79b6bb92199e54348d428a61e14b10b3ccf39a60be6b58d5383e906733487f7a

General

Target

217380093ee348e009ecd452abe1f9e0N.exe
Size

689KB
MD5

217380093ee348e009ecd452abe1f9e0
SHA1

1154dc4eb6c9df07946b0e8a5c5c0b5e0d9939f8
SHA256

79b6bb92199e54348d428a61e14b10b3ccf39a60be6b58d5383e906733487f7a
SHA512

b811d8f0216f1e95ef6a813f2fe2b9bb237479fe94cc2135130f05cc031169b8e7c350da507179e8a0314986237ff223365aba487fd5626e4435b6d12e44dd71
SSDEEP

3072:dtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMykw+imi5nzUsKBr3zhas:3uj8NDF3OR9/Qe2HdJ8pSAsK5DEs

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2556	Casino_ext.exe

Executes dropped EXE 4 IoCs

pid	Process
2732	casino_extensions.exe
2676	Casino_ext.exe
2528	casino_extensions.exe
2556	Casino_ext.exe

Loads dropped DLL 4 IoCs

pid	Process
2648	casino_extensions.exe
2648	casino_extensions.exe
2644	casino_extensions.exe
2644	casino_extensions.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Casino_ext.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	217380093ee348e009ecd452abe1f9e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	Casino_ext.exe
2556	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2340	217380093ee348e009ecd452abe1f9e0N.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2648	2340	217380093ee348e009ecd452abe1f9e0N.exe	30
PID 2340 wrote to memory of 2648	2340	217380093ee348e009ecd452abe1f9e0N.exe	30
PID 2340 wrote to memory of 2648	2340	217380093ee348e009ecd452abe1f9e0N.exe	30
PID 2340 wrote to memory of 2648	2340	217380093ee348e009ecd452abe1f9e0N.exe	30
PID 2648 wrote to memory of 2732	2648	casino_extensions.exe	31
PID 2648 wrote to memory of 2732	2648	casino_extensions.exe	31
PID 2648 wrote to memory of 2732	2648	casino_extensions.exe	31
PID 2648 wrote to memory of 2732	2648	casino_extensions.exe	31
PID 2732 wrote to memory of 2676	2732	casino_extensions.exe	32
PID 2732 wrote to memory of 2676	2732	casino_extensions.exe	32
PID 2732 wrote to memory of 2676	2732	casino_extensions.exe	32
PID 2732 wrote to memory of 2676	2732	casino_extensions.exe	32
PID 2676 wrote to memory of 2644	2676	Casino_ext.exe	33
PID 2676 wrote to memory of 2644	2676	Casino_ext.exe	33
PID 2676 wrote to memory of 2644	2676	Casino_ext.exe	33
PID 2676 wrote to memory of 2644	2676	Casino_ext.exe	33
PID 2644 wrote to memory of 2528	2644	casino_extensions.exe	34
PID 2644 wrote to memory of 2528	2644	casino_extensions.exe	34
PID 2644 wrote to memory of 2528	2644	casino_extensions.exe	34
PID 2644 wrote to memory of 2528	2644	casino_extensions.exe	34
PID 2528 wrote to memory of 2556	2528	casino_extensions.exe	35
PID 2528 wrote to memory of 2556	2528	casino_extensions.exe	35
PID 2528 wrote to memory of 2556	2528	casino_extensions.exe	35
PID 2528 wrote to memory of 2556	2528	casino_extensions.exe	35

C:\Users\Admin\AppData\Local\Temp\217380093ee348e009ecd452abe1f9e0N.exe
"C:\Users\Admin\AppData\Local\Temp\217380093ee348e009ecd452abe1f9e0N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Deletes itself
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Casino_ext.exe

Filesize
696KB

MD5
fd5396cfbed064b8bd990d9a74fff6ee

SHA1
18217ad3b3d4275a75e0d0ad56c53a8f141a5108

SHA256
1b5107d0945588873a287bce2d16212009b766f35474351ff0ea93526c96cb03

SHA512
395c9bd789d54545fdbed6643c5043d6bbe50288b590214af3d733e6642b2b2afa9fde470703c2888f747f4de332d01b086f0c16b03003a343a9459e10abfb98

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
691KB

MD5
113d38c018d6dd8db1343f653f955af7

SHA1
2163910c760d9dd1e87a1fcc8e1477a407a8aa31

SHA256
535e24cf7f09ce13068cd1231179a72b7d2da515261241bb823aedda9dc8f005

SHA512
6ad191e3fcea343c906f4aed7dea7d153ef76253b1e46c2df4acbd4c2750836841132a374ddd5b75d19d04337a71adf5b31b866550a67ec29716875beaa64da1

Download Submit
memory/2340-13-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2732-12-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing