29b911e4f366d3ce03857b91cf5f3743b7671957a8d0e05b096e18c9925aee9f

General

Target

8bf16c6e5947a8725b12ad6b51b751f0_NeikiAnalytics.exe
Size

1.1MB
MD5

8bf16c6e5947a8725b12ad6b51b751f0
SHA1

3415aa2210e831cd3552e9bb7bd0aa35efb87cde
SHA256

29b911e4f366d3ce03857b91cf5f3743b7671957a8d0e05b096e18c9925aee9f
SHA512

2629c6979dc0c793f203708a9da34aa822f556a9c4a0b4b86566f7732b3b0cad61f321b7aee2261a8ba523f105ab22516b299975e1908a99cffe6faddffb1172
SSDEEP

3072:qtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdLz2i1qt2i1k:Ouj8NDF3OR9/Qe2HdklrSqjzQtJo3FCk

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2676	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1744	casino_extensions.exe
2908	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
856	casino_extensions.exe
856	casino_extensions.exe
3052	casino_extensions.exe
3052	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2908	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2140	8bf16c6e5947a8725b12ad6b51b751f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 856	2140	8bf16c6e5947a8725b12ad6b51b751f0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 856	2140	8bf16c6e5947a8725b12ad6b51b751f0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 856	2140	8bf16c6e5947a8725b12ad6b51b751f0_NeikiAnalytics.exe	28
PID 2140 wrote to memory of 856	2140	8bf16c6e5947a8725b12ad6b51b751f0_NeikiAnalytics.exe	28
PID 856 wrote to memory of 1744	856	casino_extensions.exe	29
PID 856 wrote to memory of 1744	856	casino_extensions.exe	29
PID 856 wrote to memory of 1744	856	casino_extensions.exe	29
PID 856 wrote to memory of 1744	856	casino_extensions.exe	29
PID 1744 wrote to memory of 3052	1744	casino_extensions.exe	30
PID 1744 wrote to memory of 3052	1744	casino_extensions.exe	30
PID 1744 wrote to memory of 3052	1744	casino_extensions.exe	30
PID 1744 wrote to memory of 3052	1744	casino_extensions.exe	30
PID 3052 wrote to memory of 2908	3052	casino_extensions.exe	31
PID 3052 wrote to memory of 2908	3052	casino_extensions.exe	31
PID 3052 wrote to memory of 2908	3052	casino_extensions.exe	31
PID 3052 wrote to memory of 2908	3052	casino_extensions.exe	31
PID 2908 wrote to memory of 3040	2908	LiveMessageCenter.exe	32
PID 2908 wrote to memory of 3040	2908	LiveMessageCenter.exe	32
PID 2908 wrote to memory of 3040	2908	LiveMessageCenter.exe	32
PID 2908 wrote to memory of 3040	2908	LiveMessageCenter.exe	32
PID 3040 wrote to memory of 2676	3040	casino_extensions.exe	33
PID 3040 wrote to memory of 2676	3040	casino_extensions.exe	33
PID 3040 wrote to memory of 2676	3040	casino_extensions.exe	33
PID 3040 wrote to memory of 2676	3040	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\8bf16c6e5947a8725b12ad6b51b751f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8bf16c6e5947a8725b12ad6b51b751f0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
1.1MB

MD5
97acd8e8b5e95fde625f99827d9169f7

SHA1
4c11996fd4f314c904baf452af529b5e8c56febb

SHA256
d08d17e95b7789942117c10b51dcfa578c902be104c0d07d7b0b36d5092c0ac3

SHA512
cf165d00c2a8cfaf158c0ffcd36cbc6969bc6f01601bbe3b9250b7c10f46994214642e084a250f552a0b2cae1e9a167a500ce1f8437b3fa82b2bd34e51b5f926

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
1.1MB

MD5
6ec817aebda1ae4c12203a6693c8dc2f

SHA1
b3c41f4f949c2e362cc94b524cd4d3748a175980

SHA256
64045d90940796e948aaf21b0ca29b26dd48e613f805a2703396daadf9d00924

SHA512
9ab519da89856b9369b13affff8bda32d8ac67b50a86a7945187c537f81feb2ce99334d51069e2abf907d9c62ad8d044c19702ada6e7be4a77b8e0726771d86d

Download Submit
memory/2140-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing