36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe
Size

623KB
MD5

0e3032eb8d5e9402786852acea00c450
SHA1

b39591df4b70a4a69c2647e50f1196e5c2e2ac89
SHA256

36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d
SHA512

38f8abb9f4ad97a5b75d3a54a62c7a4805e99ee3ebb0caebf97cfe5b178fb5efe783b5464d43175339eb4f500de47bc0d54702427270963e11ba707d504449cb
SSDEEP

3072:vtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQuoYKN6LSSe9o6Y:luj8NDF3OR9/Qe2HdklruoYk6LReM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
1012	casino_extensions.exe
3232	Casino_ext.exe
4372	casino_extensions.exe
528	Casino_ext.exe
2276	LiveMessageCenter.exe
4292	casino_extensions.exe
4236	Casino_ext.exe
5760	casino_extensions.exe
3140	Casino_ext.exe
5452	LiveMessageCenter.exe
1332	casino_extensions.exe
884	Casino_ext.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3232	Casino_ext.exe
3232	Casino_ext.exe
528	Casino_ext.exe
528	Casino_ext.exe
2276	LiveMessageCenter.exe
2276	LiveMessageCenter.exe
4236	Casino_ext.exe
4236	Casino_ext.exe
3140	Casino_ext.exe
3140	Casino_ext.exe
5452	LiveMessageCenter.exe
5452	LiveMessageCenter.exe
884	Casino_ext.exe
884	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5244	36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 5244 wrote to memory of 4576	5244	36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe	82
PID 5244 wrote to memory of 4576	5244	36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe	82
PID 5244 wrote to memory of 4576	5244	36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe	82
PID 4576 wrote to memory of 1012	4576	casino_extensions.exe	83
PID 4576 wrote to memory of 1012	4576	casino_extensions.exe	83
PID 4576 wrote to memory of 1012	4576	casino_extensions.exe	83
PID 1012 wrote to memory of 3232	1012	casino_extensions.exe	84
PID 1012 wrote to memory of 3232	1012	casino_extensions.exe	84
PID 1012 wrote to memory of 3232	1012	casino_extensions.exe	84
PID 3232 wrote to memory of 3180	3232	Casino_ext.exe	85
PID 3232 wrote to memory of 3180	3232	Casino_ext.exe	85
PID 3232 wrote to memory of 3180	3232	Casino_ext.exe	85
PID 3180 wrote to memory of 4372	3180	casino_extensions.exe	86
PID 3180 wrote to memory of 4372	3180	casino_extensions.exe	86
PID 3180 wrote to memory of 4372	3180	casino_extensions.exe	86
PID 4372 wrote to memory of 528	4372	casino_extensions.exe	87
PID 4372 wrote to memory of 528	4372	casino_extensions.exe	87
PID 4372 wrote to memory of 528	4372	casino_extensions.exe	87
PID 528 wrote to memory of 3128	528	Casino_ext.exe	88
PID 528 wrote to memory of 3128	528	Casino_ext.exe	88
PID 528 wrote to memory of 3128	528	Casino_ext.exe	88
PID 3128 wrote to memory of 2276	3128	casino_extensions.exe	89
PID 3128 wrote to memory of 2276	3128	casino_extensions.exe	89
PID 3128 wrote to memory of 2276	3128	casino_extensions.exe	89
PID 2276 wrote to memory of 1308	2276	LiveMessageCenter.exe	90
PID 2276 wrote to memory of 1308	2276	LiveMessageCenter.exe	90
PID 2276 wrote to memory of 1308	2276	LiveMessageCenter.exe	90
PID 1308 wrote to memory of 4292	1308	casino_extensions.exe	91
PID 1308 wrote to memory of 4292	1308	casino_extensions.exe	91
PID 1308 wrote to memory of 4292	1308	casino_extensions.exe	91
PID 4292 wrote to memory of 4236	4292	casino_extensions.exe	92
PID 4292 wrote to memory of 4236	4292	casino_extensions.exe	92
PID 4292 wrote to memory of 4236	4292	casino_extensions.exe	92
PID 4236 wrote to memory of 1496	4236	Casino_ext.exe	93
PID 4236 wrote to memory of 1496	4236	Casino_ext.exe	93
PID 4236 wrote to memory of 1496	4236	Casino_ext.exe	93
PID 1496 wrote to memory of 5760	1496	casino_extensions.exe	94
PID 1496 wrote to memory of 5760	1496	casino_extensions.exe	94
PID 1496 wrote to memory of 5760	1496	casino_extensions.exe	94
PID 5760 wrote to memory of 3140	5760	casino_extensions.exe	95
PID 5760 wrote to memory of 3140	5760	casino_extensions.exe	95
PID 5760 wrote to memory of 3140	5760	casino_extensions.exe	95
PID 3140 wrote to memory of 2164	3140	Casino_ext.exe	96
PID 3140 wrote to memory of 2164	3140	Casino_ext.exe	96
PID 3140 wrote to memory of 2164	3140	Casino_ext.exe	96
PID 2164 wrote to memory of 5452	2164	casino_extensions.exe	97
PID 2164 wrote to memory of 5452	2164	casino_extensions.exe	97
PID 2164 wrote to memory of 5452	2164	casino_extensions.exe	97
PID 5452 wrote to memory of 5012	5452	LiveMessageCenter.exe	98
PID 5452 wrote to memory of 5012	5452	LiveMessageCenter.exe	98
PID 5452 wrote to memory of 5012	5452	LiveMessageCenter.exe	98
PID 5012 wrote to memory of 1332	5012	casino_extensions.exe	99
PID 5012 wrote to memory of 1332	5012	casino_extensions.exe	99
PID 5012 wrote to memory of 1332	5012	casino_extensions.exe	99
PID 1332 wrote to memory of 884	1332	casino_extensions.exe	100
PID 1332 wrote to memory of 884	1332	casino_extensions.exe	100
PID 1332 wrote to memory of 884	1332	casino_extensions.exe	100
PID 884 wrote to memory of 4216	884	Casino_ext.exe	101
PID 884 wrote to memory of 4216	884	Casino_ext.exe	101
PID 884 wrote to memory of 4216	884	Casino_ext.exe	101
PID 4216 wrote to memory of 68	4216	casino_extensions.exe	102
PID 4216 wrote to memory of 68	4216	casino_extensions.exe	102
PID 4216 wrote to memory of 68	4216	casino_extensions.exe	102

