3036a040616db7248abd62bf4d682b4774e185c0eafd9a1c02bda1ebc6d4ea9d

General

Target

cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe
Size

936KB
MD5

cb4f00a2bc53fe0bb4f1ce615bdce070
SHA1

928d853e4649d1a6692adbcbdf037b880d5da287
SHA256

3036a040616db7248abd62bf4d682b4774e185c0eafd9a1c02bda1ebc6d4ea9d
SHA512

ac34567d393495fade1f88827c3095c9adc3d1d79233e5972da4388e1530d9dfc495d72614faeb6dc7210db8693c55eef98bda36cc75d22d3116e46d86f95ec9
SSDEEP

3072:YtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdLz2i1qt2i1p:Iuj8NDF3OR9/Qe2HdklrSqjzQtJo3FCp

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2244	casino_extensions.exe
5024	Casino_ext.exe
216	casino_extensions.exe
2676	Casino_ext.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5024	Casino_ext.exe
5024	Casino_ext.exe
2676	Casino_ext.exe
2676	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
236	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 1536	236	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe	85
PID 236 wrote to memory of 1536	236	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe	85
PID 236 wrote to memory of 1536	236	cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe	85
PID 1536 wrote to memory of 2244	1536	casino_extensions.exe	86
PID 1536 wrote to memory of 2244	1536	casino_extensions.exe	86
PID 1536 wrote to memory of 2244	1536	casino_extensions.exe	86
PID 2244 wrote to memory of 5024	2244	casino_extensions.exe	87
PID 2244 wrote to memory of 5024	2244	casino_extensions.exe	87
PID 2244 wrote to memory of 5024	2244	casino_extensions.exe	87
PID 5024 wrote to memory of 4628	5024	Casino_ext.exe	88
PID 5024 wrote to memory of 4628	5024	Casino_ext.exe	88
PID 5024 wrote to memory of 4628	5024	Casino_ext.exe	88
PID 4628 wrote to memory of 216	4628	casino_extensions.exe	89
PID 4628 wrote to memory of 216	4628	casino_extensions.exe	89
PID 4628 wrote to memory of 216	4628	casino_extensions.exe	89
PID 216 wrote to memory of 2676	216	casino_extensions.exe	90
PID 216 wrote to memory of 2676	216	casino_extensions.exe	90
PID 216 wrote to memory of 2676	216	casino_extensions.exe	90
PID 2676 wrote to memory of 4428	2676	Casino_ext.exe	91
PID 2676 wrote to memory of 4428	2676	Casino_ext.exe	91
PID 2676 wrote to memory of 4428	2676	Casino_ext.exe	91
PID 4428 wrote to memory of 1608	4428	casino_extensions.exe	92
PID 4428 wrote to memory of 1608	4428	casino_extensions.exe	92
PID 4428 wrote to memory of 1608	4428	casino_extensions.exe	92

C:\Users\Admin\AppData\Local\Temp\cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\cb4f00a2bc53fe0bb4f1ce615bdce070_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:236
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        9⤵
        
        PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
943KB

MD5
55cd14ed98ff5a8e14b94576bd929350

SHA1
7866b85fe69755b77094815ad89ad560686c0041

SHA256
3840f679889868534056293b81aefa6275a95ca83d0c7aa2aa4eb655ba385978

SHA512
62213899081990bd69fca0359fad8c542f20fbfa408d82b228441d9ab6f05bd45bba81ea7b40602a058bab162d67f79ae18ec5af48f25997bec3a2c70b10d9a4

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
943KB

MD5
3b8b3ebe9585cd05dd70c0063acee90c

SHA1
b3a589f08cd3d18ad107213d1fe5439436745db5

SHA256
c772711a5e0ec12d1af1fa95761a25985d0307f5733cd6836e95d9701464bd13

SHA512
819496c90e50370f7e94e5ce3a015010b0f1286f9cf927e25100fe088aec415cbcd1623a36fd27d3224b2c81eee1e31db44b13da7e546cc2c97e2f3ab309ed69

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
951KB

MD5
d2c64ea738dc00e35d81cce99aaebba7

SHA1
b67e3e4bf8b41ff7d8cfdf6827a6a2a18ec0128f

SHA256
59283eeb6f6884ad2e59debf42af273131143db915cc6f8ac0b719b52983ed86

SHA512
33c4fcd562b01aba7a0480ad44a8cb788a3d416df7a59b1a1abf8539670656525f640ec644a3a1a332084421cfdff6810b5cb467f353565029d7dccfb6766008

Download Submit
memory/236-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2244-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing