5f068e11710d6b6c7dbdc910796a70a71b2ca40789e96e550c8e3d29b6b884ef

Analysis

max time kernel
135s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c30cce23d84af662846c14ed0a2bbd0_NEIKI.exe
Size

713KB
MD5

2c30cce23d84af662846c14ed0a2bbd0
SHA1

124f90b18128c595b3034a2aa5c88d2301bb0e6c
SHA256

5f068e11710d6b6c7dbdc910796a70a71b2ca40789e96e550c8e3d29b6b884ef
SHA512

0033b25d8851af1e290f52fe68b43deb1c69a76be1bcc1a2c80e19574fff15688d36478d3986c0e0c62d704d94d16c59e99346ad55612fda5192c942b65f0f4f
SSDEEP

6144:Buj8NDF3OR9/Qe2HdklrSqjzQtJnjqno2k29r:wOF3ORK3d9QzQtJnjqno2k29r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
1052	casino_extensions.exe
3624	Casino_ext.exe
4952	casino_extensions.exe
1264	Casino_ext.exe
1840	LiveMessageCenter.exe
2404	casino_extensions.exe
632	Casino_ext.exe
2108	casino_extensions.exe
2656	Casino_ext.exe
2236	LiveMessageCenter.exe
3284	casino_extensions.exe
4888	Casino_ext.exe
1624	casino_extensions.exe
2640	Casino_ext.exe
2668	casino_extensions.exe
3784	Casino_ext.exe
4968	LiveMessageCenter.exe
4296	casino_extensions.exe
2084	Casino_ext.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3624	Casino_ext.exe
3624	Casino_ext.exe
1264	Casino_ext.exe
1264	Casino_ext.exe
1840	LiveMessageCenter.exe
1840	LiveMessageCenter.exe
632	Casino_ext.exe
632	Casino_ext.exe
2656	Casino_ext.exe
2656	Casino_ext.exe
2236	LiveMessageCenter.exe
2236	LiveMessageCenter.exe
4888	Casino_ext.exe
4888	Casino_ext.exe
2640	Casino_ext.exe
2640	Casino_ext.exe
3784	Casino_ext.exe
3784	Casino_ext.exe
4968	LiveMessageCenter.exe
4968	LiveMessageCenter.exe
2084	Casino_ext.exe
2084	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4632	2c30cce23d84af662846c14ed0a2bbd0_NEIKI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 4932	4632	2c30cce23d84af662846c14ed0a2bbd0_NEIKI.exe	83
PID 4632 wrote to memory of 4932	4632	2c30cce23d84af662846c14ed0a2bbd0_NEIKI.exe	83
PID 4632 wrote to memory of 4932	4632	2c30cce23d84af662846c14ed0a2bbd0_NEIKI.exe	83
PID 4932 wrote to memory of 1052	4932	casino_extensions.exe	84
PID 4932 wrote to memory of 1052	4932	casino_extensions.exe	84
PID 4932 wrote to memory of 1052	4932	casino_extensions.exe	84
PID 1052 wrote to memory of 3624	1052	casino_extensions.exe	85
PID 1052 wrote to memory of 3624	1052	casino_extensions.exe	85
PID 1052 wrote to memory of 3624	1052	casino_extensions.exe	85
PID 3624 wrote to memory of 1456	3624	Casino_ext.exe	86
PID 3624 wrote to memory of 1456	3624	Casino_ext.exe	86
PID 3624 wrote to memory of 1456	3624	Casino_ext.exe	86
PID 1456 wrote to memory of 4952	1456	casino_extensions.exe	87
PID 1456 wrote to memory of 4952	1456	casino_extensions.exe	87
PID 1456 wrote to memory of 4952	1456	casino_extensions.exe	87
PID 4952 wrote to memory of 1264	4952	casino_extensions.exe	88
PID 4952 wrote to memory of 1264	4952	casino_extensions.exe	88
PID 4952 wrote to memory of 1264	4952	casino_extensions.exe	88
PID 1264 wrote to memory of 5080	1264	Casino_ext.exe	89
PID 1264 wrote to memory of 5080	1264	Casino_ext.exe	89
PID 1264 wrote to memory of 5080	1264	Casino_ext.exe	89
PID 5080 wrote to memory of 1840	5080	casino_extensions.exe	90
PID 5080 wrote to memory of 1840	5080	casino_extensions.exe	90
PID 5080 wrote to memory of 1840	5080	casino_extensions.exe	90
PID 1840 wrote to memory of 1896	1840	LiveMessageCenter.exe	91
PID 1840 wrote to memory of 1896	1840	LiveMessageCenter.exe	91
PID 1840 wrote to memory of 1896	1840	LiveMessageCenter.exe	91
PID 1896 wrote to memory of 2404	1896	casino_extensions.exe	92
PID 1896 wrote to memory of 2404	1896	casino_extensions.exe	92
PID 1896 wrote to memory of 2404	1896	casino_extensions.exe	92
PID 2404 wrote to memory of 632	2404	casino_extensions.exe	93
PID 2404 wrote to memory of 632	2404	casino_extensions.exe	93
PID 2404 wrote to memory of 632	2404	casino_extensions.exe	93
PID 632 wrote to memory of 4808	632	Casino_ext.exe	94
PID 632 wrote to memory of 4808	632	Casino_ext.exe	94
PID 632 wrote to memory of 4808	632	Casino_ext.exe	94
PID 4808 wrote to memory of 2108	4808	casino_extensions.exe	95
PID 4808 wrote to memory of 2108	4808	casino_extensions.exe	95
PID 4808 wrote to memory of 2108	4808	casino_extensions.exe	95
PID 2108 wrote to memory of 2656	2108	casino_extensions.exe	96
PID 2108 wrote to memory of 2656	2108	casino_extensions.exe	96
PID 2108 wrote to memory of 2656	2108	casino_extensions.exe	96
PID 2656 wrote to memory of 4476	2656	Casino_ext.exe	97
PID 2656 wrote to memory of 4476	2656	Casino_ext.exe	97
PID 2656 wrote to memory of 4476	2656	Casino_ext.exe	97
PID 4476 wrote to memory of 2236	4476	casino_extensions.exe	98
PID 4476 wrote to memory of 2236	4476	casino_extensions.exe	98
PID 4476 wrote to memory of 2236	4476	casino_extensions.exe	98
PID 2236 wrote to memory of 3444	2236	LiveMessageCenter.exe	99
PID 2236 wrote to memory of 3444	2236	LiveMessageCenter.exe	99
PID 2236 wrote to memory of 3444	2236	LiveMessageCenter.exe	99
PID 3444 wrote to memory of 3284	3444	casino_extensions.exe	100
PID 3444 wrote to memory of 3284	3444	casino_extensions.exe	100
PID 3444 wrote to memory of 3284	3444	casino_extensions.exe	100
PID 3284 wrote to memory of 4888	3284	casino_extensions.exe	101
PID 3284 wrote to memory of 4888	3284	casino_extensions.exe	101
PID 3284 wrote to memory of 4888	3284	casino_extensions.exe	101
PID 4888 wrote to memory of 4924	4888	Casino_ext.exe	102
PID 4888 wrote to memory of 4924	4888	Casino_ext.exe	102
PID 4888 wrote to memory of 4924	4888	Casino_ext.exe	102
PID 4924 wrote to memory of 1624	4924	casino_extensions.exe	103
PID 4924 wrote to memory of 1624	4924	casino_extensions.exe	103
PID 4924 wrote to memory of 1624	4924	casino_extensions.exe	103
PID 1624 wrote to memory of 2640	1624	casino_extensions.exe	104

