4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe
Size

715KB
MD5

9f097dabc838e75a9c4216ec60b6c460
SHA1

7f6cafc761e2a237138a429fcb1648b16fa3df84
SHA256

4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a
SHA512

814ecd5231908cd8b6588b19b774f03e04b7fabc4f7204c10e9e0d1dbdf4f24a9a4a01480ddc64f86b9cc435531bb2cd6fd657e2a8bff84a9267582b27105aaf
SSDEEP

3072:htwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWy:buj8NDF3OR9/Qe2Hdklrn4K3eP7y

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 14 IoCs

pid	Process
2412	casino_extensions.exe
1856	Casino_ext.exe
4576	casino_extensions.exe
2400	Casino_ext.exe
1936	LiveMessageCenter.exe
4380	casino_extensions.exe
5068	Casino_ext.exe
4404	casino_extensions.exe
1152	Casino_ext.exe
5032	casino_extensions.exe
5112	Casino_ext.exe
4888	LiveMessageCenter.exe
32	casino_extensions.exe
2968	Casino_ext.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1856	Casino_ext.exe
1856	Casino_ext.exe
2400	Casino_ext.exe
2400	Casino_ext.exe
1936	LiveMessageCenter.exe
1936	LiveMessageCenter.exe
5068	Casino_ext.exe
5068	Casino_ext.exe
1152	Casino_ext.exe
1152	Casino_ext.exe
5112	Casino_ext.exe
5112	Casino_ext.exe
4888	LiveMessageCenter.exe
4888	LiveMessageCenter.exe
2968	Casino_ext.exe
2968	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4008	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4496	4008	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe	85
PID 4008 wrote to memory of 4496	4008	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe	85
PID 4008 wrote to memory of 4496	4008	4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe	85
PID 4496 wrote to memory of 2412	4496	casino_extensions.exe	86
PID 4496 wrote to memory of 2412	4496	casino_extensions.exe	86
PID 4496 wrote to memory of 2412	4496	casino_extensions.exe	86
PID 2412 wrote to memory of 1856	2412	casino_extensions.exe	87
PID 2412 wrote to memory of 1856	2412	casino_extensions.exe	87
PID 2412 wrote to memory of 1856	2412	casino_extensions.exe	87
PID 1856 wrote to memory of 4004	1856	Casino_ext.exe	88
PID 1856 wrote to memory of 4004	1856	Casino_ext.exe	88
PID 1856 wrote to memory of 4004	1856	Casino_ext.exe	88
PID 4004 wrote to memory of 4576	4004	casino_extensions.exe	89
PID 4004 wrote to memory of 4576	4004	casino_extensions.exe	89
PID 4004 wrote to memory of 4576	4004	casino_extensions.exe	89
PID 4576 wrote to memory of 2400	4576	casino_extensions.exe	90
PID 4576 wrote to memory of 2400	4576	casino_extensions.exe	90
PID 4576 wrote to memory of 2400	4576	casino_extensions.exe	90
PID 2400 wrote to memory of 2036	2400	Casino_ext.exe	91
PID 2400 wrote to memory of 2036	2400	Casino_ext.exe	91
PID 2400 wrote to memory of 2036	2400	Casino_ext.exe	91
PID 2036 wrote to memory of 1936	2036	casino_extensions.exe	92
PID 2036 wrote to memory of 1936	2036	casino_extensions.exe	92
PID 2036 wrote to memory of 1936	2036	casino_extensions.exe	92
PID 1936 wrote to memory of 3372	1936	LiveMessageCenter.exe	93
PID 1936 wrote to memory of 3372	1936	LiveMessageCenter.exe	93
PID 1936 wrote to memory of 3372	1936	LiveMessageCenter.exe	93
PID 3372 wrote to memory of 4380	3372	casino_extensions.exe	94
PID 3372 wrote to memory of 4380	3372	casino_extensions.exe	94
PID 3372 wrote to memory of 4380	3372	casino_extensions.exe	94
PID 4380 wrote to memory of 5068	4380	casino_extensions.exe	95
PID 4380 wrote to memory of 5068	4380	casino_extensions.exe	95
PID 4380 wrote to memory of 5068	4380	casino_extensions.exe	95
PID 5068 wrote to memory of 4484	5068	Casino_ext.exe	96
PID 5068 wrote to memory of 4484	5068	Casino_ext.exe	96
PID 5068 wrote to memory of 4484	5068	Casino_ext.exe	96
PID 4484 wrote to memory of 4404	4484	casino_extensions.exe	97
PID 4484 wrote to memory of 4404	4484	casino_extensions.exe	97
PID 4484 wrote to memory of 4404	4484	casino_extensions.exe	97
PID 4404 wrote to memory of 1152	4404	casino_extensions.exe	98
PID 4404 wrote to memory of 1152	4404	casino_extensions.exe	98
PID 4404 wrote to memory of 1152	4404	casino_extensions.exe	98
PID 1152 wrote to memory of 1668	1152	Casino_ext.exe	99
PID 1152 wrote to memory of 1668	1152	Casino_ext.exe	99
PID 1152 wrote to memory of 1668	1152	Casino_ext.exe	99
PID 1668 wrote to memory of 5032	1668	casino_extensions.exe	100
PID 1668 wrote to memory of 5032	1668	casino_extensions.exe	100
PID 1668 wrote to memory of 5032	1668	casino_extensions.exe	100
PID 5032 wrote to memory of 5112	5032	casino_extensions.exe	101
PID 5032 wrote to memory of 5112	5032	casino_extensions.exe	101
PID 5032 wrote to memory of 5112	5032	casino_extensions.exe	101
PID 5112 wrote to memory of 740	5112	Casino_ext.exe	102
PID 5112 wrote to memory of 740	5112	Casino_ext.exe	102
PID 5112 wrote to memory of 740	5112	Casino_ext.exe	102
PID 740 wrote to memory of 4888	740	casino_extensions.exe	103
PID 740 wrote to memory of 4888	740	casino_extensions.exe	103
PID 740 wrote to memory of 4888	740	casino_extensions.exe	103
PID 4888 wrote to memory of 3936	4888	LiveMessageCenter.exe	104
PID 4888 wrote to memory of 3936	4888	LiveMessageCenter.exe	104
PID 4888 wrote to memory of 3936	4888	LiveMessageCenter.exe	104
PID 3936 wrote to memory of 32	3936	casino_extensions.exe	105
PID 3936 wrote to memory of 32	3936	casino_extensions.exe	105
PID 3936 wrote to memory of 32	3936	casino_extensions.exe	105
PID 32 wrote to memory of 2968	32	casino_extensions.exe	107

