5543d593c77de530e29fe0ec48a0ac4a4f797186165928b8ac50fb971f66d878

Analysis

max time kernel
15s
max time network
21s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c44ecfa7bf8a1be3eb806dc600db3c50N.exe
Size

709KB
MD5

c44ecfa7bf8a1be3eb806dc600db3c50
SHA1

a0985c9831880de3b97cb972b2eca1844973412c
SHA256

5543d593c77de530e29fe0ec48a0ac4a4f797186165928b8ac50fb971f66d878
SHA512

a68f01887540c771ff87c2605223c8fcf59668d3ee590f21715c5a90a060432f6bd3a38021a5e05b6190a3098ad8515ecd3ac123f5730d949d9068e1d98003aa
SSDEEP

3072:rntwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMykw+imi5weJn4T+B8bw:rNuj8NDF3OR9/Qe2HdJ8pSLF

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2928	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2952	casino_extensions.exe
2780	LiveMessageCenter.exe
2640	casino_extensions.exe

Loads dropped DLL 6 IoCs

pid	Process
2716	casino_extensions.exe
2716	casino_extensions.exe
480	casino_extensions.exe
480	casino_extensions.exe
2868	casino_extensions.exe
2868	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveMessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c44ecfa7bf8a1be3eb806dc600db3c50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2780	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2304	c44ecfa7bf8a1be3eb806dc600db3c50N.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2716	2304	c44ecfa7bf8a1be3eb806dc600db3c50N.exe	29
PID 2304 wrote to memory of 2716	2304	c44ecfa7bf8a1be3eb806dc600db3c50N.exe	29
PID 2304 wrote to memory of 2716	2304	c44ecfa7bf8a1be3eb806dc600db3c50N.exe	29
PID 2304 wrote to memory of 2716	2304	c44ecfa7bf8a1be3eb806dc600db3c50N.exe	29
PID 2716 wrote to memory of 2952	2716	casino_extensions.exe	30
PID 2716 wrote to memory of 2952	2716	casino_extensions.exe	30
PID 2716 wrote to memory of 2952	2716	casino_extensions.exe	30
PID 2716 wrote to memory of 2952	2716	casino_extensions.exe	30
PID 2952 wrote to memory of 480	2952	casino_extensions.exe	31
PID 2952 wrote to memory of 480	2952	casino_extensions.exe	31
PID 2952 wrote to memory of 480	2952	casino_extensions.exe	31
PID 2952 wrote to memory of 480	2952	casino_extensions.exe	31
PID 480 wrote to memory of 2780	480	casino_extensions.exe	32
PID 480 wrote to memory of 2780	480	casino_extensions.exe	32
PID 480 wrote to memory of 2780	480	casino_extensions.exe	32
PID 480 wrote to memory of 2780	480	casino_extensions.exe	32
PID 2780 wrote to memory of 2868	2780	LiveMessageCenter.exe	33
PID 2780 wrote to memory of 2868	2780	LiveMessageCenter.exe	33
PID 2780 wrote to memory of 2868	2780	LiveMessageCenter.exe	33
PID 2780 wrote to memory of 2868	2780	LiveMessageCenter.exe	33
PID 2868 wrote to memory of 2640	2868	casino_extensions.exe	34
PID 2868 wrote to memory of 2640	2868	casino_extensions.exe	34
PID 2868 wrote to memory of 2640	2868	casino_extensions.exe	34
PID 2868 wrote to memory of 2640	2868	casino_extensions.exe	34
PID 2640 wrote to memory of 3040	2640	casino_extensions.exe	35
PID 2640 wrote to memory of 3040	2640	casino_extensions.exe	35
PID 2640 wrote to memory of 3040	2640	casino_extensions.exe	35
PID 2640 wrote to memory of 3040	2640	casino_extensions.exe	35
PID 3040 wrote to memory of 2928	3040	casino_extensions.exe	36
PID 3040 wrote to memory of 2928	3040	casino_extensions.exe	36
PID 3040 wrote to memory of 2928	3040	casino_extensions.exe	36
PID 3040 wrote to memory of 2928	3040	casino_extensions.exe	36
PID 2868 wrote to memory of 2796	2868	casino_extensions.exe	37
PID 2868 wrote to memory of 2796	2868	casino_extensions.exe	37
PID 2868 wrote to memory of 2796	2868	casino_extensions.exe	37
PID 2868 wrote to memory of 2796	2868	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\c44ecfa7bf8a1be3eb806dc600db3c50N.exe
"C:\Users\Admin\AppData\Local\Temp\c44ecfa7bf8a1be3eb806dc600db3c50N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:480
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        9⤵
        Deletes itself
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
715KB

MD5
4c32dc8f8e066185bf4c6619260ef142

SHA1
5fddefc902976785fb0433eccf9d7930fbcfe5ed

SHA256
18b7ef2d12c0f54eae170f17c464c10b55bbb0646c2691532213ae910b800749

SHA512
b6a53565cd7340e7d83b86976fc9a2757839ba8285488b231021b81b649fb3923c3716ac5960129466c798db1fd6d8db0adaca7e0ddfc8ecff596f3f207c5f36

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
724KB

MD5
8e0ae2cca659f59f1ab7ff191767aed8

SHA1
3cc51c1d08b70d4e127a62d8bbb8df55ebeb0e5d

SHA256
1ebb2a1332916c1dd2e7bac023ed606d29cf503a2011a8fb4966ee1a1ae4ceae

SHA512
1f8a15afc2af1e7b84675a33d9353145c4ed25698da355fc72d1bba2925563eb90450e02a59bb7f129c7414983703cb8bf7c0dcbe1d714ee4374e23ac4466fdb

Download Submit
memory/2304-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download