8992cf2085f2efdd05624348688e5c642f1c4b190ea9c13e6b3b0c365f64a295

General

Target

1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe
Size

486KB
MD5

1457b8f9e49f44cf97097bd1e9d73bd0
SHA1

97aa30049db5dc06422911f95cb7708eb7262208
SHA256

8992cf2085f2efdd05624348688e5c642f1c4b190ea9c13e6b3b0c365f64a295
SHA512

8da976b3ece8fc34218492584b9759c35630c8979f23609848558d58c037408349851c9147b3bd5ad1f58a075eec96a84544caa74fb8d1560e61867a10d28a49
SSDEEP

3072:FtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdwnN0gUydt28:Puj8NDF3OR9/Qe2HdklrSqZghdtV

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1700	casino_extensions.exe
3020	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2188	casino_extensions.exe
2188	casino_extensions.exe
1728	casino_extensions.exe
1728	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3020	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2200	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2188	2200	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2188	2200	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2188	2200	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2188	2200	1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe	28
PID 2188 wrote to memory of 1700	2188	casino_extensions.exe	29
PID 2188 wrote to memory of 1700	2188	casino_extensions.exe	29
PID 2188 wrote to memory of 1700	2188	casino_extensions.exe	29
PID 2188 wrote to memory of 1700	2188	casino_extensions.exe	29
PID 1700 wrote to memory of 1728	1700	casino_extensions.exe	30
PID 1700 wrote to memory of 1728	1700	casino_extensions.exe	30
PID 1700 wrote to memory of 1728	1700	casino_extensions.exe	30
PID 1700 wrote to memory of 1728	1700	casino_extensions.exe	30
PID 1728 wrote to memory of 3020	1728	casino_extensions.exe	31
PID 1728 wrote to memory of 3020	1728	casino_extensions.exe	31
PID 1728 wrote to memory of 3020	1728	casino_extensions.exe	31
PID 1728 wrote to memory of 3020	1728	casino_extensions.exe	31
PID 3020 wrote to memory of 2536	3020	LiveMessageCenter.exe	32
PID 3020 wrote to memory of 2536	3020	LiveMessageCenter.exe	32
PID 3020 wrote to memory of 2536	3020	LiveMessageCenter.exe	32
PID 3020 wrote to memory of 2536	3020	LiveMessageCenter.exe	32
PID 2536 wrote to memory of 2640	2536	casino_extensions.exe	33
PID 2536 wrote to memory of 2640	2536	casino_extensions.exe	33
PID 2536 wrote to memory of 2640	2536	casino_extensions.exe	33
PID 2536 wrote to memory of 2640	2536	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1457b8f9e49f44cf97097bd1e9d73bd0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
502KB

MD5
91fe53647db7f347c41b12d80d2df889

SHA1
35d4064d384898a53f53965791293d2725e3762b

SHA256
360cbc930057aec951a9262e1a8445d0ffc75f77ffd1fe59149207240c84a49c

SHA512
fd6b2b9b4bd6396a253295b2f048faae02aadb4905149afffb6317b013ff7743a12354ad162138ca2a1304aa89afd8f61f0c4183e4ef21cff84283931d03d080

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
496KB

MD5
9835953b29be7832d3aefa2a77ae1e82

SHA1
5fea220e07defa2e9c556ca7d991529e100bb848

SHA256
34e6fa67061e3a2990881c38be3dd871f8ee22a83897935ecf375694df73d455

SHA512
6fdc8b2440b752a07310524d180cdf2044023de06c3a5f610559722a7d3a4b8f1b606b54affa35903e0aa5a2d8cfa1c1d619ade7bb871c4a8afab0cf0a63c061

Download Submit
memory/2200-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing