a452141e96a6e4a90abd0b4d707c5f010b7aa60fa8f5e98b76c46d8729a29a9c

General

Target

40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe
Size

483KB
MD5

40cd53ed7af58191301097db66022f50
SHA1

f1da83bfd52ce74a02854683bbda2637d229b069
SHA256

a452141e96a6e4a90abd0b4d707c5f010b7aa60fa8f5e98b76c46d8729a29a9c
SHA512

76505843ef39b02282d5f0719efd2ef2f5ffb8ec0fac22ea89862ec9388c3fef552609187a11623f9fb68dda6f28e46944bb3681533d0652f5f4ff617585e805
SSDEEP

3072:TtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQuoYKN6LS12is8J:5uj8NDF3OR9/Qe2HdklruoYk6LWPJ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 52 IoCs

Processes:

casino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.execasino_extensions.exeCasino_ext.exe

pid	process
3752	casino_extensions.exe
3644	Casino_ext.exe
1056	casino_extensions.exe
4264	Casino_ext.exe
4684	casino_extensions.exe
628	Casino_ext.exe
4292	casino_extensions.exe
2064	Casino_ext.exe
3736	casino_extensions.exe
3712	Casino_ext.exe
4576	casino_extensions.exe
2516	Casino_ext.exe
4016	casino_extensions.exe
456	Casino_ext.exe
4336	casino_extensions.exe
3260	Casino_ext.exe
1956	LiveMessageCenter.exe
2564	casino_extensions.exe
4388	Casino_ext.exe
432	casino_extensions.exe
4432	Casino_ext.exe
4484	casino_extensions.exe
1964	Casino_ext.exe
4804	casino_extensions.exe
5044	Casino_ext.exe
5080	casino_extensions.exe
556	Casino_ext.exe
3276	casino_extensions.exe
3544	Casino_ext.exe
1516	casino_extensions.exe
4040	Casino_ext.exe
5040	casino_extensions.exe
3604	Casino_ext.exe
3244	casino_extensions.exe
4596	Casino_ext.exe
5100	casino_extensions.exe
1288	Casino_ext.exe
2376	casino_extensions.exe
3744	Casino_ext.exe
5048	casino_extensions.exe
4116	Casino_ext.exe
1200	casino_extensions.exe
752	Casino_ext.exe
4672	casino_extensions.exe
3056	Casino_ext.exe
4636	casino_extensions.exe
212	Casino_ext.exe
4272	casino_extensions.exe
1524	Casino_ext.exe
1820	LiveMessageCenter.exe
4064	casino_extensions.exe
2060	Casino_ext.exe

Drops file in System32 directory 34 IoCs

Processes:

casino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 53 IoCs

Processes:

casino_extensions.exeCasino_ext.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.exeCasino_ext.execasino_extensions.exeLiveMessageCenter.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.exeCasino_ext.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.exeCasino_ext.execasino_extensions.exeCasino_ext.exeCasino_ext.execasino_extensions.exeCasino_ext.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.exeCasino_ext.execasino_extensions.exeCasino_ext.exeCasino_ext.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.execasino_extensions.exeLiveMessageCenter.execasino_extensions.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

Casino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeLiveMessageCenter.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeCasino_ext.exeLiveMessageCenter.exeCasino_ext.exe

pid	process
3644	Casino_ext.exe
3644	Casino_ext.exe
4264	Casino_ext.exe
4264	Casino_ext.exe
628	Casino_ext.exe
628	Casino_ext.exe
2064	Casino_ext.exe
2064	Casino_ext.exe
3712	Casino_ext.exe
3712	Casino_ext.exe
2516	Casino_ext.exe
2516	Casino_ext.exe
456	Casino_ext.exe
456	Casino_ext.exe
3260	Casino_ext.exe
3260	Casino_ext.exe
1956	LiveMessageCenter.exe
1956	LiveMessageCenter.exe
4388	Casino_ext.exe
4388	Casino_ext.exe
4432	Casino_ext.exe
4432	Casino_ext.exe
1964	Casino_ext.exe
1964	Casino_ext.exe
5044	Casino_ext.exe
5044	Casino_ext.exe
556	Casino_ext.exe
556	Casino_ext.exe
3544	Casino_ext.exe
3544	Casino_ext.exe
4040	Casino_ext.exe
4040	Casino_ext.exe
3604	Casino_ext.exe
3604	Casino_ext.exe
4596	Casino_ext.exe
4596	Casino_ext.exe
1288	Casino_ext.exe
1288	Casino_ext.exe
3744	Casino_ext.exe
3744	Casino_ext.exe
4116	Casino_ext.exe
4116	Casino_ext.exe
752	Casino_ext.exe
752	Casino_ext.exe
3056	Casino_ext.exe
3056	Casino_ext.exe
212	Casino_ext.exe
212	Casino_ext.exe
1524	Casino_ext.exe
1524	Casino_ext.exe
1820	LiveMessageCenter.exe
1820	LiveMessageCenter.exe
2060	Casino_ext.exe
2060	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe

