a9e8ccea363dd27d8e18a22633cc4479f44e64dbeacdd2c50bd6857863afbcee

General

Target

33afceea16abf10bf02e620e84976e40_NeikiAnalytics.exe
Size

513KB
MD5

33afceea16abf10bf02e620e84976e40
SHA1

a931091f0b15894c749e0b4894b1fcd61273ba56
SHA256

a9e8ccea363dd27d8e18a22633cc4479f44e64dbeacdd2c50bd6857863afbcee
SHA512

4faf69d3cc88e307ddb8d659b6e030f89b05268fcc8717e8b4496e007976804ed9457f4b0e8857be2248457cdd4d9ab5079333097026a365980033282e6a4d6c
SSDEEP

6144:/uj8NDF3OR9/Qe2HdJ8RAfnsV1YYi6qFXQw/X:2OF3ORK3d7fnsV1Ti6qFXQw/X

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4744	casino_extensions.exe
4632	Casino_ext.exe
692	LiveMessageCenter.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4632	Casino_ext.exe
4632	Casino_ext.exe
692	LiveMessageCenter.exe
692	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4524	33afceea16abf10bf02e620e84976e40_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 1284	4524	33afceea16abf10bf02e620e84976e40_NeikiAnalytics.exe	83
PID 4524 wrote to memory of 1284	4524	33afceea16abf10bf02e620e84976e40_NeikiAnalytics.exe	83
PID 4524 wrote to memory of 1284	4524	33afceea16abf10bf02e620e84976e40_NeikiAnalytics.exe	83
PID 1284 wrote to memory of 4744	1284	casino_extensions.exe	84
PID 1284 wrote to memory of 4744	1284	casino_extensions.exe	84
PID 1284 wrote to memory of 4744	1284	casino_extensions.exe	84
PID 4744 wrote to memory of 4632	4744	casino_extensions.exe	85
PID 4744 wrote to memory of 4632	4744	casino_extensions.exe	85
PID 4744 wrote to memory of 4632	4744	casino_extensions.exe	85
PID 4632 wrote to memory of 3924	4632	Casino_ext.exe	86
PID 4632 wrote to memory of 3924	4632	Casino_ext.exe	86
PID 4632 wrote to memory of 3924	4632	Casino_ext.exe	86
PID 3924 wrote to memory of 692	3924	casino_extensions.exe	87
PID 3924 wrote to memory of 692	3924	casino_extensions.exe	87
PID 3924 wrote to memory of 692	3924	casino_extensions.exe	87
PID 692 wrote to memory of 1548	692	LiveMessageCenter.exe	88
PID 692 wrote to memory of 1548	692	LiveMessageCenter.exe	88
PID 692 wrote to memory of 1548	692	LiveMessageCenter.exe	88
PID 1548 wrote to memory of 1260	1548	casino_extensions.exe	89
PID 1548 wrote to memory of 1260	1548	casino_extensions.exe	89
PID 1548 wrote to memory of 1260	1548	casino_extensions.exe	89

C:\Users\Admin\AppData\Local\Temp\33afceea16abf10bf02e620e84976e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\33afceea16abf10bf02e620e84976e40_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3924
      - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        7⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        8⤵
        
        PID:1260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
526KB

MD5
14ba94654c44d771f5dd47712e6318bc

SHA1
c3616a21abf914ba958a00050e644604cdfaa3a1

SHA256
96c4c76086c942b8b090ff47b297288cb2aee34c774b700cc1e98539191c54e9

SHA512
9424d2b977b85818536e58597e4d5c23262dfe6332794fc3cdf7ca1371860a7e9e41eefb8c485c6ad4002193231c784593935f89d2d7609bc78a168052515a58

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
527KB

MD5
047857b80a9163802e40103c761dc7d5

SHA1
63a344f198c0cd174ac135ec355b97fcb508d817

SHA256
df902abacc80aae3750352da118a26a067700a3dc2104721361e51af311289b2

SHA512
f1a98de77d5ad14b0dd8e97c98111e32cf1143c9ee0a6662f9ad14011bc233335079d3ad27c6bb90efbd301b0c5c224503dea5923920d60e139ee07650b59a96

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
520KB

MD5
112f939d73511f8d2f8a71ea1e5bea3f

SHA1
09e8b043726f74fd53c3a5fe711172b5c5123589

SHA256
c7a07e513d8d8f168f02e4784adb6a7bc0c1cf58c86f48a5b934ef9d5b59a4e8

SHA512
a80fbbc0d582241d140e531e9500580204233e627c9e7bbfa446777d1e7914cfb9082127193d02b3f7345832626157174ec33ccdd20c8fd76d5223053849a332

Download Submit
memory/4524-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4744-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing