8b1d3639bce3f9a6be2ec89608f1034b2dd5a1dec6344e09a8b4687d62e578cf

General

Target

9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe
Size

989KB
MD5

9063353f82d2cc5065aa7d0363131600
SHA1

a9fe4986bf58647fd7f808accf1a6c18ecdb9455
SHA256

8b1d3639bce3f9a6be2ec89608f1034b2dd5a1dec6344e09a8b4687d62e578cf
SHA512

f86011ed2a75eefbafa0bd17a3ec4c3cbda2090d353f63ec490c8b4a82b426f8edfd8db19b3dd670c5d90003c9572d470e65e04f51a174bb2d170480fdf54738
SSDEEP

3072:ItwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMykw+imi5wxx4Vao2i1d7:Yuj8NDF3OR9/Qe2HdJ8pS4ofWdii6QrW

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2668	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1160	casino_extensions.exe
2304	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
908	casino_extensions.exe
908	casino_extensions.exe
2756	casino_extensions.exe
2756	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2304	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3056	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 908	3056	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 908	3056	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 908	3056	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 908	3056	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe	28
PID 908 wrote to memory of 1160	908	casino_extensions.exe	29
PID 908 wrote to memory of 1160	908	casino_extensions.exe	29
PID 908 wrote to memory of 1160	908	casino_extensions.exe	29
PID 908 wrote to memory of 1160	908	casino_extensions.exe	29
PID 1160 wrote to memory of 2756	1160	casino_extensions.exe	30
PID 1160 wrote to memory of 2756	1160	casino_extensions.exe	30
PID 1160 wrote to memory of 2756	1160	casino_extensions.exe	30
PID 1160 wrote to memory of 2756	1160	casino_extensions.exe	30
PID 2756 wrote to memory of 2304	2756	casino_extensions.exe	31
PID 2756 wrote to memory of 2304	2756	casino_extensions.exe	31
PID 2756 wrote to memory of 2304	2756	casino_extensions.exe	31
PID 2756 wrote to memory of 2304	2756	casino_extensions.exe	31
PID 2304 wrote to memory of 2572	2304	LiveMessageCenter.exe	32
PID 2304 wrote to memory of 2572	2304	LiveMessageCenter.exe	32
PID 2304 wrote to memory of 2572	2304	LiveMessageCenter.exe	32
PID 2304 wrote to memory of 2572	2304	LiveMessageCenter.exe	32
PID 2572 wrote to memory of 2668	2572	casino_extensions.exe	33
PID 2572 wrote to memory of 2668	2572	casino_extensions.exe	33
PID 2572 wrote to memory of 2668	2572	casino_extensions.exe	33
PID 2572 wrote to memory of 2668	2572	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1160
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
1000KB

MD5
bd134af879902fa1db390b6197670c81

SHA1
41b2b8f9af5c090fa956916a69951e6108ebadb2

SHA256
3b60d3ff71ed58351d76fcc3b34089145da17fb6b3feb4be519d7d3e22876f97

SHA512
958aa8377efd88192a4fb0376ff0f4d0e687eb3c44154d0b7a38f27bd5f27a9fd3f252fbb669650563063a4e30e50e9150e889c9afb35685b5fc67a06afa2110

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
997KB

MD5
01a2cb5f80dd0aea845e6bb500f390e6

SHA1
f06969736036f1ba683e7900ead31d00085e37a8

SHA256
109ae34f86176e72772a1ab0c0e112f582118af4fd0ebec61714421d0fc349f8

SHA512
fa19024ee7e4b95c48a6701d4c914050df55ca8938578be9fcbf72ffe4804a4f932469c7c1f66104645cb102a311564e883a56e1411454871228b8df109a432a

Download Submit
memory/3056-20-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing