8b1d3639bce3f9a6be2ec89608f1034b2dd5a1dec6344e09a8b4687d62e578cf

Analysis

max time kernel
140s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe
Size

989KB
MD5

9063353f82d2cc5065aa7d0363131600
SHA1

a9fe4986bf58647fd7f808accf1a6c18ecdb9455
SHA256

8b1d3639bce3f9a6be2ec89608f1034b2dd5a1dec6344e09a8b4687d62e578cf
SHA512

f86011ed2a75eefbafa0bd17a3ec4c3cbda2090d353f63ec490c8b4a82b426f8edfd8db19b3dd670c5d90003c9572d470e65e04f51a174bb2d170480fdf54738
SSDEEP

3072:ItwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwMykw+imi5wxx4Vao2i1d7:Yuj8NDF3OR9/Qe2HdJ8pS4ofWdii6QrW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2284	casino_extensions.exe
1060	Casino_ext.exe
428	casino_extensions.exe
4856	Casino_ext.exe
3404	LiveMessageCenter.exe
3952	casino_extensions.exe
4944	Casino_ext.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1060	Casino_ext.exe
1060	Casino_ext.exe
4856	Casino_ext.exe
4856	Casino_ext.exe
3404	LiveMessageCenter.exe
3404	LiveMessageCenter.exe
4944	Casino_ext.exe
4944	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3020	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 1844	3020	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe	92
PID 3020 wrote to memory of 1844	3020	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe	92
PID 3020 wrote to memory of 1844	3020	9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe	92
PID 1844 wrote to memory of 2284	1844	casino_extensions.exe	93
PID 1844 wrote to memory of 2284	1844	casino_extensions.exe	93
PID 1844 wrote to memory of 2284	1844	casino_extensions.exe	93
PID 2284 wrote to memory of 1060	2284	casino_extensions.exe	94
PID 2284 wrote to memory of 1060	2284	casino_extensions.exe	94
PID 2284 wrote to memory of 1060	2284	casino_extensions.exe	94
PID 1060 wrote to memory of 4200	1060	Casino_ext.exe	95
PID 1060 wrote to memory of 4200	1060	Casino_ext.exe	95
PID 1060 wrote to memory of 4200	1060	Casino_ext.exe	95
PID 4200 wrote to memory of 428	4200	casino_extensions.exe	96
PID 4200 wrote to memory of 428	4200	casino_extensions.exe	96
PID 4200 wrote to memory of 428	4200	casino_extensions.exe	96
PID 428 wrote to memory of 4856	428	casino_extensions.exe	97
PID 428 wrote to memory of 4856	428	casino_extensions.exe	97
PID 428 wrote to memory of 4856	428	casino_extensions.exe	97
PID 4856 wrote to memory of 4020	4856	Casino_ext.exe	98
PID 4856 wrote to memory of 4020	4856	Casino_ext.exe	98
PID 4856 wrote to memory of 4020	4856	Casino_ext.exe	98
PID 4020 wrote to memory of 3404	4020	casino_extensions.exe	99
PID 4020 wrote to memory of 3404	4020	casino_extensions.exe	99
PID 4020 wrote to memory of 3404	4020	casino_extensions.exe	99
PID 3404 wrote to memory of 2848	3404	LiveMessageCenter.exe	100
PID 3404 wrote to memory of 2848	3404	LiveMessageCenter.exe	100
PID 3404 wrote to memory of 2848	3404	LiveMessageCenter.exe	100
PID 2848 wrote to memory of 3952	2848	casino_extensions.exe	101
PID 2848 wrote to memory of 3952	2848	casino_extensions.exe	101
PID 2848 wrote to memory of 3952	2848	casino_extensions.exe	101
PID 3952 wrote to memory of 4944	3952	casino_extensions.exe	102
PID 3952 wrote to memory of 4944	3952	casino_extensions.exe	102
PID 3952 wrote to memory of 4944	3952	casino_extensions.exe	102
PID 4944 wrote to memory of 4832	4944	Casino_ext.exe	103
PID 4944 wrote to memory of 4832	4944	Casino_ext.exe	103
PID 4944 wrote to memory of 4832	4944	Casino_ext.exe	103
PID 4832 wrote to memory of 4764	4832	casino_extensions.exe	105
PID 4832 wrote to memory of 4764	4832	casino_extensions.exe	105
PID 4832 wrote to memory of 4764	4832	casino_extensions.exe	105

C:\Users\Admin\AppData\Local\Temp\9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9063353f82d2cc5065aa7d0363131600_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        14⤵
        
        PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3644,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
1⤵
PID:1444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
997KB

MD5
ccf3bae1959fccaccc866222c9d30d9f

SHA1
07a1403edd8b16011e90be6ad4f080195e9ad453

SHA256
33d2e5b468c04b6fd575720f83f43471999e71daa768ed48859900647de04000

SHA512
e6c48ad4fbb78c91c811d82a9c98c7310af3d98300ecdb787745b6f962114ec28eb487fc80672543547cf23c3d1e03111cfca95d8ccd68b77dd49146e4eead94

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
1004KB

MD5
2733d53b99fcfd7b9827874429f8bcff

SHA1
723d30640da61f2db29e0c795a873767704bf8f7

SHA256
8c8268e1559620b7163879bda4731cf5c286bcd994b2e6fc35a512752de2686a

SHA512
d14ec4edfeb11a345dfc939043f21e600345c4df1851fa443279505fec6ff7ff9b275020874c7a87125392655975e2df56fd7322053f5963da75869fa6e3eac0

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
990KB

MD5
8449412f74096c480e037c3da446055d

SHA1
2b6d73bb89613aad7a2423ba46351d44b4a5abdb

SHA256
dc0bef0583ab049692988ba4e450f3ed2b53a546ce10a3a922117506da4fe374

SHA512
31edf6930b97dfd8dee6d83a0419772dd044e7a401b87aa2ff473c0cf64a92be59453f68e39a0df9ebeb5fd80172c280a51ea1ca949cadbd25b2dd8b4cf8c3f9

Download Submit
memory/2284-8-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3020-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download