3036a040616db7248abd62bf4d682b4774e185c0eafd9a1c02bda1ebc6d4ea9d

General

Target

cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe
Size

936KB
MD5

cb4f00a2bc53fe0bb4f1ce615bdce070
SHA1

928d853e4649d1a6692adbcbdf037b880d5da287
SHA256

3036a040616db7248abd62bf4d682b4774e185c0eafd9a1c02bda1ebc6d4ea9d
SHA512

ac34567d393495fade1f88827c3095c9adc3d1d79233e5972da4388e1530d9dfc495d72614faeb6dc7210db8693c55eef98bda36cc75d22d3116e46d86f95ec9
SSDEEP

3072:YtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdLz2i1qt2i1p:Iuj8NDF3OR9/Qe2HdklrSqjzQtJo3FCp

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2820	Casino_ext.exe

Executes dropped EXE 4 IoCs

pid	Process
2456	casino_extensions.exe
1956	Casino_ext.exe
2664	casino_extensions.exe
2820	Casino_ext.exe

Loads dropped DLL 4 IoCs

pid	Process
1028	casino_extensions.exe
1028	casino_extensions.exe
2108	casino_extensions.exe
2108	casino_extensions.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1956	Casino_ext.exe
2820	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2488	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 1028	2488	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe	28
PID 2488 wrote to memory of 1028	2488	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe	28
PID 2488 wrote to memory of 1028	2488	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe	28
PID 2488 wrote to memory of 1028	2488	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe	28
PID 1028 wrote to memory of 2456	1028	casino_extensions.exe	29
PID 1028 wrote to memory of 2456	1028	casino_extensions.exe	29
PID 1028 wrote to memory of 2456	1028	casino_extensions.exe	29
PID 1028 wrote to memory of 2456	1028	casino_extensions.exe	29
PID 2456 wrote to memory of 1956	2456	casino_extensions.exe	30
PID 2456 wrote to memory of 1956	2456	casino_extensions.exe	30
PID 2456 wrote to memory of 1956	2456	casino_extensions.exe	30
PID 2456 wrote to memory of 1956	2456	casino_extensions.exe	30
PID 1956 wrote to memory of 2108	1956	Casino_ext.exe	31
PID 1956 wrote to memory of 2108	1956	Casino_ext.exe	31
PID 1956 wrote to memory of 2108	1956	Casino_ext.exe	31
PID 1956 wrote to memory of 2108	1956	Casino_ext.exe	31
PID 2108 wrote to memory of 2664	2108	casino_extensions.exe	32
PID 2108 wrote to memory of 2664	2108	casino_extensions.exe	32
PID 2108 wrote to memory of 2664	2108	casino_extensions.exe	32
PID 2108 wrote to memory of 2664	2108	casino_extensions.exe	32
PID 2664 wrote to memory of 2820	2664	casino_extensions.exe	33
PID 2664 wrote to memory of 2820	2664	casino_extensions.exe	33
PID 2664 wrote to memory of 2820	2664	casino_extensions.exe	33
PID 2664 wrote to memory of 2820	2664	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Deletes itself
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\casino_extensions.exe

Filesize
938KB

MD5
c81a0f9f40060b9f461ae4a25401a7b0

SHA1
eb67e6a80f6a9f3e51f5182c99ade1a14ddbfa71

SHA256
478f92b95b4002b2c8889343e583fb03348354c542f4175fc78c61b9a4bc131b

SHA512
b18e231cd7b5d9115967e0779a46f9b7caabcdee12704e9603c31e544deb64883d8e6cc49857e3f9b0a17c04afaeb77e8d0fda146859fe147f800234764efb4b

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
939KB

MD5
e5da8c6bc145e731dec18b79acdb3721

SHA1
f9628b5953b49f30236919a126c7340e8c5ecd92

SHA256
bd4dbca294fef1980f35bd8ad3c77a69e5db17b3da82380a8ef6020be3d0d565

SHA512
42b3b2197350f16579306322f1dc7e3a05fad211c9bc55264faabc88504245407613abf1145b0b1a678dc0c4be351a8469ae1a43771e963450740a696488666d

Download Submit
memory/2456-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2488-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing