a09d9b9cd61d203f5b6283781180c030fe453deb482860e8188603fe36d15223

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fa854cea9e5d21e2d8bbb3a492395d0_NeikiAnalytics.exe
Size

381KB
MD5

7fa854cea9e5d21e2d8bbb3a492395d0
SHA1

2b23b63746320fdab5739a75b9e4370ea925d2e9
SHA256

a09d9b9cd61d203f5b6283781180c030fe453deb482860e8188603fe36d15223
SHA512

d9b110b09dd0b772c98cfe355efcb91734e0945f3b472c7b95b46c6346f7c5442978362363a47f8adec4ab45066b7317d80e8a6b23b51983805c785e98f7f4e2
SSDEEP

3072:QtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwKbk0i0kfS:wuj8NDF3OR9/Qe2HdJfwKbk0i0B

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
4468	casino_extensions.exe
1544	Casino_ext.exe
5084	casino_extensions.exe
3028	Casino_ext.exe
4624	LiveMessageCenter.exe
2216	casino_extensions.exe
4972	Casino_ext.exe
2204	casino_extensions.exe
2932	Casino_ext.exe
2728	LiveMessageCenter.exe
3532	casino_extensions.exe
2208	Casino_ext.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1544	Casino_ext.exe
1544	Casino_ext.exe
3028	Casino_ext.exe
3028	Casino_ext.exe
4624	LiveMessageCenter.exe
4624	LiveMessageCenter.exe
4972	Casino_ext.exe
4972	Casino_ext.exe
2932	Casino_ext.exe
2932	Casino_ext.exe
2728	LiveMessageCenter.exe
2728	LiveMessageCenter.exe
2208	Casino_ext.exe
2208	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4544	7fa854cea9e5d21e2d8bbb3a492395d0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4564	4544	7fa854cea9e5d21e2d8bbb3a492395d0_NeikiAnalytics.exe	81
PID 4544 wrote to memory of 4564	4544	7fa854cea9e5d21e2d8bbb3a492395d0_NeikiAnalytics.exe	81
PID 4544 wrote to memory of 4564	4544	7fa854cea9e5d21e2d8bbb3a492395d0_NeikiAnalytics.exe	81
PID 4564 wrote to memory of 4468	4564	casino_extensions.exe	82
PID 4564 wrote to memory of 4468	4564	casino_extensions.exe	82
PID 4564 wrote to memory of 4468	4564	casino_extensions.exe	82
PID 4468 wrote to memory of 1544	4468	casino_extensions.exe	84
PID 4468 wrote to memory of 1544	4468	casino_extensions.exe	84
PID 4468 wrote to memory of 1544	4468	casino_extensions.exe	84
PID 1544 wrote to memory of 3316	1544	Casino_ext.exe	85
PID 1544 wrote to memory of 3316	1544	Casino_ext.exe	85
PID 1544 wrote to memory of 3316	1544	Casino_ext.exe	85
PID 3316 wrote to memory of 5084	3316	casino_extensions.exe	86
PID 3316 wrote to memory of 5084	3316	casino_extensions.exe	86
PID 3316 wrote to memory of 5084	3316	casino_extensions.exe	86
PID 5084 wrote to memory of 3028	5084	casino_extensions.exe	87
PID 5084 wrote to memory of 3028	5084	casino_extensions.exe	87
PID 5084 wrote to memory of 3028	5084	casino_extensions.exe	87
PID 3028 wrote to memory of 4240	3028	Casino_ext.exe	88
PID 3028 wrote to memory of 4240	3028	Casino_ext.exe	88
PID 3028 wrote to memory of 4240	3028	Casino_ext.exe	88
PID 4240 wrote to memory of 4624	4240	casino_extensions.exe	89
PID 4240 wrote to memory of 4624	4240	casino_extensions.exe	89
PID 4240 wrote to memory of 4624	4240	casino_extensions.exe	89
PID 4624 wrote to memory of 428	4624	LiveMessageCenter.exe	90
PID 4624 wrote to memory of 428	4624	LiveMessageCenter.exe	90
PID 4624 wrote to memory of 428	4624	LiveMessageCenter.exe	90
PID 428 wrote to memory of 2216	428	casino_extensions.exe	91
PID 428 wrote to memory of 2216	428	casino_extensions.exe	91
PID 428 wrote to memory of 2216	428	casino_extensions.exe	91
PID 2216 wrote to memory of 4972	2216	casino_extensions.exe	93
PID 2216 wrote to memory of 4972	2216	casino_extensions.exe	93
PID 2216 wrote to memory of 4972	2216	casino_extensions.exe	93
PID 4972 wrote to memory of 1536	4972	Casino_ext.exe	94
PID 4972 wrote to memory of 1536	4972	Casino_ext.exe	94
PID 4972 wrote to memory of 1536	4972	Casino_ext.exe	94
PID 1536 wrote to memory of 2204	1536	casino_extensions.exe	95
PID 1536 wrote to memory of 2204	1536	casino_extensions.exe	95
PID 1536 wrote to memory of 2204	1536	casino_extensions.exe	95
PID 2204 wrote to memory of 2932	2204	casino_extensions.exe	96
PID 2204 wrote to memory of 2932	2204	casino_extensions.exe	96
PID 2204 wrote to memory of 2932	2204	casino_extensions.exe	96
PID 2932 wrote to memory of 1140	2932	Casino_ext.exe	97
PID 2932 wrote to memory of 1140	2932	Casino_ext.exe	97
PID 2932 wrote to memory of 1140	2932	Casino_ext.exe	97
PID 1140 wrote to memory of 2728	1140	casino_extensions.exe	98
PID 1140 wrote to memory of 2728	1140	casino_extensions.exe	98
PID 1140 wrote to memory of 2728	1140	casino_extensions.exe	98
PID 2728 wrote to memory of 3020	2728	LiveMessageCenter.exe	100
PID 2728 wrote to memory of 3020	2728	LiveMessageCenter.exe	100
PID 2728 wrote to memory of 3020	2728	LiveMessageCenter.exe	100
PID 3020 wrote to memory of 3532	3020	casino_extensions.exe	101
PID 3020 wrote to memory of 3532	3020	casino_extensions.exe	101
PID 3020 wrote to memory of 3532	3020	casino_extensions.exe	101
PID 3532 wrote to memory of 2208	3532	casino_extensions.exe	102
PID 3532 wrote to memory of 2208	3532	casino_extensions.exe	102
PID 3532 wrote to memory of 2208	3532	casino_extensions.exe	102
PID 2208 wrote to memory of 1676	2208	Casino_ext.exe	103
PID 2208 wrote to memory of 1676	2208	Casino_ext.exe	103
PID 2208 wrote to memory of 1676	2208	Casino_ext.exe	103
PID 1676 wrote to memory of 4844	1676	casino_extensions.exe	104
PID 1676 wrote to memory of 4844	1676	casino_extensions.exe	104
PID 1676 wrote to memory of 4844	1676	casino_extensions.exe	104