pid process

4752 40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe

pid	process
4752	40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

40cd53ed7af58191301097db66022f50_NeikiAnalytics.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.exe

description	pid	process	target process
PID 4752 wrote to memory of 3040	4752	40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe	casino_extensions.exe
PID 4752 wrote to memory of 3040	4752	40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe	casino_extensions.exe
PID 4752 wrote to memory of 3040	4752	40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe	casino_extensions.exe
PID 3040 wrote to memory of 3752	3040	casino_extensions.exe	casino_extensions.exe
PID 3040 wrote to memory of 3752	3040	casino_extensions.exe	casino_extensions.exe
PID 3040 wrote to memory of 3752	3040	casino_extensions.exe	casino_extensions.exe
PID 3752 wrote to memory of 3644	3752	casino_extensions.exe	Casino_ext.exe
PID 3752 wrote to memory of 3644	3752	casino_extensions.exe	Casino_ext.exe
PID 3752 wrote to memory of 3644	3752	casino_extensions.exe	Casino_ext.exe
PID 3644 wrote to memory of 1416	3644	Casino_ext.exe	casino_extensions.exe
PID 3644 wrote to memory of 1416	3644	Casino_ext.exe	casino_extensions.exe
PID 3644 wrote to memory of 1416	3644	Casino_ext.exe	casino_extensions.exe
PID 1416 wrote to memory of 1056	1416	casino_extensions.exe	casino_extensions.exe
PID 1416 wrote to memory of 1056	1416	casino_extensions.exe	casino_extensions.exe
PID 1416 wrote to memory of 1056	1416	casino_extensions.exe	casino_extensions.exe
PID 1056 wrote to memory of 4264	1056	casino_extensions.exe	Casino_ext.exe
PID 1056 wrote to memory of 4264	1056	casino_extensions.exe	Casino_ext.exe
PID 1056 wrote to memory of 4264	1056	casino_extensions.exe	Casino_ext.exe
PID 4264 wrote to memory of 3920	4264	Casino_ext.exe	casino_extensions.exe
PID 4264 wrote to memory of 3920	4264	Casino_ext.exe	casino_extensions.exe
PID 4264 wrote to memory of 3920	4264	Casino_ext.exe	casino_extensions.exe
PID 3920 wrote to memory of 4684	3920	casino_extensions.exe	casino_extensions.exe
PID 3920 wrote to memory of 4684	3920	casino_extensions.exe	casino_extensions.exe
PID 3920 wrote to memory of 4684	3920	casino_extensions.exe	casino_extensions.exe
PID 4684 wrote to memory of 628	4684	casino_extensions.exe	Casino_ext.exe
PID 4684 wrote to memory of 628	4684	casino_extensions.exe	Casino_ext.exe
PID 4684 wrote to memory of 628	4684	casino_extensions.exe	Casino_ext.exe
PID 628 wrote to memory of 1192	628	Casino_ext.exe	casino_extensions.exe
PID 628 wrote to memory of 1192	628	Casino_ext.exe	casino_extensions.exe
PID 628 wrote to memory of 1192	628	Casino_ext.exe	casino_extensions.exe
PID 1192 wrote to memory of 4292	1192	casino_extensions.exe	casino_extensions.exe
PID 1192 wrote to memory of 4292	1192	casino_extensions.exe	casino_extensions.exe
PID 1192 wrote to memory of 4292	1192	casino_extensions.exe	casino_extensions.exe
PID 4292 wrote to memory of 2064	4292	casino_extensions.exe	Casino_ext.exe
PID 4292 wrote to memory of 2064	4292	casino_extensions.exe	Casino_ext.exe
PID 4292 wrote to memory of 2064	4292	casino_extensions.exe	Casino_ext.exe
PID 2064 wrote to memory of 3400	2064	Casino_ext.exe	casino_extensions.exe
PID 2064 wrote to memory of 3400	2064	Casino_ext.exe	casino_extensions.exe
PID 2064 wrote to memory of 3400	2064	Casino_ext.exe	casino_extensions.exe
PID 3400 wrote to memory of 3736	3400	casino_extensions.exe	casino_extensions.exe
PID 3400 wrote to memory of 3736	3400	casino_extensions.exe	casino_extensions.exe
PID 3400 wrote to memory of 3736	3400	casino_extensions.exe	casino_extensions.exe
PID 3736 wrote to memory of 3712	3736	casino_extensions.exe	Casino_ext.exe
PID 3736 wrote to memory of 3712	3736	casino_extensions.exe	Casino_ext.exe
PID 3736 wrote to memory of 3712	3736	casino_extensions.exe	Casino_ext.exe
PID 3712 wrote to memory of 1540	3712	Casino_ext.exe	casino_extensions.exe
PID 3712 wrote to memory of 1540	3712	Casino_ext.exe	casino_extensions.exe
PID 3712 wrote to memory of 1540	3712	Casino_ext.exe	casino_extensions.exe
PID 1540 wrote to memory of 4576	1540	casino_extensions.exe	casino_extensions.exe
PID 1540 wrote to memory of 4576	1540	casino_extensions.exe	casino_extensions.exe
PID 1540 wrote to memory of 4576	1540	casino_extensions.exe	casino_extensions.exe
PID 4576 wrote to memory of 2516	4576	casino_extensions.exe	Casino_ext.exe
PID 4576 wrote to memory of 2516	4576	casino_extensions.exe	Casino_ext.exe
PID 4576 wrote to memory of 2516	4576	casino_extensions.exe	Casino_ext.exe
PID 2516 wrote to memory of 4332	2516	Casino_ext.exe	casino_extensions.exe
PID 2516 wrote to memory of 4332	2516	Casino_ext.exe	casino_extensions.exe
PID 2516 wrote to memory of 4332	2516	Casino_ext.exe	casino_extensions.exe
PID 4332 wrote to memory of 4016	4332	casino_extensions.exe	casino_extensions.exe
PID 4332 wrote to memory of 4016	4332	casino_extensions.exe	casino_extensions.exe
PID 4332 wrote to memory of 4016	4332	casino_extensions.exe	casino_extensions.exe
PID 4016 wrote to memory of 456	4016	casino_extensions.exe	Casino_ext.exe
PID 4016 wrote to memory of 456	4016	casino_extensions.exe	Casino_ext.exe
PID 4016 wrote to memory of 456	4016	casino_extensions.exe	Casino_ext.exe
PID 456 wrote to memory of 536	456	Casino_ext.exe	casino_extensions.exe

