aa45bf230a83053d98e
SHA256

494c44f7a9658d6701ddcf3501e4d0f93dd99117dea2183c71b48e3b9cb71b11
SHA512

d66afe46f675bf27b7fee771c9752929642da4d64efddf581100c5ef2298359f4b5394e75eb3e77ec1ee9216869adc32d8528e87bdb09b64af75c4637bd07820
SSDEEP

3072:BtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdFcoV2i1JLj3:7uj8NDF3OR9/Qe2HdklrSqtBVvH3

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2132	casino_extensions.exe
2148	Casino_ext.exe
1456	casino_extensions.exe
2732	Casino_ext.exe
2720	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
2052	casino_extensions.exe
2052	casino_extensions.exe
2848	casino_extensions.exe
2848	casino_extensions.exe
2756	casino_extensions.exe
2756	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2148	Casino_ext.exe
2732	Casino_ext.exe
2720	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2288	1b8ccf44d0e442ab204b830e76762860.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2052	2288	1b8ccf44d0e442ab204b830e76762860.exe	28
PID 2288 wrote to memory of 2052	2288	1b8ccf44d0e442ab204b830e76762860.exe	28
PID 2288 wrote to memory of 2052	2288	1b8ccf44d0e442ab204b830e76762860.exe	28
PID 2288 wrote to memory of 2052	2288	1b8ccf44d0e442ab204b830e76762860.exe	28
PID 2052 wrote to memory of 2132	2052	casino_extensions.exe	29
PID 2052 wrote to memory of 2132	2052	casino_extensions.exe	29
PID 2052 wrote to memory of 2132	2052	casino_extensions.exe	29
PID 2052 wrote to memory of 2132	2052	casino_extensions.exe	29
PID 2132 wrote to memory of 2148	2132	casino_extensions.exe	30
PID 2132 wrote to memory of 2148	2132	casino_extensions.exe	30
PID 2132 wrote to memory of 2148	2132	casino_extensions.exe	30
PID 2132 wrote to memory of 2148	2132	casino_extensions.exe	30
PID 2148 wrote to memory of 2848	2148	Casino_ext.exe	31
PID 2148 wrote to memory of 2848	2148	Casino_ext.exe	31
PID 2148 wrote to memory of 2848	2148	Casino_ext.exe	31
PID 2148 wrote to memory of 2848	2148	Casino_ext.exe	31
PID 2848 wrote to memory of 1456	2848	casino_extensions.exe	32
PID 2848 wrote to memory of 1456	2848	casino_extensions.exe	32
PID 2848 wrote to memory of 1456	2848	casino_extensions.exe	32
PID 2848 wrote to memory of 1456	2848	casino_extensions.exe	32
PID 1456 wrote to memory of 2732	1456	casino_extensions.exe	33
PID 1456 wrote to memory of 2732	1456	casino_extensions.exe	33
PID 1456 wrote to memory of 2732	1456	casino_extensions.exe	33
PID 1456 wrote to memory of 2732	1456	casino_extensions.exe	33
PID 2732 wrote to memory of 2756	2732	Casino_ext.exe	34
PID 2732 wrote to memory of 2756	2732	Casino_ext.exe	34
PID 2732 wrote to memory of 2756	2732	Casino_ext.exe	34
PID 2732 wrote to memory of 2756	2732	Casino_ext.exe	34
PID 2756 wrote to memory of 2720	2756	casino_extensions.exe	35
PID 2756 wrote to memory of 2720	2756	casino_extensions.exe	35
PID 2756 wrote to memory of 2720	2756	casino_extensions.exe	35
PID 2756 wrote to memory of 2720	2756	casino_extensions.exe	35
PID 2720 wrote to memory of 2104	2720	LiveMessageCenter.exe	36
PID 2720 wrote to memory of 2104	2720	LiveMessageCenter.exe	36
PID 2720 wrote to memory of 2104	2720	LiveMessageCenter.exe	36
PID 2720 wrote to memory of 2104	2720	LiveMessageCenter.exe	36
PID 2104 wrote to memory of 2816	2104	casino_extensions.exe	37
PID 2104 wrote to memory of 2816	2104	casino_extensions.exe	37
PID 2104 wrote to memory of 2816	2104	casino_extensions.exe	37
PID 2104 wrote to memory of 2816	2104	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\1b8ccf44d0e442ab204b830e76762860.exe
"C:\Users\Admin\AppData\Local\Temp\1b8ccf44d0e442ab204b830e76762860.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
1.2MB

MD5
89740c31b1aefe9a7142722bf89fde30

SHA1
1bf8fab191969df5d291c858221d6785fc0841a3

SHA256
561be72f3e5b8d2ac1601cd9e45a979ced8f4151d3efeeadc79115fb38d05634

SHA512
1cfff9dea60ee58099d5b5072148fd61ff07860e014eee8a814f2cd734824afb04d0e4055f1ab8d0e20b270857e831d0edb9c7e2e664b19b5d40de18b7bfd93e

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
1.2MB

MD5
db25b76b4861983ca49d9ae9848ee141

SHA1
47904918e609a0bdfbaddbe5bd4f22c23215e835

SHA256
f16ba466160f66e437ff198c510955fff39c55f8b14966ef8c306dc6f06fe843

SHA512
ebff8e6029d82fd1f541e0f837014eb2dd7d49ca00dab774b932fe6649d84570eb5073ee36d1e9f8058050e2c7abd9161ccc08259c2ed095398ee9d330ccae6a

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
1.2MB

MD5
b330dd5d2d381697503ac60b57399163

SHA1
979fc757cd2b0221a1da99a11143bf37df57ab23

SHA256
fbcb9f5a37636c97e27a8c96868ae9b415e738654b3629d0ca9a8b3384016bae

SHA512
1fb9dfa790c5f6ae047b91f469ea8d8b654448086b92d886c0cf60b86b8877210112bcf71fedcaf72cd9e62f542f264665af83e852249d28f6c0906c12d22eb1

Download Submit
memory/2132-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2288-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download