7a4e8cc3405fb1167404a9f2ad0a46f34e0fee2f73ccae1a4fc85d8e2ee09ad0

General

Target

b45267390724b4669440f46af1a91150_NeikiAnalytics.exe
Size

591KB
MD5

b45267390724b4669440f46af1a91150
SHA1

44fdb42ac30f77785e43a2fc901c6327f0106acb
SHA256

7a4e8cc3405fb1167404a9f2ad0a46f34e0fee2f73ccae1a4fc85d8e2ee09ad0
SHA512

0552291098e52ecae7d6d2674ef56b0007dce3c553a2e8de452b25801de9896fbb6e27bd8cd04ef6d2ccf45bf6c563110b5265aa08bce4de3d93acf36bb252d6
SSDEEP

3072:HtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK42i1ZKEJAl9uy:tuj8NDF3OR9/Qe2HdJfwK4DdW9J

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	Casino_ext.exe

Executes dropped EXE 4 IoCs

pid	Process
1912	casino_extensions.exe
2116	Casino_ext.exe
848	casino_extensions.exe
2816	Casino_ext.exe

Loads dropped DLL 4 IoCs

pid	Process
2180	casino_extensions.exe
2180	casino_extensions.exe
1772	casino_extensions.exe
1772	casino_extensions.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	Casino_ext.exe
2816	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1548	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2180	1548	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	28
PID 1548 wrote to memory of 2180	1548	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	28
PID 1548 wrote to memory of 2180	1548	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	28
PID 1548 wrote to memory of 2180	1548	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	28
PID 2180 wrote to memory of 1912	2180	casino_extensions.exe	29
PID 2180 wrote to memory of 1912	2180	casino_extensions.exe	29
PID 2180 wrote to memory of 1912	2180	casino_extensions.exe	29
PID 2180 wrote to memory of 1912	2180	casino_extensions.exe	29
PID 1912 wrote to memory of 2116	1912	casino_extensions.exe	30
PID 1912 wrote to memory of 2116	1912	casino_extensions.exe	30
PID 1912 wrote to memory of 2116	1912	casino_extensions.exe	30
PID 1912 wrote to memory of 2116	1912	casino_extensions.exe	30
PID 2116 wrote to memory of 1772	2116	Casino_ext.exe	31
PID 2116 wrote to memory of 1772	2116	Casino_ext.exe	31
PID 2116 wrote to memory of 1772	2116	Casino_ext.exe	31
PID 2116 wrote to memory of 1772	2116	Casino_ext.exe	31
PID 1772 wrote to memory of 848	1772	casino_extensions.exe	32
PID 1772 wrote to memory of 848	1772	casino_extensions.exe	32
PID 1772 wrote to memory of 848	1772	casino_extensions.exe	32
PID 1772 wrote to memory of 848	1772	casino_extensions.exe	32
PID 848 wrote to memory of 2816	848	casino_extensions.exe	33
PID 848 wrote to memory of 2816	848	casino_extensions.exe	33
PID 848 wrote to memory of 2816	848	casino_extensions.exe	33
PID 848 wrote to memory of 2816	848	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\b45267390724b4669440f46af1a91150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b45267390724b4669440f46af1a91150_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2116
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Deletes itself
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\casino_extensions.exe

Filesize
600KB

MD5
b4cb77638b0bc6623a72f6cb513b14c3

SHA1
43a5838cbf7a36eaeecfd6e1753ce3e31fa80972

SHA256
8e04a097d63a3088e3f604c5df2170e2280f6daa429293b49f5d7bd2e4348cc5

SHA512
e3d70c603671d1da47c976d31540ed63e3c648e1e709b13c59e0a93dc119d8d299c94cfcc726291d6efffc8474116f9b8b28a92dc2abed3c769b8a4468202a66

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
608KB

MD5
73284688ef4744469c487a86a0a9b590

SHA1
ed274697106424fd80916e5a80632b50e165e8fb

SHA256
1e9affb997995f615246ea0440ebce834dc6c468ebd6d65348acf810e85bb4f8

SHA512
74042be0d049052432e228bfb89a631097898b8795e6d7c923c7b116ab902c017b299f2f142678a60bb5523291dd6aa148c5ecf1e721cd4e82dcf3bea4be4fe7

Download Submit
memory/1548-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1912-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing