2f707b2e3a4a55233830597e4fc872902b9fed4e671ea05878c1ec0c8965c2a7

Analysis

max time kernel
134s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf1a01683158943d42226c41051e08a0_NeikiAnalytics.exe
Size

794KB
MD5

bf1a01683158943d42226c41051e08a0
SHA1

2800f728cec33be833fbb8762bff4323d28661cf
SHA256

2f707b2e3a4a55233830597e4fc872902b9fed4e671ea05878c1ec0c8965c2a7
SHA512

c56662b4b298f1018026c09bc002cea7a958560cdc551857415ceec322b728f63f2d71f4ede6f28b08c0e308d4aabf42cb3568e8bc8adadd9dff85feb4528b61
SSDEEP

3072:LtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMykw+imi5wxx4Vao2i1d3:Buj8NDF3OR9/Qe2HdJ8pS4ofWdii6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
640	casino_extensions.exe
4984	Casino_ext.exe
4168	casino_extensions.exe
2728	Casino_ext.exe
3272	casino_extensions.exe
3260	Casino_ext.exe
5044	LiveMessageCenter.exe
792	casino_extensions.exe
4756	Casino_ext.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4984	Casino_ext.exe
4984	Casino_ext.exe
2728	Casino_ext.exe
2728	Casino_ext.exe
3260	Casino_ext.exe
3260	Casino_ext.exe
5044	LiveMessageCenter.exe
5044	LiveMessageCenter.exe
4756	Casino_ext.exe
4756	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1352	bf1a01683158943d42226c41051e08a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 4828	1352	bf1a01683158943d42226c41051e08a0_NeikiAnalytics.exe	85
PID 1352 wrote to memory of 4828	1352	bf1a01683158943d42226c41051e08a0_NeikiAnalytics.exe	85
PID 1352 wrote to memory of 4828	1352	bf1a01683158943d42226c41051e08a0_NeikiAnalytics.exe	85
PID 4828 wrote to memory of 640	4828	casino_extensions.exe	86
PID 4828 wrote to memory of 640	4828	casino_extensions.exe	86
PID 4828 wrote to memory of 640	4828	casino_extensions.exe	86
PID 640 wrote to memory of 4984	640	casino_extensions.exe	87
PID 640 wrote to memory of 4984	640	casino_extensions.exe	87
PID 640 wrote to memory of 4984	640	casino_extensions.exe	87
PID 4984 wrote to memory of 2124	4984	Casino_ext.exe	88
PID 4984 wrote to memory of 2124	4984	Casino_ext.exe	88
PID 4984 wrote to memory of 2124	4984	Casino_ext.exe	88
PID 2124 wrote to memory of 4168	2124	casino_extensions.exe	89
PID 2124 wrote to memory of 4168	2124	casino_extensions.exe	89
PID 2124 wrote to memory of 4168	2124	casino_extensions.exe	89
PID 4168 wrote to memory of 2728	4168	casino_extensions.exe	90
PID 4168 wrote to memory of 2728	4168	casino_extensions.exe	90
PID 4168 wrote to memory of 2728	4168	casino_extensions.exe	90
PID 2728 wrote to memory of 2244	2728	Casino_ext.exe	92
PID 2728 wrote to memory of 2244	2728	Casino_ext.exe	92
PID 2728 wrote to memory of 2244	2728	Casino_ext.exe	92
PID 2244 wrote to memory of 3272	2244	casino_extensions.exe	93
PID 2244 wrote to memory of 3272	2244	casino_extensions.exe	93
PID 2244 wrote to memory of 3272	2244	casino_extensions.exe	93
PID 3272 wrote to memory of 3260	3272	casino_extensions.exe	94
PID 3272 wrote to memory of 3260	3272	casino_extensions.exe	94
PID 3272 wrote to memory of 3260	3272	casino_extensions.exe	94
PID 3260 wrote to memory of 4956	3260	Casino_ext.exe	95
PID 3260 wrote to memory of 4956	3260	Casino_ext.exe	95
PID 3260 wrote to memory of 4956	3260	Casino_ext.exe	95
PID 4956 wrote to memory of 5044	4956	casino_extensions.exe	96
PID 4956 wrote to memory of 5044	4956	casino_extensions.exe	96
PID 4956 wrote to memory of 5044	4956	casino_extensions.exe	96
PID 5044 wrote to memory of 628	5044	LiveMessageCenter.exe	97
PID 5044 wrote to memory of 628	5044	LiveMessageCenter.exe	97
PID 5044 wrote to memory of 628	5044	LiveMessageCenter.exe	97
PID 628 wrote to memory of 792	628	casino_extensions.exe	98
PID 628 wrote to memory of 792	628	casino_extensions.exe	98
PID 628 wrote to memory of 792	628	casino_extensions.exe	98
PID 792 wrote to memory of 4756	792	casino_extensions.exe	99
PID 792 wrote to memory of 4756	792	casino_extensions.exe	99
PID 792 wrote to memory of 4756	792	casino_extensions.exe	99
PID 4756 wrote to memory of 3016	4756	Casino_ext.exe	102
PID 4756 wrote to memory of 3016	4756	Casino_ext.exe	102
PID 4756 wrote to memory of 3016	4756	Casino_ext.exe	102
PID 3016 wrote to memory of 4596	3016	casino_extensions.exe	103
PID 3016 wrote to memory of 4596	3016	casino_extensions.exe	103
PID 3016 wrote to memory of 4596	3016	casino_extensions.exe	103

C:\Users\Admin\AppData\Local\Temp\bf1a01683158943d42226c41051e08a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\bf1a01683158943d42226c41051e08a0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4984
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        17⤵
        
        PID:4596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
811KB

MD5
f4407f51938b2f14a35c8530a9d040ba

SHA1
d843f861cd9ae25ab33a58dd277ac00c0f7a7bd8

SHA256
ff443c58968fe0123d013feed8948873d4143f33ae9af89b9599b3086dae0166

SHA512
1e9f95e0f8384cc690380a2e5985f2384b25085f382e73ae7ce76355d1dda06a704068f20404f382fe8e8602bd22b4d77b8d6e9375519e08389d72770cd5434f

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
803KB

MD5
13ef70a78066fbb5089b71a55bb5a518

SHA1
199fc1bf63a42772dc9149060bd0641a9c27edcb

SHA256
a0014bd3bfe565db702eae81339317c4b8efa34f130ccd0cdfde9f7e56c69951

SHA512
a7969caeb9872b26529acda66bf7ffebb52b8af9a675624782b521fb380745216b6d180599904a621d8d2c7d1e5e2cf5ee445d02c87ba7ed2e37a404c6a9b3d3

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
798KB

MD5
13a2b623d078cef422f2400f7bef156a

SHA1
21cf5b7859fbcb4ef80b5f5242d5de121a48bb3d

SHA256
a173bba1f5c1a5b39abeeaa508835f408397e2068cfff60a7beaababec8b8c5e

SHA512
1abe6325e79d76f13d574e93852799f1834b372e0667fea45265bf4adbd7b393dfedeb5eadda157686666486ff4ccab52604671ee67c96141b176e2a28e12b47

Download Submit
memory/640-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1352-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download