C:\Users\Admin\AppData\Local\Temp\36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\36ee18c553e3463dff8c087c93ee54ef8b1b3f5e8408358ff8abef6adec73e8d_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5244
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5760
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5452
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        18⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        21⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        22⤵
        
        PID:68

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
634KB

MD5
cda4429ec7a369750b96cc513c3c5185

SHA1
c0d6bb16fd6e77ec3128294ba2129612e9694292

SHA256
45c9545baee6af9723ef0758c55545db6b0030c3638371a269b62f2ac17d59d4

SHA512
8560a81e91b917f6304ef3cbbdab5a4db0f98b5d450c34e5f8c221d948363593a6b67801f0ca5df6d242309ad749b084d0853e8e41961e154e6ff5ffad661984

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
640KB

MD5
77246bf3af3ad54f9c8f61adbd613e39

SHA1
0bc9cb7c965f38719341609281a9c8dbf2c347d2

SHA256
d445b601e76dec1652a634441f2e5b6369e70a245e4382ea2d70ac91f3b389cb

SHA512
d1cd699651ba3dbdb2abaaca918b33f014c64319b5a3735e89053835d527252ad0177fb5446c2b79d06cadd78b2f112465b08ffbbb3aef332fd59751d05b06dd

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
634KB

MD5
15c1e4e8c2c1dd77061951ae4945d05a

SHA1
f5a67bb5e091f53f88014b4c45913497b66603e8

SHA256
6eaa974586394c803670983a0eb9f8e7f432d84090e8e6f9bc4ce28395b1944a

SHA512
2e5072e9c83280f9c680929fd875463ecd1bfee696f03e18a39cf4e54d6c1fc79b4a28a842873ff832af4899867f06bd2e8392b37854ae746da4fedfb54e4455

Download Submit
memory/1012-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5244-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download