Analysis

max time kernel: 143s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 18:29

Static task: static1

Behavioral task: behavioral1
  Sample: 287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe
  Resource: win10v2004-20240226-en
General

Target: 287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe
Size: 433KB
MD5: 287ab233b9b331ddfdab0c1ab7be91a0
SHA1: 3d42f4b0d7ca99673910e9cdd53b7fd124a2c0e4
SHA256: 59160a15a244f8e68cad41ce919b4baafa1a1addc22831f0dd344412ed7c47fb
SHA512: ebebae0d6272ac61afbeec30527f8a5f6bfc5d84bfce02ec1a3dfec4ff03133ea1fb3e46e850ed04d3d1c48137cf746f168b6e56c11b019d10a90eb7b3e962bd
SSDEEP: 3072:dtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK42i1ZKEJ6RCiVRz/ql:3uj8NDF3OR9/Qe2HdJfwK4Ddj+zk
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  4168  LiveMessageCenter.exe

Drops file in System32 directory (6 IoCs)
  description                   ioc                                         Process
  File opened for modification  C:\Windows\SysWOW64\casino_extensions.exe   casino_extensions.exe
  File created                  C:\Windows\SysWOW64\LiveMessageCenter.exe   casino_extensions.exe
  File opened for modification  C:\Windows\SysWOW64\LiveMessageCenter.exe   casino_extensions.exe
  File opened for modification  C:\Windows\SysWOW64\casino_extensions.exe   casino_extensions.exe
  File opened for modification  C:\Windows\SysWOW64\LiveMessageCenter.exe   casino_extensions.exe
  File created                  C:\Windows\SysWOW64\casino_extensions.exe   casino_extensions.exe

Drops file in Program Files directory (2 IoCs)
  description                   ioc                                                             Process
  File opened for modification  C:\Program Files (x86)\Internet Explorer\casino_extensions.exe  LiveMessageCenter.exe
  File created                  C:\Program Files (x86)\Internet Explorer\$$202803s.bat          casino_extensions.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4168  LiveMessageCenter.exe
  4168  LiveMessageCenter.exe

Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2640  287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                                               procid_target
  PID 2640 wrote to memory of 3104  2640  287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe  91
  PID 2640 wrote to memory of 3104  2640  287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe  91
  PID 2640 wrote to memory of 3104  2640  287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe  91
  PID 3104 wrote to memory of 4168  3104  casino_extensions.exe                                 92
  PID 3104 wrote to memory of 4168  3104  casino_extensions.exe                                 92
  PID 3104 wrote to memory of 4168  3104  casino_extensions.exe                                 92
  PID 4168 wrote to memory of 4152  4168  LiveMessageCenter.exe                                 93
  PID 4168 wrote to memory of 4152  4168  LiveMessageCenter.exe                                 93
  PID 4168 wrote to memory of 4152  4168  LiveMessageCenter.exe                                 93
  PID 4152 wrote to memory of 4540  4152  casino_extensions.exe                                 94
  PID 4152 wrote to memory of 4540  4152  casino_extensions.exe                                 94
  PID 4152 wrote to memory of 4540  4152  casino_extensions.exe                                 94
Processes

1. C:\Users\Admin\AppData\Local\Temp\287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\287ab233b9b331ddfdab0c1ab7be91a0_NeikiAnalytics.exe"
   PID: 2640
   - Suspicious behavior: RenamesItself
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      PID: 3104
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\LiveMessageCenter.exe
         Command line: C:\Windows\system32\LiveMessageCenter.exe /part2
         PID: 4168
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
            Command line: "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
            PID: 4152
            - Drops file in System32 directory
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: C:\Windows\system32\cmd.exe /c $$2028~1.BAT
               PID: 4540
1. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2808 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
   PID: 1624
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 81B
  MD5: 4777bf695815d870d27ed4a38a8f0840
  SHA1: 565412b5182bca7a221448dba78369c42d1c4a0c
  SHA256: c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d
  SHA512: 87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

File 2
  Filesize: 444KB
  MD5: 9105b622dc6b727d0885ab21fd0ac0c9
  SHA1: 4d52d68861c91a6e6fb416ba0872e305736d6aa7
  SHA256: a93b5297f8664eb0278443cfa63344642d0a312041c8b0209bc145728498aa3a
  SHA512: b20a79a1a95caf43657e545ff8bb78bb1d08f91da932859ac13f6a66846cd9ddb94ef6ce0441627c01aba347e03301add170ea52652b44455b0db1c391aa762b

File 3
  Filesize: 446KB
  MD5: 9873661b4f7591db346cb90803dce8e8
  SHA1: 43612b7042eb790fef1d7000fafc9be53df6e753
  SHA256: 2801e2c87cd578bdb337fd86943d11efea3e3b8e3c9bc9552f0e338fc8a1d3c2
  SHA512: 9d82d067d6d2094b72373ed84f996cc569555e3b45ed0ad8508db286fcf2ae7e047b3e55e09e29350008a6b95dbcacb015bb59be5a9bb83d88847b8f9439cbf7