C:\Users\Admin\AppData\Local\Temp\4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4569a24b84e5073b606155a941f936a3f4922b4bfc43417237c1631db978845a_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        21⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        24⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        25⤵
        
        PID:4136

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
732KB

MD5
36c86eaaff14be83edd92bf76f6a7feb

SHA1
c87d6ecff4019a826f45cd534ab964503774fa39

SHA256
35914665956dc26efaa120246ad12c0074152c54abf352a506b82f49bc16e1bd

SHA512
560bc20db5dabde26cb3f069a1c89a699e16e26d262512a9d0b5408e3edde9839061313bbda88ef7ec653fa210ecb50e5746a7e69b469d491cbba50a09d7c528

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
732KB

MD5
9e551f61849088a2849aba79a6117d32

SHA1
2b547f7991affeaea428fffa47d85941e106d126

SHA256
933bddbf927be88e4f15ae50988f4aa5685813b34f66859bb55bac027280a787

SHA512
82001509ea9b5b378db9c4d86e3a500ad31b5a9a638beb1d72c78bda1cfd8dc77c784068a76bfd52f477d947083fa8047fdf0a777dcd20176bac4ef9c71a69c3

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
730KB

MD5
2c1fbf8cff8f09e8334a4063609a7d67

SHA1
2499c6a615d630b0914b6e03527aa84d1b404880

SHA256
26c9c13594ccdb2d36fb6174577bf1c84f3985f34a23b5b5b7c4904f5f9f4d58

SHA512
a83624e64102bd0535f905d3432d8833093ed894b0788fdb1f410b6f6bdcdf476344db26feb9023dc0479eb3b6557271862a07e2cff7b3f707cc055be6c7bae0

Download Submit
memory/2412-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4008-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download