4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a

General

Target

4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe
Size

715KB
MD5

9f097dabc838e75a9c4216ec60b6c460
SHA1

7f6cafc761e2a237138a429fcb1648b16fa3df84
SHA256

4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a
SHA512

814ecd5231908cd8b6588b19b774f03e04b7fabc4f7204c10e9e0d1dbdf4f24a9a4a01480ddc64f86b9cc435531bb2cd6fd657e2a8bff84a9267582b27105aaf
SSDEEP

3072:htwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWy:buj8NDF3OR9/Qe2Hdklrn4K3eP7y

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2944	casino_extensions.exe
2876	LiveMessageCenter.exe

Loads dropped DLL 4 IoCs

pid	Process
1952	casino_extensions.exe
1952	casino_extensions.exe
3056	casino_extensions.exe
3056	casino_extensions.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2876	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2924	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 1952	2924	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1952	2924	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1952	2924	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 1952	2924	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe	28
PID 1952 wrote to memory of 2944	1952	casino_extensions.exe	29
PID 1952 wrote to memory of 2944	1952	casino_extensions.exe	29
PID 1952 wrote to memory of 2944	1952	casino_extensions.exe	29
PID 1952 wrote to memory of 2944	1952	casino_extensions.exe	29
PID 2944 wrote to memory of 3056	2944	casino_extensions.exe	30
PID 2944 wrote to memory of 3056	2944	casino_extensions.exe	30
PID 2944 wrote to memory of 3056	2944	casino_extensions.exe	30
PID 2944 wrote to memory of 3056	2944	casino_extensions.exe	30
PID 3056 wrote to memory of 2876	3056	casino_extensions.exe	31
PID 3056 wrote to memory of 2876	3056	casino_extensions.exe	31
PID 3056 wrote to memory of 2876	3056	casino_extensions.exe	31
PID 3056 wrote to memory of 2876	3056	casino_extensions.exe	31
PID 2876 wrote to memory of 2188	2876	LiveMessageCenter.exe	32
PID 2876 wrote to memory of 2188	2876	LiveMessageCenter.exe	32
PID 2876 wrote to memory of 2188	2876	LiveMessageCenter.exe	32
PID 2876 wrote to memory of 2188	2876	LiveMessageCenter.exe	32
PID 2188 wrote to memory of 2640	2188	casino_extensions.exe	33
PID 2188 wrote to memory of 2640	2188	casino_extensions.exe	33
PID 2188 wrote to memory of 2640	2188	casino_extensions.exe	33
PID 2188 wrote to memory of 2640	2188	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
      "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
      4⤵
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2876
      - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        6⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        7⤵
        Deletes itself
        
        PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
731KB

MD5
246550511e601389ce5000d562a957fe

SHA1
df1db08ecdaca5a69069742999bf30a9f3753522

SHA256
04d4ba453366c43dea687cd3b674c7077e0e92151af0de3e49957e3b5b439b4d

SHA512
0ec76820f3e7b80c236bced8fbeeec91d41d800307665aa5ca19d0cbb5407e43acf607c77872a898bee2e80537646cb9752dcba713013de49d4bc3d335daa68a

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
724KB

MD5
36bb56c5b54bd1e09439fbd371d98e52

SHA1
db3bfda311344e095a6dc45c9c7db831f5cc3577

SHA256
a25e02c80358f15f1414e022ae8b6ea07505fc6983b62238509163e074b110e8

SHA512
fd6ff2a8614027b38b756af1e7494d010ecb604c030ac943abc3a365a6101c5dd0e414cbb6bc9fe6fa2b02931442e097178236a4e1eb6a9095c3d55be96a35fb

Download Submit
memory/2924-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing