4d2355a8d4244a036251e575ba35a2fb8434da77f1eb5109647fabe052bf586e

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 12:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b7990dd24656b62d10a043cdb941f980_NeikiAnalytics.exe
Size

681KB
MD5

b7990dd24656b62d10a043cdb941f980
SHA1

3ad119bcd3758893723f13c326be24acb8ee6f08
SHA256

4d2355a8d4244a036251e575ba35a2fb8434da77f1eb5109647fabe052bf586e
SHA512

60df81b17798e794bb43d8ad5583baafc9ebac75a029a6db61b75959497bec20d6bee9e20eff735e05352aa433695ba2207204d20a47c4ef9757c8f7e0b82fc4
SSDEEP

6144:nuj8NDF3OR9/Qe2HdJ8pSioXt4II0+zzrtjBvE:uOF3ORK3d11Xt4II0+zzrtjBvE

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2572	Casino_ext.exe

Executes dropped EXE 11 IoCs

pid	Process
2212	casino_extensions.exe
1068	LiveMessageCenter.exe
1036	casino_extensions.exe
2572	Casino_ext.exe
2584	casino_extensions.exe
2576	casino_extensions.exe
1892	casino_extensions.exe
2536	LiveMessageCenter.exe
2624	casino_extensions.exe
2404	casino_extensions.exe
2156	casino_extensions.exe

Loads dropped DLL 12 IoCs

pid	Process
2080	casino_extensions.exe
2080	casino_extensions.exe
1724	casino_extensions.exe
1724	casino_extensions.exe
2880	casino_extensions.exe
2880	casino_extensions.exe
2584	casino_extensions.exe
2584	casino_extensions.exe
1892	casino_extensions.exe
1892	casino_extensions.exe
2624	casino_extensions.exe
2624	casino_extensions.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1068	LiveMessageCenter.exe
2572	Casino_ext.exe
2536	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
612	b7990dd24656b62d10a043cdb941f980_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 612 wrote to memory of 2080	612	b7990dd24656b62d10a043cdb941f980_NeikiAnalytics.exe	28
PID 612 wrote to memory of 2080	612	b7990dd24656b62d10a043cdb941f980_NeikiAnalytics.exe	28
PID 612 wrote to memory of 2080	612	b7990dd24656b62d10a043cdb941f980_NeikiAnalytics.exe	28
PID 612 wrote to memory of 2080	612	b7990dd24656b62d10a043cdb941f980_NeikiAnalytics.exe	28
PID 2080 wrote to memory of 2212	2080	casino_extensions.exe	29
PID 2080 wrote to memory of 2212	2080	casino_extensions.exe	29
PID 2080 wrote to memory of 2212	2080	casino_extensions.exe	29
PID 2080 wrote to memory of 2212	2080	casino_extensions.exe	29
PID 2212 wrote to memory of 1724	2212	casino_extensions.exe	30
PID 2212 wrote to memory of 1724	2212	casino_extensions.exe	30
PID 2212 wrote to memory of 1724	2212	casino_extensions.exe	30
PID 2212 wrote to memory of 1724	2212	casino_extensions.exe	30
PID 1724 wrote to memory of 1068	1724	casino_extensions.exe	31
PID 1724 wrote to memory of 1068	1724	casino_extensions.exe	31
PID 1724 wrote to memory of 1068	1724	casino_extensions.exe	31
PID 1724 wrote to memory of 1068	1724	casino_extensions.exe	31
PID 1068 wrote to memory of 2880	1068	LiveMessageCenter.exe	32
PID 1068 wrote to memory of 2880	1068	LiveMessageCenter.exe	32
PID 1068 wrote to memory of 2880	1068	LiveMessageCenter.exe	32
PID 1068 wrote to memory of 2880	1068	LiveMessageCenter.exe	32
PID 2880 wrote to memory of 1036	2880	casino_extensions.exe	33
PID 2880 wrote to memory of 1036	2880	casino_extensions.exe	33
PID 2880 wrote to memory of 1036	2880	casino_extensions.exe	33
PID 2880 wrote to memory of 1036	2880	casino_extensions.exe	33
PID 1036 wrote to memory of 2572	1036	casino_extensions.exe	34
PID 1036 wrote to memory of 2572	1036	casino_extensions.exe	34
PID 1036 wrote to memory of 2572	1036	casino_extensions.exe	34
PID 1036 wrote to memory of 2572	1036	casino_extensions.exe	34
PID 2572 wrote to memory of 2584	2572	Casino_ext.exe	35
PID 2572 wrote to memory of 2584	2572	Casino_ext.exe	35
PID 2572 wrote to memory of 2584	2572	Casino_ext.exe	35
PID 2572 wrote to memory of 2584	2572	Casino_ext.exe	35
PID 2584 wrote to memory of 2576	2584	casino_extensions.exe	36
PID 2584 wrote to memory of 2576	2584	casino_extensions.exe	36
PID 2584 wrote to memory of 2576	2584	casino_extensions.exe	36
PID 2584 wrote to memory of 2576	2584	casino_extensions.exe	36
PID 2576 wrote to memory of 1892	2576	casino_extensions.exe	37
PID 2576 wrote to memory of 1892	2576	casino_extensions.exe	37
PID 2576 wrote to memory of 1892	2576	casino_extensions.exe	37
PID 2576 wrote to memory of 1892	2576	casino_extensions.exe	37
PID 1892 wrote to memory of 2536	1892	casino_extensions.exe	38
PID 1892 wrote to memory of 2536	1892	casino_extensions.exe	38
PID 1892 wrote to memory of 2536	1892	casino_extensions.exe	38
PID 1892 wrote to memory of 2536	1892	casino_extensions.exe	38
PID 2536 wrote to memory of 2624	2536	LiveMessageCenter.exe	39
PID 2536 wrote to memory of 2624	2536	LiveMessageCenter.exe	39
PID 2536 wrote to memory of 2624	2536	LiveMessageCenter.exe	39
PID 2536 wrote to memory of 2624	2536	LiveMessageCenter.exe	39
PID 2624 wrote to memory of 2404	2624	casino_extensions.exe	40
PID 2624 wrote to memory of 2404	2624	casino_extensions.exe	40
PID 2624 wrote to memory of 2404	2624	casino_extensions.exe	40
PID 2624 wrote to memory of 2404	2624	casino_extensions.exe	40
PID 2404 wrote to memory of 2156	2404	casino_extensions.exe	41
PID 2404 wrote to memory of 2156	2404	casino_extensions.exe	41
PID 2404 wrote to memory of 2156	2404	casino_extensions.exe	41
PID 2404 wrote to memory of 2156	2404	casino_extensions.exe	41
PID 2156 wrote to memory of 2608	2156	casino_extensions.exe	42
PID 2156 wrote to memory of 2608	2156	casino_extensions.exe	42
PID 2156 wrote to memory of 2608	2156	casino_extensions.exe	42
PID 2156 wrote to memory of 2608	2156	casino_extensions.exe	42
PID 2624 wrote to memory of 2440	2624	casino_extensions.exe	44
PID 2624 wrote to memory of 2440	2624	casino_extensions.exe	44
PID 2624 wrote to memory of 2440	2624	casino_extensions.exe	44
PID 2624 wrote to memory of 2440	2624	casino_extensions.exe	44

