9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5

General

Target

9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe
Size

541KB
MD5

4921630dbdebbe5b48534878144b8746
SHA1

ec59357487505ff4138fdb5c9f781b8f371fae18
SHA256

9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5
SHA512

38ed8f1f65e1ceda7bac759ed2f6fe406c0e2d87487633741a92fc16647cb495fa3588e10efbee5040ad3e48fe0e374399630d581b9349fd4a40993684adc327
SSDEEP

3072:TtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnjQ1F4AE4//XVfn/:5uj8NDF3OR9/Qe2Hdklrnsl

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2740	Casino_ext.exe

Executes dropped EXE 4 IoCs

pid	Process
2864	casino_extensions.exe
2140	Casino_ext.exe
2648	casino_extensions.exe
2740	Casino_ext.exe

Loads dropped DLL 4 IoCs

pid	Process
1968	casino_extensions.exe
1968	casino_extensions.exe
2596	casino_extensions.exe
2596	casino_extensions.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2140	Casino_ext.exe
2740	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1736	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 1968	1736	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe	28
PID 1736 wrote to memory of 1968	1736	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe	28
PID 1736 wrote to memory of 1968	1736	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe	28
PID 1736 wrote to memory of 1968	1736	9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe	28
PID 1968 wrote to memory of 2864	1968	casino_extensions.exe	29
PID 1968 wrote to memory of 2864	1968	casino_extensions.exe	29
PID 1968 wrote to memory of 2864	1968	casino_extensions.exe	29
PID 1968 wrote to memory of 2864	1968	casino_extensions.exe	29
PID 2864 wrote to memory of 2140	2864	casino_extensions.exe	30
PID 2864 wrote to memory of 2140	2864	casino_extensions.exe	30
PID 2864 wrote to memory of 2140	2864	casino_extensions.exe	30
PID 2864 wrote to memory of 2140	2864	casino_extensions.exe	30
PID 2140 wrote to memory of 2596	2140	Casino_ext.exe	31
PID 2140 wrote to memory of 2596	2140	Casino_ext.exe	31
PID 2140 wrote to memory of 2596	2140	Casino_ext.exe	31
PID 2140 wrote to memory of 2596	2140	Casino_ext.exe	31
PID 2596 wrote to memory of 2648	2596	casino_extensions.exe	32
PID 2596 wrote to memory of 2648	2596	casino_extensions.exe	32
PID 2596 wrote to memory of 2648	2596	casino_extensions.exe	32
PID 2596 wrote to memory of 2648	2596	casino_extensions.exe	32
PID 2648 wrote to memory of 2740	2648	casino_extensions.exe	33
PID 2648 wrote to memory of 2740	2648	casino_extensions.exe	33
PID 2648 wrote to memory of 2740	2648	casino_extensions.exe	33
PID 2648 wrote to memory of 2740	2648	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe
"C:\Users\Admin\AppData\Local\Temp\9d2163099951fd1cb893bdb9dd3e293e51a7c9ebcdf5ecc9be9a6deb83c5f7a5.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Deletes itself
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\casino_extensions.exe

Filesize
556KB

MD5
cde38fe4a4f460685d1351832a9c089e

SHA1
56413b9540c69be96b88710bd37c1c889cb8a7db

SHA256
3b2d97d271c8e2e387753222eaa531128ffe1758663cca82bfd53afe9e3cbe56

SHA512
3d1d334a0fc16b0dceb2723ca5bd73b05ada75679b2b4650fb3c42d041181322e993d83acdfc2f624e98839f97901ec7e66f572f12c52510a7c6ae921a9bfc3a

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
550KB

MD5
1b4fc383180e9f61851644598f32fa06

SHA1
4288ab7ad96cf589d2118ff98f6080de1230723d

SHA256
b385857e55787ec295b4d7e5913cf2cbc59172413c2758b4b62c523f27b42b38

SHA512
6cb2d21c04fcd53a1602d22746ee48f9caf4dd39c29c9ce9e2b8da8510a50e1727958d6358961c683d76bbf04226d844376890af0746bb660bf6d20b5ebc3f4e

Download Submit
memory/1736-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2596-25-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2864-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing