7c89669aba4170887366bdfcd2481a09114a583fd6e183f4398735cde3176096

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be4b4729a0c3c59b6d447eecd810f690_NeikiAnalytics.exe
Size

862KB
MD5

be4b4729a0c3c59b6d447eecd810f690
SHA1

7f69fa51da4015a790ed1abf05918aad49ae9ea8
SHA256

7c89669aba4170887366bdfcd2481a09114a583fd6e183f4398735cde3176096
SHA512

4e90570e2343db1d628d2d4e1ce2abafd6e755422978b4eab5a70d27936da4a1ea8e2ebe5eb1bc02811519397174bcb05017e349bf400dcd3bdec6b4cd062bf8
SSDEEP

6144:Tuj8NDF3OR9/Qe2HdklrSqjzQtJnjqno2k29eL8:yOF3ORK3d9QzQtJnjqno2k29R

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
3872	casino_extensions.exe
3908	Casino_ext.exe
2904	casino_extensions.exe
3624	Casino_ext.exe
4884	casino_extensions.exe
2040	Casino_ext.exe
2136	LiveMessageCenter.exe
528	casino_extensions.exe
2804	Casino_ext.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3908	Casino_ext.exe
3908	Casino_ext.exe
3624	Casino_ext.exe
3624	Casino_ext.exe
2040	Casino_ext.exe
2040	Casino_ext.exe
2136	LiveMessageCenter.exe
2136	LiveMessageCenter.exe
2804	Casino_ext.exe
2804	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
232	be4b4729a0c3c59b6d447eecd810f690_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 4976	232	be4b4729a0c3c59b6d447eecd810f690_NeikiAnalytics.exe	83
PID 232 wrote to memory of 4976	232	be4b4729a0c3c59b6d447eecd810f690_NeikiAnalytics.exe	83
PID 232 wrote to memory of 4976	232	be4b4729a0c3c59b6d447eecd810f690_NeikiAnalytics.exe	83
PID 4976 wrote to memory of 3872	4976	casino_extensions.exe	84
PID 4976 wrote to memory of 3872	4976	casino_extensions.exe	84
PID 4976 wrote to memory of 3872	4976	casino_extensions.exe	84
PID 3872 wrote to memory of 3908	3872	casino_extensions.exe	85
PID 3872 wrote to memory of 3908	3872	casino_extensions.exe	85
PID 3872 wrote to memory of 3908	3872	casino_extensions.exe	85
PID 3908 wrote to memory of 3748	3908	Casino_ext.exe	86
PID 3908 wrote to memory of 3748	3908	Casino_ext.exe	86
PID 3908 wrote to memory of 3748	3908	Casino_ext.exe	86
PID 3748 wrote to memory of 2904	3748	casino_extensions.exe	87
PID 3748 wrote to memory of 2904	3748	casino_extensions.exe	87
PID 3748 wrote to memory of 2904	3748	casino_extensions.exe	87
PID 2904 wrote to memory of 3624	2904	casino_extensions.exe	88
PID 2904 wrote to memory of 3624	2904	casino_extensions.exe	88
PID 2904 wrote to memory of 3624	2904	casino_extensions.exe	88
PID 3624 wrote to memory of 1504	3624	Casino_ext.exe	89
PID 3624 wrote to memory of 1504	3624	Casino_ext.exe	89
PID 3624 wrote to memory of 1504	3624	Casino_ext.exe	89
PID 1504 wrote to memory of 4884	1504	casino_extensions.exe	90
PID 1504 wrote to memory of 4884	1504	casino_extensions.exe	90
PID 1504 wrote to memory of 4884	1504	casino_extensions.exe	90
PID 4884 wrote to memory of 2040	4884	casino_extensions.exe	91
PID 4884 wrote to memory of 2040	4884	casino_extensions.exe	91
PID 4884 wrote to memory of 2040	4884	casino_extensions.exe	91
PID 2040 wrote to memory of 1908	2040	Casino_ext.exe	92
PID 2040 wrote to memory of 1908	2040	Casino_ext.exe	92
PID 2040 wrote to memory of 1908	2040	Casino_ext.exe	92
PID 1908 wrote to memory of 2136	1908	casino_extensions.exe	94
PID 1908 wrote to memory of 2136	1908	casino_extensions.exe	94
PID 1908 wrote to memory of 2136	1908	casino_extensions.exe	94
PID 2136 wrote to memory of 1988	2136	LiveMessageCenter.exe	95
PID 2136 wrote to memory of 1988	2136	LiveMessageCenter.exe	95
PID 2136 wrote to memory of 1988	2136	LiveMessageCenter.exe	95
PID 1988 wrote to memory of 528	1988	casino_extensions.exe	96
PID 1988 wrote to memory of 528	1988	casino_extensions.exe	96
PID 1988 wrote to memory of 528	1988	casino_extensions.exe	96
PID 528 wrote to memory of 2804	528	casino_extensions.exe	97
PID 528 wrote to memory of 2804	528	casino_extensions.exe	97
PID 528 wrote to memory of 2804	528	casino_extensions.exe	97
PID 2804 wrote to memory of 1404	2804	Casino_ext.exe	99
PID 2804 wrote to memory of 1404	2804	Casino_ext.exe	99
PID 2804 wrote to memory of 1404	2804	Casino_ext.exe	99
PID 1404 wrote to memory of 1132	1404	casino_extensions.exe	100
PID 1404 wrote to memory of 1132	1404	casino_extensions.exe	100
PID 1404 wrote to memory of 1132	1404	casino_extensions.exe	100

C:\Users\Admin\AppData\Local\Temp\be4b4729a0c3c59b6d447eecd810f690_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\be4b4729a0c3c59b6d447eecd810f690_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:232
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        17⤵
        
        PID:1132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
871KB

MD5
871cb2ac6800abc17e018c1c3a3ec157

SHA1
6d743ecfca642400e5209668d58a71e5dab8e99b

SHA256
9a4671e1ebd8e4018784e5df79b5ad6a530fe296721a56d40b272c9aa7b32179

SHA512
a1608e14ccc5c8640ed83fa4c46c33a9c1299e94a105569dd2883af01b713db4726339c75b5739ff3ea9e70f4450b3e45d6f06af7ccbde5b16f57b31cf8d3ad1

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
876KB

MD5
54056c44bbb28cb87364f41f6fd04555

SHA1
773b5b4cde2498d386a4c59227f7e15cc06d9e14

SHA256
1b9cdcfdf125ba2ff8c1f0db4870613b5eacd69410594e04caeab0e2bf6f71f0

SHA512
b44f357d2c6d28075f9c64cc19fec30e3c018bca9761da1bb39dd5b49820f0b52d1eca5a00547cd00946a3af6773bc2b1430f46fbc27d22fb0d5c8aaf8fb4e4d

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
876KB

MD5
84ea7bb0c537cc6b097aa6473a4d0643

SHA1
5b1508149e7647728e02cc2736cec37b7549f475

SHA256
9b5eee221e60a18c2a4f361bba510e8bebca84ab159c93d29e65695367414dcf

SHA512
2be546fa61888ed8734aaf89573e6fd1749f85438b18e2aad74b7ed9caf7deb6cf6cf2ed536748460df19ebe005b68df8bd569fd90f1065b5719d83c81bd9867

Download Submit
memory/232-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3872-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download