C:\Users\Admin\AppData\Local\Temp\40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\40cd53ed7af58191301097db66022f50_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3752
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3644
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1416
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        13⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        14⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        17⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        19⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        20⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        22⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        23⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        24⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4336
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3260
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        26⤵
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        27⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        28⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        29⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2564
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        30⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4388
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        31⤵
        Drops file in System32 directory
        
        PID:1400
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        32⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:432
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        33⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4432
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        34⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        35⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4484
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        36⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        37⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        38⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4804
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        39⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5044
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        40⤵
        Drops file in System32 directory
        
        PID:4592
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        41⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5080
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        42⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        43⤵
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        44⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3276
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        45⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3544
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        46⤵
        Drops file in System32 directory
        
        PID:1332
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        47⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1516
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        48⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4040
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        49⤵
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        50⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5040
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        51⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3604
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        52⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        53⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:3244
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        54⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        55⤵
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        56⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5100
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        57⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        58⤵
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        59⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2376
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        60⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3744
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        61⤵
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        62⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:5048
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        63⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        64⤵
        Drops file in System32 directory
        
        PID:3716
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        65⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1200
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        66⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        67⤵
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        68⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4672
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        69⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3056
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        70⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        71⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4636
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        72⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:212
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        73⤵
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        74⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4272
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        75⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        76⤵
        Drops file in System32 directory
        
        PID:3820
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        77⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        79⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4064
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        80⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2060
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        81⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        82⤵
        
        PID:4664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
489KB

MD5
33f2692d236c02cf520dcb879c083782

SHA1
1b8651c9e79cf260e0afe59a7b1c7931a443426b

SHA256
d0d201afbd61d7fb9d74bb41badbeddca049b2a29cd36ac0bb5c158fd35315a9

SHA512
95a9af801d667658e10eaa7d4e7c6d7acb4a74066e6d5cff962d75a68fd7e06809053fc059974371476ddb9aafed5e94555c6fbd4a0c6e0f3e3a4ab01f2d34ce

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
495KB

MD5
0ebe496fe30231c7e5db8e13366b5253

SHA1
6fea133ad1a3ba082682e23bf5ba1fd6390d5c91

SHA256
13ca543eb69a6eaca1572214c29632e8a838a07909cb19054aa72943f939fd18

SHA512
23fdf275a9a61e64a6b384d4cee5e93a8811742ed4b15c46c19cc5ed3bdf2025ad5abbbb4f74f06e90960494dc99354e2e1d52a742a4884f46bb93dd0419605b

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
492KB

MD5
9b12b0c2ed1e7a626ad7aeae6de415f4

SHA1
9308eb53837d93e05e6f8cbe737462ddf91019d7

SHA256
09e59604f0aa5ce81c2f31dcef8d477e7d70e6815795b79d2592dc01fd4c7e26

SHA512
778e40310ed88d0d5da4c50eff3f6bd7038c25a3f97532e76afeee8c77e07e4b84388eb3abf95ca86f7b682383c99467dc645c63e251abd9083f8767db1b19c5

Download Submit
memory/3752-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4752-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads