494c44f7a9658d6701ddcf3501e4d0f93dd99117dea2183c71b48e3b9cb71b11

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b8ccf44d0e442ab204b830e76762860.exe
Size

1.1MB
MD5

1b8ccf44d0e442ab204b830e76762860
SHA1

baa94f273e6f8df835ff9aa45bf230a83053d98e
SHA256

494c44f7a9658d6701ddcf3501e4d0f93dd99117dea2183c71b48e3b9cb71b11
SHA512

d66afe46f675bf27b7fee771c9752929642da4d64efddf581100c5ef2298359f4b5394e75eb3e77ec1ee9216869adc32d8528e87bdb09b64af75c4637bd07820
SSDEEP

3072:BtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdFcoV2i1JLj3:7uj8NDF3OR9/Qe2HdklrSqtBVvH3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2168	casino_extensions.exe
3100	Casino_ext.exe
384	casino_extensions.exe
348	Casino_ext.exe
1092	LiveMessageCenter.exe
2400	casino_extensions.exe
1072	Casino_ext.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3100	Casino_ext.exe
3100	Casino_ext.exe
348	Casino_ext.exe
348	Casino_ext.exe
1092	LiveMessageCenter.exe
1092	LiveMessageCenter.exe
1072	Casino_ext.exe
1072	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3516	1b8ccf44d0e442ab204b830e76762860.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3284	3516	1b8ccf44d0e442ab204b830e76762860.exe	81
PID 3516 wrote to memory of 3284	3516	1b8ccf44d0e442ab204b830e76762860.exe	81
PID 3516 wrote to memory of 3284	3516	1b8ccf44d0e442ab204b830e76762860.exe	81
PID 3284 wrote to memory of 2168	3284	casino_extensions.exe	82
PID 3284 wrote to memory of 2168	3284	casino_extensions.exe	82
PID 3284 wrote to memory of 2168	3284	casino_extensions.exe	82
PID 2168 wrote to memory of 3100	2168	casino_extensions.exe	83
PID 2168 wrote to memory of 3100	2168	casino_extensions.exe	83
PID 2168 wrote to memory of 3100	2168	casino_extensions.exe	83
PID 3100 wrote to memory of 4384	3100	Casino_ext.exe	84
PID 3100 wrote to memory of 4384	3100	Casino_ext.exe	84
PID 3100 wrote to memory of 4384	3100	Casino_ext.exe	84
PID 4384 wrote to memory of 384	4384	casino_extensions.exe	87
PID 4384 wrote to memory of 384	4384	casino_extensions.exe	87
PID 4384 wrote to memory of 384	4384	casino_extensions.exe	87
PID 384 wrote to memory of 348	384	casino_extensions.exe	88
PID 384 wrote to memory of 348	384	casino_extensions.exe	88
PID 384 wrote to memory of 348	384	casino_extensions.exe	88
PID 348 wrote to memory of 656	348	Casino_ext.exe	89
PID 348 wrote to memory of 656	348	Casino_ext.exe	89
PID 348 wrote to memory of 656	348	Casino_ext.exe	89
PID 656 wrote to memory of 1092	656	casino_extensions.exe	91
PID 656 wrote to memory of 1092	656	casino_extensions.exe	91
PID 656 wrote to memory of 1092	656	casino_extensions.exe	91
PID 1092 wrote to memory of 3104	1092	LiveMessageCenter.exe	92
PID 1092 wrote to memory of 3104	1092	LiveMessageCenter.exe	92
PID 1092 wrote to memory of 3104	1092	LiveMessageCenter.exe	92
PID 3104 wrote to memory of 2400	3104	casino_extensions.exe	93
PID 3104 wrote to memory of 2400	3104	casino_extensions.exe	93
PID 3104 wrote to memory of 2400	3104	casino_extensions.exe	93
PID 2400 wrote to memory of 1072	2400	casino_extensions.exe	94
PID 2400 wrote to memory of 1072	2400	casino_extensions.exe	94
PID 2400 wrote to memory of 1072	2400	casino_extensions.exe	94
PID 1072 wrote to memory of 1884	1072	Casino_ext.exe	95
PID 1072 wrote to memory of 1884	1072	Casino_ext.exe	95
PID 1072 wrote to memory of 1884	1072	Casino_ext.exe	95
PID 1884 wrote to memory of 1168	1884	casino_extensions.exe	96
PID 1884 wrote to memory of 1168	1884	casino_extensions.exe	96
PID 1884 wrote to memory of 1168	1884	casino_extensions.exe	96

C:\Users\Admin\AppData\Local\Temp\1b8ccf44d0e442ab204b830e76762860.exe
"C:\Users\Admin\AppData\Local\Temp\1b8ccf44d0e442ab204b830e76762860.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3100
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4384
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:384
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        14⤵
        
        PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
1.1MB

MD5
780a424ea700bfcafd714856946d72f9

SHA1
6ac841b704e2a9e538f808c834ec3a3a7c5ce269

SHA256
3801c261e2c6f131337016dee2c22e873937b9030f673cb001c137d240eb73e5

SHA512
22c0f78ebb78804776f0e4c63f4c4459af939e72f5efa589162540b6dc856c92e736f5f925023e415a6995aed425f7e1620acc0d39093d2cdd754292505d1af8

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
1.2MB

MD5
35485c73ff5fa130988495e88927f9a9

SHA1
f69c7e1dde7b5dcfb1621b6b751f52f6e72738e6

SHA256
312dc496b39c43d83657a3ce98a354b2a6bc76e8edf57dd98dc3a59cd0867396

SHA512
1f7d2d1ae9a57f8a40ac1dc5bfd359fbb878eec118520e4989d88824161fd80838737075b2aa2452e724c9f7cde5c19c26b9ee0c897caf6aeaa2da64832657e6

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
1.1MB

MD5
43d541e435aedd7b6dfe103304427324

SHA1
499dcf607a458f73b9dcaf14c853a5e696c49d0f

SHA256
02105595b6b790d3203df9dda524600a9b9ac8ef04f70d9f29af9f413f34f57c

SHA512
a3a6529fce625ca059ea9b5b9495fd6ad7a24547a64e3a5fd0d78056fe7a4480132f55facabc0b75d2112f6e39242771a767cbae2d10895118bee718a0d0e207

Download Submit
memory/2168-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3516-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download