C:\Users\Admin\AppData\Local\Temp\7fa854cea9e5d21e2d8bbb3a492395d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7fa854cea9e5d21e2d8bbb3a492395d0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3316
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        18⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        21⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        22⤵
        
        PID:4844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
394KB

MD5
26116f3c537f05c61a17fac6d1cf2879

SHA1
a3963c3e1db7d8c46202f915e4503472b65cef11

SHA256
d0f8d24c7a4a00fc01d0a429b2053e4d79459204adc83c61578fa4b22e28b60c

SHA512
4c55f7442e67c807204482391100ab6d3e46a6dfcd985cb6ccad85eaf938d6a0e0c745bcc7eb81156498b80eee6565e1c23fe664e5501940aa982ea8ef7c7a79

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
397KB

MD5
07a8c0bb0b836660d2c57bd6260588ea

SHA1
1f4172c6a6a3ace4bc23c28b0e8ae78caed48525

SHA256
eaf55eb135da01f76e1949fbf949cc693b5179daeaebeeae6816db2fbc77fce3

SHA512
8d3ad41215d9e5df93f0e4477847c19e366c7d8d558e6202ffa26820e7a4f7f3465ba0445fb8909e3a6fde9ba9a8b3b84fdd3539a67e5a1e8fe9c60e68e230e5

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
394KB

MD5
e7d62ec0d09d56e46c9eed1e21c53db0

SHA1
85e4e8b34f99a317bd818a5e2b3b13b1cdb176af

SHA256
6fc4e09369f15407746528328c9696940f0e1a5f803ae05b320bd2501197f961

SHA512
985fe5a68000fffd1319229de5064fa59ff91bfd270120fa103824967768844286097c12fc9d475345bb29206ffc7ad1aacbdf2bc16790fffc9ae4b7eea135d5

Download Submit
memory/4468-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4544-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download