0ba9b992bc86ea38a40804f97dd3f6ced7f9de3240c62d4c181696a843931f9d

General

Target

67cf9ac20df0c9d15e3539b060bd7d50_NeikiAnalytics.exe
Size

393KB
MD5

67cf9ac20df0c9d15e3539b060bd7d50
SHA1

2db5ec49719dcf7361e61bfdc6dd70c326401d43
SHA256

0ba9b992bc86ea38a40804f97dd3f6ced7f9de3240c62d4c181696a843931f9d
SHA512

7f2ae67a7eb43feb8f7f55ef0dadd2fb48e76458ac2913f5eca36d52c7aab6a1dca232aea4c4538c50d6c7086a214cc9df0ebe3e803f22a02f5ae329cd76b99a
SSDEEP

3072:/twizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj7t92Xz5:Vuj8NDF3OR9/Qe2Hdklrnt9mz5

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2756	casino_extensions.exe
3028	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2388	casino_extensions.exe
2388	casino_extensions.exe
2704	casino_extensions.exe
2704	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3028	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1808	67cf9ac20df0c9d15e3539b060bd7d50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2388	1808	67cf9ac20df0c9d15e3539b060bd7d50_NeikiAnalytics.exe	28
PID 1808 wrote to memory of 2388	1808	67cf9ac20df0c9d15e3539b060bd7d50_NeikiAnalytics.exe	28
PID 1808 wrote to memory of 2388	1808	67cf9ac20df0c9d15e3539b060bd7d50_NeikiAnalytics.exe	28
PID 1808 wrote to memory of 2388	1808	67cf9ac20df0c9d15e3539b060bd7d50_NeikiAnalytics.exe	28
PID 2388 wrote to memory of 2756	2388	casino_extensions.exe	29
PID 2388 wrote to memory of 2756	2388	casino_extensions.exe	29
PID 2388 wrote to memory of 2756	2388	casino_extensions.exe	29
PID 2388 wrote to memory of 2756	2388	casino_extensions.exe	29
PID 2756 wrote to memory of 2704	2756	casino_extensions.exe	30
PID 2756 wrote to memory of 2704	2756	casino_extensions.exe	30
PID 2756 wrote to memory of 2704	2756	casino_extensions.exe	30
PID 2756 wrote to memory of 2704	2756	casino_extensions.exe	30
PID 2704 wrote to memory of 3028	2704	casino_extensions.exe	31
PID 2704 wrote to memory of 3028	2704	casino_extensions.exe	31
PID 2704 wrote to memory of 3028	2704	casino_extensions.exe	31
PID 2704 wrote to memory of 3028	2704	casino_extensions.exe	31
PID 3028 wrote to memory of 2632	3028	LiveMessageCenter.exe	32
PID 3028 wrote to memory of 2632	3028	LiveMessageCenter.exe	32
PID 3028 wrote to memory of 2632	3028	LiveMessageCenter.exe	32
PID 3028 wrote to memory of 2632	3028	LiveMessageCenter.exe	32
PID 2632 wrote to memory of 2588	2632	casino_extensions.exe	33
PID 2632 wrote to memory of 2588	2632	casino_extensions.exe	33
PID 2632 wrote to memory of 2588	2632	casino_extensions.exe	33
PID 2632 wrote to memory of 2588	2632	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\67cf9ac20df0c9d15e3539b060bd7d50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\67cf9ac20df0c9d15e3539b060bd7d50_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
399KB

MD5
1f7bf545a8ea7cfa813c440cca22ff1c

SHA1
a07265afb4f3753c65c153bd8690aa057c75a597

SHA256
4245dc34062a4e933d64acbe0a812f3722eb17829d1e04af8f6f81902d1054e6

SHA512
4c60d5097071ddda2922f6afc4cb0c8fac3eb78737fcbc035f86692465798337995b0d23bd6bdb63416c1923671a27d25df6abf84fbdd051dd503f5795510b4d

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
407KB

MD5
0c6ddb1d5870759e2394b2d075c36322

SHA1
1dc51332000c4f04ac8cab91764654b0ad047ca2

SHA256
8657039c92fb133c9292d861fb7eed0eb784fbd8226256193267989976c216fa

SHA512
03435da38363d4c9e91b61f7cf1af9617b242850c8a3c448eca95f3b02100e5f600b9671165dda85badbc6d8db1504075cae5f3870785033b2b86c32d2cfcc54

Download Submit
memory/1808-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing