cbf039a8a55b60f2a4bc438dc67484c348b8c964f0d34872cec13647a266c8d0

Analysis

max time kernel
140s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 00:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ac02dc01aa97839aa3a6f6919bcb190_NeikiAnalytics.exe
Size

488KB
MD5

6ac02dc01aa97839aa3a6f6919bcb190
SHA1

9c26bee47900e760cacfc132f5d67e097161d58e
SHA256

cbf039a8a55b60f2a4bc438dc67484c348b8c964f0d34872cec13647a266c8d0
SHA512

a6fc730adf4ef0cd70a4b0af12cbe914b3b7861bbd70b78dd8a52ad569fa5428aba71881a39d698583ff34bcb4210a394e75ec62aafc2508e45cf59f6c3c7752
SSDEEP

3072:itwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK42i1ZKEJAl9ur:Wuj8NDF3OR9/Qe2HdJfwK4DdW9s

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
2512	casino_extensions.exe
3248	Casino_ext.exe
1484	casino_extensions.exe
3884	Casino_ext.exe
736	casino_extensions.exe
4476	Casino_ext.exe
4424	LiveMessageCenter.exe
4332	casino_extensions.exe
1496	Casino_ext.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3248	Casino_ext.exe
3248	Casino_ext.exe
3884	Casino_ext.exe
3884	Casino_ext.exe
4476	Casino_ext.exe
4476	Casino_ext.exe
4424	LiveMessageCenter.exe
4424	LiveMessageCenter.exe
1496	Casino_ext.exe
1496	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4844	6ac02dc01aa97839aa3a6f6919bcb190_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 212	4844	6ac02dc01aa97839aa3a6f6919bcb190_NeikiAnalytics.exe	90
PID 4844 wrote to memory of 212	4844	6ac02dc01aa97839aa3a6f6919bcb190_NeikiAnalytics.exe	90
PID 4844 wrote to memory of 212	4844	6ac02dc01aa97839aa3a6f6919bcb190_NeikiAnalytics.exe	90
PID 212 wrote to memory of 2512	212	casino_extensions.exe	91
PID 212 wrote to memory of 2512	212	casino_extensions.exe	91
PID 212 wrote to memory of 2512	212	casino_extensions.exe	91
PID 2512 wrote to memory of 3248	2512	casino_extensions.exe	92
PID 2512 wrote to memory of 3248	2512	casino_extensions.exe	92
PID 2512 wrote to memory of 3248	2512	casino_extensions.exe	92
PID 3248 wrote to memory of 2860	3248	Casino_ext.exe	93
PID 3248 wrote to memory of 2860	3248	Casino_ext.exe	93
PID 3248 wrote to memory of 2860	3248	Casino_ext.exe	93
PID 2860 wrote to memory of 1484	2860	casino_extensions.exe	94
PID 2860 wrote to memory of 1484	2860	casino_extensions.exe	94
PID 2860 wrote to memory of 1484	2860	casino_extensions.exe	94
PID 1484 wrote to memory of 3884	1484	casino_extensions.exe	95
PID 1484 wrote to memory of 3884	1484	casino_extensions.exe	95
PID 1484 wrote to memory of 3884	1484	casino_extensions.exe	95
PID 3884 wrote to memory of 3216	3884	Casino_ext.exe	96
PID 3884 wrote to memory of 3216	3884	Casino_ext.exe	96
PID 3884 wrote to memory of 3216	3884	Casino_ext.exe	96
PID 3216 wrote to memory of 736	3216	casino_extensions.exe	97
PID 3216 wrote to memory of 736	3216	casino_extensions.exe	97
PID 3216 wrote to memory of 736	3216	casino_extensions.exe	97
PID 736 wrote to memory of 4476	736	casino_extensions.exe	98
PID 736 wrote to memory of 4476	736	casino_extensions.exe	98
PID 736 wrote to memory of 4476	736	casino_extensions.exe	98
PID 4476 wrote to memory of 872	4476	Casino_ext.exe	100
PID 4476 wrote to memory of 872	4476	Casino_ext.exe	100
PID 4476 wrote to memory of 872	4476	Casino_ext.exe	100
PID 872 wrote to memory of 4424	872	casino_extensions.exe	101
PID 872 wrote to memory of 4424	872	casino_extensions.exe	101
PID 872 wrote to memory of 4424	872	casino_extensions.exe	101
PID 4424 wrote to memory of 2264	4424	LiveMessageCenter.exe	102
PID 4424 wrote to memory of 2264	4424	LiveMessageCenter.exe	102
PID 4424 wrote to memory of 2264	4424	LiveMessageCenter.exe	102
PID 2264 wrote to memory of 4332	2264	casino_extensions.exe	103
PID 2264 wrote to memory of 4332	2264	casino_extensions.exe	103
PID 2264 wrote to memory of 4332	2264	casino_extensions.exe	103
PID 4332 wrote to memory of 1496	4332	casino_extensions.exe	104
PID 4332 wrote to memory of 1496	4332	casino_extensions.exe	104
PID 4332 wrote to memory of 1496	4332	casino_extensions.exe	104
PID 1496 wrote to memory of 672	1496	Casino_ext.exe	105
PID 1496 wrote to memory of 672	1496	Casino_ext.exe	105
PID 1496 wrote to memory of 672	1496	Casino_ext.exe	105
PID 672 wrote to memory of 3748	672	casino_extensions.exe	106
PID 672 wrote to memory of 3748	672	casino_extensions.exe	106
PID 672 wrote to memory of 3748	672	casino_extensions.exe	106

C:\Users\Admin\AppData\Local\Temp\6ac02dc01aa97839aa3a6f6919bcb190_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6ac02dc01aa97839aa3a6f6919bcb190_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3248
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        17⤵
        
        PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
1⤵
PID:3192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
489KB

MD5
82a601153e9163b8736751c098c8c864

SHA1
0c844fa3f674d6c11ca9230bd5c1255bba423cac

SHA256
20fecc63fb14c10f201c647b7f09cbf922a67c2f8738a2d90fb3e8e4a47ad76d

SHA512
ed5d04de34a38d3cadba18180f41ca1a011a652370ebdc3e6b472a8fa5f80e596ed4893a7fe7e217bada5d1f7638206ae43dd171c72743311fd9367d75c8d3bb

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
503KB

MD5
c8aa51996460263bc3259e5cda327872

SHA1
d07b9056414d027ced8056c9988aa685ae66ee21

SHA256
c0cabb1948102daa28d744def84c0e540577c0f37d7caf38ffbcd9c454508c51

SHA512
43f126fa467182a82e8a56996ac5df214a736892c15554718840a40bfa327362e8dbab8fda52b230a1c7d5208ea2c10fbc08cf62a10b7a6c6351561f690dd1d7

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
492KB

MD5
608a0b7ee155d0fc5a6478c29c4bb199

SHA1
52ae4b47eadea842c5d03d0fdf518bf498e11f6a

SHA256
a7a3e83c2fbe3d6d9d2c27259b9355b833bb1f97b64a9290b29769c266f70148

SHA512
9c63bc83141ba97fe887ac9f15c09687c414866d63546b8f0a4b406b8874cb33501c825ec7ed7f9309dc8f28cc261c2dec85df8bc61f4bcf04aedaf6d69a6d00

Download Submit
memory/2512-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4844-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download