7a4e8cc3405fb1167404a9f2ad0a46f34e0fee2f73ccae1a4fc85d8e2ee09ad0

Analysis

max time kernel
136s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b45267390724b4669440f46af1a91150_NeikiAnalytics.exe
Size

591KB
MD5

b45267390724b4669440f46af1a91150
SHA1

44fdb42ac30f77785e43a2fc901c6327f0106acb
SHA256

7a4e8cc3405fb1167404a9f2ad0a46f34e0fee2f73ccae1a4fc85d8e2ee09ad0
SHA512

0552291098e52ecae7d6d2674ef56b0007dce3c553a2e8de452b25801de9896fbb6e27bd8cd04ef6d2ccf45bf6c563110b5265aa08bce4de3d93acf36bb252d6
SSDEEP

3072:HtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK42i1ZKEJAl9uy:tuj8NDF3OR9/Qe2HdJfwK4DdW9J

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
4596	casino_extensions.exe
2708	Casino_ext.exe
1216	casino_extensions.exe
1316	Casino_ext.exe
4324	LiveMessageCenter.exe
3620	casino_extensions.exe
64	Casino_ext.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2708	Casino_ext.exe
2708	Casino_ext.exe
1316	Casino_ext.exe
1316	Casino_ext.exe
4324	LiveMessageCenter.exe
4324	LiveMessageCenter.exe
64	Casino_ext.exe
64	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4920	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 1796	4920	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	83
PID 4920 wrote to memory of 1796	4920	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	83
PID 4920 wrote to memory of 1796	4920	b45267390724b4669440f46af1a91150_NeikiAnalytics.exe	83
PID 1796 wrote to memory of 4596	1796	casino_extensions.exe	84
PID 1796 wrote to memory of 4596	1796	casino_extensions.exe	84
PID 1796 wrote to memory of 4596	1796	casino_extensions.exe	84
PID 4596 wrote to memory of 2708	4596	casino_extensions.exe	85
PID 4596 wrote to memory of 2708	4596	casino_extensions.exe	85
PID 4596 wrote to memory of 2708	4596	casino_extensions.exe	85
PID 2708 wrote to memory of 2880	2708	Casino_ext.exe	86
PID 2708 wrote to memory of 2880	2708	Casino_ext.exe	86
PID 2708 wrote to memory of 2880	2708	Casino_ext.exe	86
PID 2880 wrote to memory of 1216	2880	casino_extensions.exe	87
PID 2880 wrote to memory of 1216	2880	casino_extensions.exe	87
PID 2880 wrote to memory of 1216	2880	casino_extensions.exe	87
PID 1216 wrote to memory of 1316	1216	casino_extensions.exe	88
PID 1216 wrote to memory of 1316	1216	casino_extensions.exe	88
PID 1216 wrote to memory of 1316	1216	casino_extensions.exe	88
PID 1316 wrote to memory of 2616	1316	Casino_ext.exe	89
PID 1316 wrote to memory of 2616	1316	Casino_ext.exe	89
PID 1316 wrote to memory of 2616	1316	Casino_ext.exe	89
PID 2616 wrote to memory of 4324	2616	casino_extensions.exe	90
PID 2616 wrote to memory of 4324	2616	casino_extensions.exe	90
PID 2616 wrote to memory of 4324	2616	casino_extensions.exe	90
PID 4324 wrote to memory of 600	4324	LiveMessageCenter.exe	91
PID 4324 wrote to memory of 600	4324	LiveMessageCenter.exe	91
PID 4324 wrote to memory of 600	4324	LiveMessageCenter.exe	91
PID 600 wrote to memory of 3620	600	casino_extensions.exe	92
PID 600 wrote to memory of 3620	600	casino_extensions.exe	92
PID 600 wrote to memory of 3620	600	casino_extensions.exe	92
PID 3620 wrote to memory of 64	3620	casino_extensions.exe	93
PID 3620 wrote to memory of 64	3620	casino_extensions.exe	93
PID 3620 wrote to memory of 64	3620	casino_extensions.exe	93
PID 64 wrote to memory of 2184	64	Casino_ext.exe	94
PID 64 wrote to memory of 2184	64	Casino_ext.exe	94
PID 64 wrote to memory of 2184	64	Casino_ext.exe	94
PID 2184 wrote to memory of 840	2184	casino_extensions.exe	95
PID 2184 wrote to memory of 840	2184	casino_extensions.exe	95
PID 2184 wrote to memory of 840	2184	casino_extensions.exe	95

C:\Users\Admin\AppData\Local\Temp\b45267390724b4669440f46af1a91150_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b45267390724b4669440f46af1a91150_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:600
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        14⤵
        
        PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\Casino_ext.exe

Filesize
607KB

MD5
4f8d69d9d73e6daff5c7a1a68045733d

SHA1
ef0f896641d2297571e41d14735f5dc7639404b7

SHA256
095e5da4831d6df5a65981ebafa744b04d14c88e7a9c5ec648df08e2eb2a205f

SHA512
3a4f66aee9c74dfcbff621db7cc74ea8a05f1b8693cc9e3a9189dd31a331658e9731b3501f9c0a6fce9fac97a08fbd7afca821523492a1a7d343f46a339e135d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
595KB

MD5
7d2938901a4436c0f4ba8f0cf33d979e

SHA1
455d06a20e719d8f91ed6cf1d544127800b836c0

SHA256
ab89ea1d431a704f274250ffd253b68300c752a2e4ac9e7b77a1bf533435f268

SHA512
fd7fc67852e8def01d34f6d278d96e77e34c05bf849d3a91b5f31b94c63f0fff5217390913a1781dd54eb8838570e4c41ae471255927410e28a8eeb36a2e209f

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
604KB

MD5
254791470186688e97aeb35d574b7463

SHA1
682fc7ba8024733008d4a153f0dd1560e19ab65d

SHA256
359baa4e1495f5dfc167c85779546fc5c486e81a312bbf5991350a819dab2b23

SHA512
70d401c30b486b6d336d05817c1d03fd2a4911c29095d26a5fe234ca4522077c29d21863e00b74f39c616968604377ec1180ad70d5b6624c82f4f8be06ec7ea2

Download Submit
memory/4596-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4920-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download