5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fb

General

Target

5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe
Size

867KB
MD5

f6f9dbc8feaa56abb34b474b7a346230
SHA1

d0415c2fa8d197244a058ed9ff6a3b00c5720c6b
SHA256

5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fb
SHA512

e4295031146602ae852af865edc0e0cbd9b71e8796499ab1c3899b8c25f26dc39f8c9ff860ac27beef92bec58e9734aca3912faeb318f52c4bac05d297be1af6
SSDEEP

3072:otwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwM/DTlS8oc3mLhH/rrWMu7:4uj8NDF3OR9/Qe2HdJ8/fQno

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2108	casino_extensions.exe
2528	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2552	casino_extensions.exe
2552	casino_extensions.exe
3056	casino_extensions.exe
3056	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LiveMessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	casino_extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2528	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1288	5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2552	1288	5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe	30
PID 1288 wrote to memory of 2552	1288	5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe	30
PID 1288 wrote to memory of 2552	1288	5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe	30
PID 1288 wrote to memory of 2552	1288	5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe	30
PID 2552 wrote to memory of 2108	2552	casino_extensions.exe	31
PID 2552 wrote to memory of 2108	2552	casino_extensions.exe	31
PID 2552 wrote to memory of 2108	2552	casino_extensions.exe	31
PID 2552 wrote to memory of 2108	2552	casino_extensions.exe	31
PID 2108 wrote to memory of 3056	2108	casino_extensions.exe	32
PID 2108 wrote to memory of 3056	2108	casino_extensions.exe	32
PID 2108 wrote to memory of 3056	2108	casino_extensions.exe	32
PID 2108 wrote to memory of 3056	2108	casino_extensions.exe	32
PID 3056 wrote to memory of 2528	3056	casino_extensions.exe	33
PID 3056 wrote to memory of 2528	3056	casino_extensions.exe	33
PID 3056 wrote to memory of 2528	3056	casino_extensions.exe	33
PID 3056 wrote to memory of 2528	3056	casino_extensions.exe	33
PID 2528 wrote to memory of 1036	2528	LiveMessageCenter.exe	34
PID 2528 wrote to memory of 1036	2528	LiveMessageCenter.exe	34
PID 2528 wrote to memory of 1036	2528	LiveMessageCenter.exe	34
PID 2528 wrote to memory of 1036	2528	LiveMessageCenter.exe	34
PID 1036 wrote to memory of 2272	1036	casino_extensions.exe	35
PID 1036 wrote to memory of 2272	1036	casino_extensions.exe	35
PID 1036 wrote to memory of 2272	1036	casino_extensions.exe	35
PID 1036 wrote to memory of 2272	1036	casino_extensions.exe	35

C:\Users\Admin\AppData\Local\Temp\5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe
"C:\Users\Admin\AppData\Local\Temp\5d8098428cb997220a269f7b398e33a2ca51f3ac765094d19c0a34bc733884fbN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        System Location Discovery: System Language Discovery
        
        PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
872KB

MD5
14274881039452a6b145751734c56db8

SHA1
cddf852e75ac41f2ecd061279bbc7c4dba2a7ff8

SHA256
6704871b010b44ff923b5f5485f27c5022f3e72fbab7c56b3907d99c4eb6dea3

SHA512
da98cdbc3cb6ff279a4c2652d1d0a01e44e66164a1c0793ce6ce3f2aa491308658c033201e8b63b191338fac5f6914b5e476249eb59ed39a402cf46eb3875478

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
880KB

MD5
19af99e5f2014ad18b9c6bb9a24d7fd0

SHA1
9f9633bebe2efe03af0ef927436de6d6a8cd9096

SHA256
e30fec79654b7f1df3a3c5aac7b68aaeac9751b1df72220df2f5fdf3f1fc0b3e

SHA512
a8f3680382cdd8ca4dd5b424f4d67961cb72748b95909219efd79f115b7c097eead8dbd1c959d6bc94bbce594e0e78a582599a5350257dff2ba85018d8f053a9

Download Submit
memory/1288-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing