97e49428abea66da2c2c87ba20cc0132d9819f8a2f1c04b55f2b80feb672a282

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe
Size

612KB
MD5

1e8d3e4527337b1079854db4847b25a0
SHA1

5819d724665d0e8bff2f23492e8c8759c6960350
SHA256

97e49428abea66da2c2c87ba20cc0132d9819f8a2f1c04b55f2b80feb672a282
SHA512

09b3bc58cfa9d64a8678708dab150eded476968c8171f72444d1d7f1840aadb86a455c3a7456bafd35e8c1e43130b46822a319ab14ef27c989ef26f503a07c46
SSDEEP

3072:stwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMqle7xa2i1hrxFpKUWZ24:8uj8NDF3OR9/Qe2HdJ8RAbrycK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 16 IoCs

pid	Process
4308	casino_extensions.exe
3468	Casino_ext.exe
228	casino_extensions.exe
468	Casino_ext.exe
4536	casino_extensions.exe
3132	Casino_ext.exe
1596	casino_extensions.exe
3396	Casino_ext.exe
2452	casino_extensions.exe
3124	Casino_ext.exe
4900	LiveMessageCenter.exe
3240	casino_extensions.exe
2168	Casino_ext.exe
3288	casino_extensions.exe
5116	Casino_ext.exe
3280	LiveMessageCenter.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3468	Casino_ext.exe
3468	Casino_ext.exe
468	Casino_ext.exe
468	Casino_ext.exe
3132	Casino_ext.exe
3132	Casino_ext.exe
3396	Casino_ext.exe
3396	Casino_ext.exe
3124	Casino_ext.exe
3124	Casino_ext.exe
4900	LiveMessageCenter.exe
4900	LiveMessageCenter.exe
2168	Casino_ext.exe
2168	Casino_ext.exe
5116	Casino_ext.exe
5116	Casino_ext.exe
3280	LiveMessageCenter.exe
3280	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2680	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4844	2680	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe	83
PID 2680 wrote to memory of 4844	2680	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe	83
PID 2680 wrote to memory of 4844	2680	1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe	83
PID 4844 wrote to memory of 4308	4844	casino_extensions.exe	84
PID 4844 wrote to memory of 4308	4844	casino_extensions.exe	84
PID 4844 wrote to memory of 4308	4844	casino_extensions.exe	84
PID 4308 wrote to memory of 3468	4308	casino_extensions.exe	85
PID 4308 wrote to memory of 3468	4308	casino_extensions.exe	85
PID 4308 wrote to memory of 3468	4308	casino_extensions.exe	85
PID 3468 wrote to memory of 3508	3468	Casino_ext.exe	86
PID 3468 wrote to memory of 3508	3468	Casino_ext.exe	86
PID 3468 wrote to memory of 3508	3468	Casino_ext.exe	86
PID 3508 wrote to memory of 228	3508	casino_extensions.exe	87
PID 3508 wrote to memory of 228	3508	casino_extensions.exe	87
PID 3508 wrote to memory of 228	3508	casino_extensions.exe	87
PID 228 wrote to memory of 468	228	casino_extensions.exe	88
PID 228 wrote to memory of 468	228	casino_extensions.exe	88
PID 228 wrote to memory of 468	228	casino_extensions.exe	88
PID 468 wrote to memory of 4136	468	Casino_ext.exe	89
PID 468 wrote to memory of 4136	468	Casino_ext.exe	89
PID 468 wrote to memory of 4136	468	Casino_ext.exe	89
PID 4136 wrote to memory of 4536	4136	casino_extensions.exe	90
PID 4136 wrote to memory of 4536	4136	casino_extensions.exe	90
PID 4136 wrote to memory of 4536	4136	casino_extensions.exe	90
PID 4536 wrote to memory of 3132	4536	casino_extensions.exe	91
PID 4536 wrote to memory of 3132	4536	casino_extensions.exe	91
PID 4536 wrote to memory of 3132	4536	casino_extensions.exe	91
PID 3132 wrote to memory of 1388	3132	Casino_ext.exe	92
PID 3132 wrote to memory of 1388	3132	Casino_ext.exe	92
PID 3132 wrote to memory of 1388	3132	Casino_ext.exe	92
PID 1388 wrote to memory of 1596	1388	casino_extensions.exe	93
PID 1388 wrote to memory of 1596	1388	casino_extensions.exe	93
PID 1388 wrote to memory of 1596	1388	casino_extensions.exe	93
PID 1596 wrote to memory of 3396	1596	casino_extensions.exe	94
PID 1596 wrote to memory of 3396	1596	casino_extensions.exe	94
PID 1596 wrote to memory of 3396	1596	casino_extensions.exe	94
PID 3396 wrote to memory of 3408	3396	Casino_ext.exe	95
PID 3396 wrote to memory of 3408	3396	Casino_ext.exe	95
PID 3396 wrote to memory of 3408	3396	Casino_ext.exe	95
PID 3408 wrote to memory of 2452	3408	casino_extensions.exe	96
PID 3408 wrote to memory of 2452	3408	casino_extensions.exe	96
PID 3408 wrote to memory of 2452	3408	casino_extensions.exe	96
PID 2452 wrote to memory of 3124	2452	casino_extensions.exe	97
PID 2452 wrote to memory of 3124	2452	casino_extensions.exe	97
PID 2452 wrote to memory of 3124	2452	casino_extensions.exe	97
PID 3124 wrote to memory of 1660	3124	Casino_ext.exe	98
PID 3124 wrote to memory of 1660	3124	Casino_ext.exe	98
PID 3124 wrote to memory of 1660	3124	Casino_ext.exe	98
PID 1660 wrote to memory of 4900	1660	casino_extensions.exe	99
PID 1660 wrote to memory of 4900	1660	casino_extensions.exe	99
PID 1660 wrote to memory of 4900	1660	casino_extensions.exe	99
PID 4900 wrote to memory of 4624	4900	LiveMessageCenter.exe	100
PID 4900 wrote to memory of 4624	4900	LiveMessageCenter.exe	100
PID 4900 wrote to memory of 4624	4900	LiveMessageCenter.exe	100
PID 4624 wrote to memory of 3240	4624	casino_extensions.exe	101
PID 4624 wrote to memory of 3240	4624	casino_extensions.exe	101
PID 4624 wrote to memory of 3240	4624	casino_extensions.exe	101
PID 3240 wrote to memory of 2168	3240	casino_extensions.exe	102
PID 3240 wrote to memory of 2168	3240	casino_extensions.exe	102
PID 3240 wrote to memory of 2168	3240	casino_extensions.exe	102
PID 2168 wrote to memory of 1824	2168	Casino_ext.exe	103
PID 2168 wrote to memory of 1824	2168	Casino_ext.exe	103
PID 2168 wrote to memory of 1824	2168	Casino_ext.exe	103
PID 1824 wrote to memory of 3288	1824	casino_extensions.exe	104

