6d3442dbf3d7f69f21f281f1ca03e6e6734852a6992cc63473eca9a1f3df7a8f

Analysis

max time kernel
142s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8afc49c1b5df3480df7d4dbda2cbf6a0_NeikiAnalytics.exe
Size

434KB
MD5

8afc49c1b5df3480df7d4dbda2cbf6a0
SHA1

d843da0a5de444ed0c839a23db0487ae233dc2f1
SHA256

6d3442dbf3d7f69f21f281f1ca03e6e6734852a6992cc63473eca9a1f3df7a8f
SHA512

061c5631296d1ad91a49965f624aa64f86a22c4b13408c05f9b628a7ca2dc758671c8ef6a93fb17fad536298f2e25b40c49c4760c2d2c6bacf430ae00ebc1a45
SSDEEP

3072:XtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQ0HHGNAKs+1Wywe:duj8NDF3OR9/Qe2HdklrePKZ1Wy7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2128	casino_extensions.exe
4984	Casino_ext.exe
3208	casino_extensions.exe
1700	Casino_ext.exe
2280	LiveMessageCenter.exe
1724	casino_extensions.exe
1480	Casino_ext.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4984	Casino_ext.exe
4984	Casino_ext.exe
1700	Casino_ext.exe
1700	Casino_ext.exe
2280	LiveMessageCenter.exe
2280	LiveMessageCenter.exe
1480	Casino_ext.exe
1480	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1836	8afc49c1b5df3480df7d4dbda2cbf6a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 3492	1836	8afc49c1b5df3480df7d4dbda2cbf6a0_NeikiAnalytics.exe	82
PID 1836 wrote to memory of 3492	1836	8afc49c1b5df3480df7d4dbda2cbf6a0_NeikiAnalytics.exe	82
PID 1836 wrote to memory of 3492	1836	8afc49c1b5df3480df7d4dbda2cbf6a0_NeikiAnalytics.exe	82
PID 3492 wrote to memory of 2128	3492	casino_extensions.exe	83
PID 3492 wrote to memory of 2128	3492	casino_extensions.exe	83
PID 3492 wrote to memory of 2128	3492	casino_extensions.exe	83
PID 2128 wrote to memory of 4984	2128	casino_extensions.exe	84
PID 2128 wrote to memory of 4984	2128	casino_extensions.exe	84
PID 2128 wrote to memory of 4984	2128	casino_extensions.exe	84
PID 4984 wrote to memory of 3000	4984	Casino_ext.exe	85
PID 4984 wrote to memory of 3000	4984	Casino_ext.exe	85
PID 4984 wrote to memory of 3000	4984	Casino_ext.exe	85
PID 3000 wrote to memory of 3208	3000	casino_extensions.exe	86
PID 3000 wrote to memory of 3208	3000	casino_extensions.exe	86
PID 3000 wrote to memory of 3208	3000	casino_extensions.exe	86
PID 3208 wrote to memory of 1700	3208	casino_extensions.exe	87
PID 3208 wrote to memory of 1700	3208	casino_extensions.exe	87
PID 3208 wrote to memory of 1700	3208	casino_extensions.exe	87
PID 1700 wrote to memory of 4040	1700	Casino_ext.exe	88
PID 1700 wrote to memory of 4040	1700	Casino_ext.exe	88
PID 1700 wrote to memory of 4040	1700	Casino_ext.exe	88
PID 4040 wrote to memory of 2280	4040	casino_extensions.exe	89
PID 4040 wrote to memory of 2280	4040	casino_extensions.exe	89
PID 4040 wrote to memory of 2280	4040	casino_extensions.exe	89
PID 2280 wrote to memory of 3308	2280	LiveMessageCenter.exe	90
PID 2280 wrote to memory of 3308	2280	LiveMessageCenter.exe	90
PID 2280 wrote to memory of 3308	2280	LiveMessageCenter.exe	90
PID 3308 wrote to memory of 1724	3308	casino_extensions.exe	91
PID 3308 wrote to memory of 1724	3308	casino_extensions.exe	91
PID 3308 wrote to memory of 1724	3308	casino_extensions.exe	91
PID 1724 wrote to memory of 1480	1724	casino_extensions.exe	92
PID 1724 wrote to memory of 1480	1724	casino_extensions.exe	92
PID 1724 wrote to memory of 1480	1724	casino_extensions.exe	92
PID 1480 wrote to memory of 684	1480	Casino_ext.exe	93
PID 1480 wrote to memory of 684	1480	Casino_ext.exe	93
PID 1480 wrote to memory of 684	1480	Casino_ext.exe	93
PID 684 wrote to memory of 1528	684	casino_extensions.exe	94
PID 684 wrote to memory of 1528	684	casino_extensions.exe	94
PID 684 wrote to memory of 1528	684	casino_extensions.exe	94

C:\Users\Admin\AppData\Local\Temp\8afc49c1b5df3480df7d4dbda2cbf6a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8afc49c1b5df3480df7d4dbda2cbf6a0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4984
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        14⤵
        
        PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
451KB

MD5
579c0148bcc16017cacd98eebab031bf

SHA1
1faefbbe49b391acd77124295b8624de3660277d

SHA256
977704e46a5b5e7e6f4a6cd2583dff81d8402b3487d9a1c86e71150f08842cc7

SHA512
1262bf3d797f904c2cde16230291bda050d7e7332c5d08f079d75224d42592d9961e53bbbce4ed021041370425b2ba5da05885d483e12541201fada4fe782084

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
447KB

MD5
7aa62a229c09ef9159d1a2f2c2fced4a

SHA1
f9533c3bdb20039540910b6cb6c75f83d338022b

SHA256
2c4a75af85fbabe6f32a8e3e65b582f3406a273fe63877acec83c7ca262ab8c7

SHA512
caef2b2b4d8ac2a1856e65f6efa35ce6089b448da94359884f4e04254eac48d0060dcdec84adbe3a95dfe9eb16815ad1a2c674690d660bbf4e9b58df260f9393

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
443KB

MD5
dfac2f5cddd8f8039aa8ba7fff4fd635

SHA1
ff66f4d2d9082ac8caff3e69805943ae794390e0

SHA256
7ea2bff5d84b8ce71c61370bc1dbad6f1c40a7cac2ea2e2c3b3b0a6f986597b7

SHA512
e2d681288c00d3044d44598a994407b15b06e2342a5d1cb4259fbe5dd3e44aab9b697eb5075547d24d4254e8053f8cfb7701f1c6e6a672d139eb5ec5a9146cb7

Download Submit
memory/1836-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2128-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download