59160a15a244f8e68cad41ce919b4baafa1a1addc22831f0dd344412ed7c47fb

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe
Size

433KB
MD5

287ab233b9b331ddfdab0c1ab7be91a0
SHA1

3d42f4b0d7ca99673910e9cdd53b7fd124a2c0e4
SHA256

59160a15a244f8e68cad41ce919b4baafa1a1addc22831f0dd344412ed7c47fb
SHA512

ebebae0d6272ac61afbeec30527f8a5f6bfc5d84bfce02ec1a3dfec4ff03133ea1fb3e46e850ed04d3d1c48137cf746f168b6e56c11b019d10a90eb7b3e962bd
SSDEEP

3072:dtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK42i1ZKEJ6RCiVRz/ql:3uj8NDF3OR9/Qe2HdJfwK4Ddj+zk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2744	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2896	casino_extensions.exe
2772	Casino_ext.exe
2580	casino_extensions.exe
2692	Casino_ext.exe
2596	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
2840	casino_extensions.exe
2840	casino_extensions.exe
2152	casino_extensions.exe
2152	casino_extensions.exe
2792	casino_extensions.exe
2792	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2772	Casino_ext.exe
2692	Casino_ext.exe
2596	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1128	287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2840	1128	287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe	28
PID 1128 wrote to memory of 2840	1128	287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe	28
PID 1128 wrote to memory of 2840	1128	287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe	28
PID 1128 wrote to memory of 2840	1128	287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe	28
PID 2840 wrote to memory of 2896	2840	casino_extensions.exe	29
PID 2840 wrote to memory of 2896	2840	casino_extensions.exe	29
PID 2840 wrote to memory of 2896	2840	casino_extensions.exe	29
PID 2840 wrote to memory of 2896	2840	casino_extensions.exe	29
PID 2896 wrote to memory of 2772	2896	casino_extensions.exe	30
PID 2896 wrote to memory of 2772	2896	casino_extensions.exe	30
PID 2896 wrote to memory of 2772	2896	casino_extensions.exe	30
PID 2896 wrote to memory of 2772	2896	casino_extensions.exe	30
PID 2772 wrote to memory of 2152	2772	Casino_ext.exe	31
PID 2772 wrote to memory of 2152	2772	Casino_ext.exe	31
PID 2772 wrote to memory of 2152	2772	Casino_ext.exe	31
PID 2772 wrote to memory of 2152	2772	Casino_ext.exe	31
PID 2152 wrote to memory of 2580	2152	casino_extensions.exe	32
PID 2152 wrote to memory of 2580	2152	casino_extensions.exe	32
PID 2152 wrote to memory of 2580	2152	casino_extensions.exe	32
PID 2152 wrote to memory of 2580	2152	casino_extensions.exe	32
PID 2580 wrote to memory of 2692	2580	casino_extensions.exe	33
PID 2580 wrote to memory of 2692	2580	casino_extensions.exe	33
PID 2580 wrote to memory of 2692	2580	casino_extensions.exe	33
PID 2580 wrote to memory of 2692	2580	casino_extensions.exe	33
PID 2692 wrote to memory of 2792	2692	Casino_ext.exe	34
PID 2692 wrote to memory of 2792	2692	Casino_ext.exe	34
PID 2692 wrote to memory of 2792	2692	Casino_ext.exe	34
PID 2692 wrote to memory of 2792	2692	Casino_ext.exe	34
PID 2792 wrote to memory of 2596	2792	casino_extensions.exe	35
PID 2792 wrote to memory of 2596	2792	casino_extensions.exe	35
PID 2792 wrote to memory of 2596	2792	casino_extensions.exe	35
PID 2792 wrote to memory of 2596	2792	casino_extensions.exe	35
PID 2596 wrote to memory of 2556	2596	LiveMessageCenter.exe	36
PID 2596 wrote to memory of 2556	2596	LiveMessageCenter.exe	36
PID 2596 wrote to memory of 2556	2596	LiveMessageCenter.exe	36
PID 2596 wrote to memory of 2556	2596	LiveMessageCenter.exe	36
PID 2556 wrote to memory of 2744	2556	casino_extensions.exe	37
PID 2556 wrote to memory of 2744	2556	casino_extensions.exe	37
PID 2556 wrote to memory of 2744	2556	casino_extensions.exe	37
PID 2556 wrote to memory of 2744	2556	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
440KB

MD5
c331aa7a3980ff78df4d55b24d0e66b0

SHA1
60dabc6f2a7a205e362c19309df364659651bcca

SHA256
49daf980a80280aee02395466dda1d07e2a121a7779f99bc9bd3551456c476e4

SHA512
a8ce61a43c4d6b39221c537ae6e6dda3e1eb4433db193816527dad0a21cb7d8b0ae7a0d6305953be2e507a4c05e7245c6215b79a5034df3b0974ab4b623dcbf9

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
447KB

MD5
9c2b86c02bea2219f88c2ee9b66900a0

SHA1
e67bfc624820a55311a0cc9abb0459896861b251

SHA256
b6c8cdd5d09960931b2e1df9aa74a733008be611f6b8d4ec34ff9a911d2336f1

SHA512
6695c0cd7ccd06d2cafa1550087658a16f83224c7ab757b13a553919806a3652b461d73816f094fc01b1c3b8758858352ea4884483ec7ae150a8fd5a95a2f8e0

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
448KB

MD5
4ce03ba1b333c1b65bdb18dadbd9d687

SHA1
143094eaf06af9468445e5e6f8485a6b50d41bfb

SHA256
2da1cfd939b175bfd237325e357246e173c732330352d7ebc679847ca8c58b49

SHA512
51ba9d72c824f681cc881acb74a39eb6ff7257305de27ad5e996e2a4f856404eee3c3ff4f3546703eb356108278f5b38a13e4aa876560a8ba36af3a601591592

Download Submit
memory/1128-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2896-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download