dd7b3526a55859be31413818b1f2f2d5a66484c0709e1a43e3025731f64a3eba

Analysis

max time kernel
93s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe
Size

895KB
MD5

00a65fcd55df9360f3b4ab1472db51f0
SHA1

29211bea1110f55505100b08c5c65cc102b35d1a
SHA256

dd7b3526a55859be31413818b1f2f2d5a66484c0709e1a43e3025731f64a3eba
SHA512

9d0c906ac496ccb9aeda6012c14f98c496d83b8cdfd19de3f73b54077e9c371dff5af0ca25a341108bfbf757e71f3765e8bf2ef5d1b05d3c8b70815c6e1465f8
SSDEEP

6144:+uj8NDF3OR9/Qe2HdJ8RAe6xV/nhDvyHOc:hOF3ORK3d7e6xV/hD6Hd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2208	casino_extensions.exe
2400	Casino_ext.exe
3552	casino_extensions.exe
1092	Casino_ext.exe
2576	LiveMessageCenter.exe
2776	casino_extensions.exe
2692	Casino_ext.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2400	Casino_ext.exe
2400	Casino_ext.exe
1092	Casino_ext.exe
1092	Casino_ext.exe
2576	LiveMessageCenter.exe
2576	LiveMessageCenter.exe
2692	Casino_ext.exe
2692	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
812	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 1436	812	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe	81
PID 812 wrote to memory of 1436	812	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe	81
PID 812 wrote to memory of 1436	812	00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe	81
PID 1436 wrote to memory of 2208	1436	casino_extensions.exe	82
PID 1436 wrote to memory of 2208	1436	casino_extensions.exe	82
PID 1436 wrote to memory of 2208	1436	casino_extensions.exe	82
PID 2208 wrote to memory of 2400	2208	casino_extensions.exe	83
PID 2208 wrote to memory of 2400	2208	casino_extensions.exe	83
PID 2208 wrote to memory of 2400	2208	casino_extensions.exe	83
PID 2400 wrote to memory of 1340	2400	Casino_ext.exe	85
PID 2400 wrote to memory of 1340	2400	Casino_ext.exe	85
PID 2400 wrote to memory of 1340	2400	Casino_ext.exe	85
PID 1340 wrote to memory of 3552	1340	casino_extensions.exe	86
PID 1340 wrote to memory of 3552	1340	casino_extensions.exe	86
PID 1340 wrote to memory of 3552	1340	casino_extensions.exe	86
PID 3552 wrote to memory of 1092	3552	casino_extensions.exe	87
PID 3552 wrote to memory of 1092	3552	casino_extensions.exe	87
PID 3552 wrote to memory of 1092	3552	casino_extensions.exe	87
PID 1092 wrote to memory of 5048	1092	Casino_ext.exe	88
PID 1092 wrote to memory of 5048	1092	Casino_ext.exe	88
PID 1092 wrote to memory of 5048	1092	Casino_ext.exe	88
PID 5048 wrote to memory of 2576	5048	casino_extensions.exe	89
PID 5048 wrote to memory of 2576	5048	casino_extensions.exe	89
PID 5048 wrote to memory of 2576	5048	casino_extensions.exe	89
PID 2576 wrote to memory of 252	2576	LiveMessageCenter.exe	90
PID 2576 wrote to memory of 252	2576	LiveMessageCenter.exe	90
PID 2576 wrote to memory of 252	2576	LiveMessageCenter.exe	90
PID 252 wrote to memory of 2776	252	casino_extensions.exe	92
PID 252 wrote to memory of 2776	252	casino_extensions.exe	92
PID 252 wrote to memory of 2776	252	casino_extensions.exe	92
PID 2776 wrote to memory of 2692	2776	casino_extensions.exe	93
PID 2776 wrote to memory of 2692	2776	casino_extensions.exe	93
PID 2776 wrote to memory of 2692	2776	casino_extensions.exe	93
PID 2692 wrote to memory of 5028	2692	Casino_ext.exe	94
PID 2692 wrote to memory of 5028	2692	Casino_ext.exe	94
PID 2692 wrote to memory of 5028	2692	Casino_ext.exe	94
PID 5028 wrote to memory of 3940	5028	casino_extensions.exe	95
PID 5028 wrote to memory of 3940	5028	casino_extensions.exe	95
PID 5028 wrote to memory of 3940	5028	casino_extensions.exe	95

C:\Users\Admin\AppData\Local\Temp\00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\00a65fcd55df9360f3b4ab1472db51f0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:812
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2400
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:252
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        14⤵
        
        PID:3940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
897KB

MD5
c99efaefae2bafbff023b29afb94f171

SHA1
1ab1bcc8685f903c10a38c6caf8f807d3ef34722

SHA256
8263013cb7acbe3db2597016a747d8e327d0292f941be5a199721e3a3df8bb04

SHA512
dda028d5c6b58bbdc399b5487d3cb3310f0430d80a374e1e3119c514f640c1585093e103db9bc33f7abfb2cd02f0b9665572921cb56e3d8a21b3449c2b1f6d5a

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
909KB

MD5
2f514321b3d3d99d2e248d345f0501f3

SHA1
ba7997c374c9a8b20f28e4bdf3619ef6748601a2

SHA256
1de2edd3b7885124d23d608e5a2de71c3965217919bc46bcb067cd53ff46333b

SHA512
25b0bacdff6a5feb16e306942d3127a3d4be77a70344ba940068cad3003de9d2f0768712aa397b607fbcc7c01a4c39733b8658425c74a62a78a71c7cc897b601

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
896KB

MD5
7b9a62a91cd8befd6a2d464531422c07

SHA1
e01ff518cac10513fb760f1b188db5b8aaa96162

SHA256
5cac1f0dac3300696dcd9a340e8b012eeb8ee00039ac61cec9c50e463e497d89

SHA512
b5d8b67269c71b6972f742d509c06ae120e4213eb3ae5f15cd489cc248f258e60c299da5aecb810bf3c07567f82d351d06c63500643f4297c86631eff015a757

Download Submit
memory/812-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2208-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download