C:\Users\Admin\AppData\Local\Temp\b7990dd24656b62d10a043cdb941f980_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b7990dd24656b62d10a043cdb941f980_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:612
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        8⤵
        Deletes itself
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        16⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        14⤵
        
        PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
691KB

MD5
690a011f0131701b603e0c86c3ccf5cc

SHA1
606f371493c7629412b1bce06f2db59e48393a12

SHA256
9cca42696964aa59fe876646fa87baabad1aceb407658d8de72931fbde8892ec

SHA512
64cc50f366b05d47fa4cae91ef01de9730fc0e021a9b8184760ef7b409a39a4c76cd20e534464e84da692ec5e312096699f2ef743550ac08db14d18956076e93

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
703KB

MD5
d8371f3eef161a2efba8ab9531a5ff3a

SHA1
5621bd31bc85d02a4ec2215a0f48d937330bd9e0

SHA256
2685d70c0090e345b710de6b0311b75aca13eaf4c424ef86f956254ba1582328

SHA512
9b6a97282aae56dec58faa5aab35241675a6e68b5632af098e0305b1a8749de50127f83ef9c4c1955ed8da0422d1ebec20b202c09779e7f8311734b6f682dcff

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
688KB

MD5
faf2565f4a83436ec9abc18b0bf2d00a

SHA1
e16f52b179f27042eb1a35466edd0c87c5dca513

SHA256
44cad1fd2a3cea57cc6ca04c557a8f800b91023bd358625ec2d8de0bfe6c34d0

SHA512
ac788a597a750c02752df8dc7844ea4d57f99904558e756801a465e0badad749d45ab8f87954db1e1d2b648fabd2d550fc8a9cbeac1241448147e52dd918cdad

Download Submit
memory/612-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1036-26-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2572-43-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download