C:\Users\Admin\AppData\Local\Temp\1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1e8d3e4527337b1079854db4847b25a0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3508
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        14⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        17⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        22⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3288
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        24⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5116
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        25⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3280
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        27⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        28⤵
        
        PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
616KB

MD5
1670d70b4040288c96bd818cb540ca2b

SHA1
87028f2f1db171016b01c574b5bd284fdc63c9e0

SHA256
3e9a247c0221c9fb9876e2bb1610132bdc158a06b3c716ae7ac7385a21349a7f

SHA512
cdacd7a2a9890831b09bfa6253700c3fdf422e51ab10f75af056ee5ac28840d35acce4373489bccd181c93f0c15d64fb20871fbfa8d6830734adac919e318db8

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
616KB

MD5
6af756a21b3c874174de2795c520b988

SHA1
2f23298d7513c5dae99f52e191a15dfcdedb8cd1

SHA256
5a82391de1a63b91cb71cbb11ecffd8912687db8834221e461e555cb108106a4

SHA512
d3ecab6b12e40c71cf214962b954bec78cf3f79e560ced7f1571291686a88d194a98d456ed186372748ad1630ed830b1de8bdee3aafc04d459dae40beeb85e7a

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
619KB

MD5
1fef853e4ab70a63fbf291e06e6d3d49

SHA1
402eebba7aeb35a0d5f77020e3c6ea01f10f9fab

SHA256
1bb19d2f99ce06e62b948580ea7688e6a0a94ab0eb2261e859f4da8344075069

SHA512
01934f71c599131c108e21a94dbbe0963641d2311a9543b8150a17cc34564f70f1abed1661e4bb3af426df3e6c527d8e169250ff8bf025d11f53f4348f83085b

Download Submit
memory/2680-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4308-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download