C:\Users\Admin\AppData\Local\Temp\2c30cce23d84af662846c14ed0a2bbd0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\2c30cce23d84af662846c14ed0a2bbd0_NEIKI.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3624
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4808
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        18⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3284
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        21⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        24⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2668
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3784
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        27⤵
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        28⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        29⤵
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        30⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4296
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        31⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        32⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        33⤵
        
        PID:5076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
719KB

MD5
4f0533abcfcd76b59f3ddec3882568ef

SHA1
a7c9afd44b37420ee4c3f28f5bee7fff1a71419c

SHA256
c0b6f320abf08e9c70af07977e37aeab0d1af90cd5c4bb05117d0c418d5a2a86

SHA512
5175f609d171b8ac3dc637ffec7cc291409ea2b7ffa8efc9737f424facbca67928ec07cad5a94e52af35f917fa2654fcc85bb4be60a3d947129674843fc6794d

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
718KB

MD5
3c1e64fb3cf71582dcf3d72f8fb20adf

SHA1
349d4bde239f57543e542708957f4a48d43ff02f

SHA256
b296756192d72545ad7a4ff693965b7f7134964a0b220b4ec40ebeeaa4e8ee64

SHA512
9cf7dbb1f9cd48dbfe16e224b706469901c7c98ee67e2168032b2d087d40d034ecded7314249b5cb6307ba47acac1c2224d33501076d608e7cadb2d54b2f73a9

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
720KB

MD5
fa155aec5c84c91ad248018c343aab12

SHA1
ac77a6e743a05b27a602f766ed002d5ce139da83

SHA256
b21ab911f25088d81919764e3636793dc45dc2460f6ba0f2e75135258ac68f4b

SHA512
abb1f93ad780711212eeb57242c5a877dd2679867e1361d7d2bf5a5e35742e9a48569ca68286a1258d5436dfbd88ca9df40ba049ee86bfb1791c82b860b2f6b3

Download Submit
memory/1052-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4632-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download