97e49428abea66da2c2c87ba20cc0132d9819f8a2f1c04b55f2b80feb672a282

General

Target

1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe
Size

612KB
MD5

1e8d3e4527337b1079854db4847b25a0
SHA1

5819d724665d0e8bff2f23492e8c8759c6960350
SHA256

97e49428abea66da2c2c87ba20cc0132d9819f8a2f1c04b55f2b80feb672a282
SHA512

09b3bc58cfa9d64a8678708dab150eded476968c8171f72444d1d7f1840aadb86a455c3a7456bafd35e8c1e43130b46822a319ab14ef27c989ef26f503a07c46
SSDEEP

3072:stwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMqle7xa2i1hrxFpKUWZ24:8uj8NDF3OR9/Qe2HdJ8RAbrycK

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
764	casino_extensions.exe
2260	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
2976	casino_extensions.exe
2976	casino_extensions.exe
2760	casino_extensions.exe
2760	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2260	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2956	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2976	2956	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2976	2956	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2976	2956	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe	28
PID 2956 wrote to memory of 2976	2956	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe	28
PID 2976 wrote to memory of 764	2976	casino_extensions.exe	29
PID 2976 wrote to memory of 764	2976	casino_extensions.exe	29
PID 2976 wrote to memory of 764	2976	casino_extensions.exe	29
PID 2976 wrote to memory of 764	2976	casino_extensions.exe	29
PID 764 wrote to memory of 2760	764	casino_extensions.exe	30
PID 764 wrote to memory of 2760	764	casino_extensions.exe	30
PID 764 wrote to memory of 2760	764	casino_extensions.exe	30
PID 764 wrote to memory of 2760	764	casino_extensions.exe	30
PID 2760 wrote to memory of 2260	2760	casino_extensions.exe	31
PID 2760 wrote to memory of 2260	2760	casino_extensions.exe	31
PID 2760 wrote to memory of 2260	2760	casino_extensions.exe	31
PID 2760 wrote to memory of 2260	2760	casino_extensions.exe	31
PID 2260 wrote to memory of 2640	2260	LiveMessageCenter.exe	32
PID 2260 wrote to memory of 2640	2260	LiveMessageCenter.exe	32
PID 2260 wrote to memory of 2640	2260	LiveMessageCenter.exe	32
PID 2260 wrote to memory of 2640	2260	LiveMessageCenter.exe	32
PID 2640 wrote to memory of 2592	2640	casino_extensions.exe	33
PID 2640 wrote to memory of 2592	2640	casino_extensions.exe	33
PID 2640 wrote to memory of 2592	2640	casino_extensions.exe	33
PID 2640 wrote to memory of 2592	2640	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
624KB

MD5
e1c1e20869910e84d3211954f130e531

SHA1
1ee0d62da144775b9ee0830e040091906b224747

SHA256
fb71d881f3f4092f34524c4cdda70ff04edcbc4262c9d575dd225ca9d380b04d

SHA512
e94baa3b11b79109c9e4a94c7b9aede3095489b3fe42b953e48e7e021fbaedcbc3a3dbe9c4c4dc081f41410b35c15b3dbb3ee3c52e1f2df7a13744c97aba342f

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
620KB

MD5
aa37c7bfd70e287cbe8434f8037e8ccf

SHA1
bd8434839698955b3398c045dadafbc7b0978baf

SHA256
51ffd38ca5b3d58d4a5e287c2c1453de92cbbb241ec4d54717c51c577faa2f72

SHA512
e559c44c9b71800ed3337c3852ac88b4077b9be9ccb74f85acd16f2a6eb450634134d8f9d502bff2ebd6e6abd68e87a95ff4b11cf06473f1e7c7fa129a7217e9

Download Submit
memory/2760-22-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2956-21-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2976-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing