446e66276f6eddc97464bcc616504fd22affd151ac28d3d2a9aa05e041da2c41

General

Target

62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe
Size

752KB
MD5

62d82374f22f9beb1e2352c7c9741180
SHA1

5a3440000135b9d161809bf5a9d7c73c0ad27066
SHA256

446e66276f6eddc97464bcc616504fd22affd151ac28d3d2a9aa05e041da2c41
SHA512

f869c872577feef4ea1c202874395fb1100bd3661bc4252b9133bb9e7c3eb419afe6dc7c1d472f5aae32f2828e80a859615c1c9b31332ebd5d5c2ed653b1a6d7
SSDEEP

3072:JtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWH:Tuj8NDF3OR9/Qe2Hdklrn4K3eP7H

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2952 cmd.exe
Executes dropped EXE 5 IoCs

Processes:

casino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.exe

pid process

2592 casino_extensions.exe
1936 Casino_ext.exe
2644 casino_extensions.exe
2564 Casino_ext.exe
2636 LiveMessageCenter.exe

pid	process
2952	cmd.exe

pid	process
2592	casino_extensions.exe
1936	Casino_ext.exe
2644	casino_extensions.exe
2564	Casino_ext.exe
2636	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

Processes:

casino_extensions.execasino_extensions.execasino_extensions.exe

pid	process
2488	casino_extensions.exe
2488	casino_extensions.exe
2536	casino_extensions.exe
2536	casino_extensions.exe
2540	casino_extensions.exe
2540	casino_extensions.exe

Drops file in System32 directory 9 IoCs

Processes:

casino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

Processes:

Casino_ext.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Casino_ext.exeCasino_ext.exeLiveMessageCenter.exe

pid process

1936 Casino_ext.exe
2564 Casino_ext.exe
2636 LiveMessageCenter.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe

pid process

2020 62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe

pid	process
1936	Casino_ext.exe
2564	Casino_ext.exe
2636	LiveMessageCenter.exe

pid	process
2020	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.exeLiveMessageCenter.execasino_extensions.exe

description	pid	process	target process
PID 2020 wrote to memory of 2488	2020	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe	casino_extensions.exe
PID 2020 wrote to memory of 2488	2020	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe	casino_extensions.exe
PID 2020 wrote to memory of 2488	2020	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe	casino_extensions.exe
PID 2020 wrote to memory of 2488	2020	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe	casino_extensions.exe
PID 2488 wrote to memory of 2592	2488	casino_extensions.exe	casino_extensions.exe
PID 2488 wrote to memory of 2592	2488	casino_extensions.exe	casino_extensions.exe
PID 2488 wrote to memory of 2592	2488	casino_extensions.exe	casino_extensions.exe
PID 2488 wrote to memory of 2592	2488	casino_extensions.exe	casino_extensions.exe
PID 2592 wrote to memory of 1936	2592	casino_extensions.exe	Casino_ext.exe
PID 2592 wrote to memory of 1936	2592	casino_extensions.exe	Casino_ext.exe
PID 2592 wrote to memory of 1936	2592	casino_extensions.exe	Casino_ext.exe
PID 2592 wrote to memory of 1936	2592	casino_extensions.exe	Casino_ext.exe
PID 1936 wrote to memory of 2536	1936	Casino_ext.exe	casino_extensions.exe
PID 1936 wrote to memory of 2536	1936	Casino_ext.exe	casino_extensions.exe
PID 1936 wrote to memory of 2536	1936	Casino_ext.exe	casino_extensions.exe
PID 1936 wrote to memory of 2536	1936	Casino_ext.exe	casino_extensions.exe
PID 2536 wrote to memory of 2644	2536	casino_extensions.exe	casino_extensions.exe
PID 2536 wrote to memory of 2644	2536	casino_extensions.exe	casino_extensions.exe
PID 2536 wrote to memory of 2644	2536	casino_extensions.exe	casino_extensions.exe
PID 2536 wrote to memory of 2644	2536	casino_extensions.exe	casino_extensions.exe
PID 2644 wrote to memory of 2564	2644	casino_extensions.exe	Casino_ext.exe
PID 2644 wrote to memory of 2564	2644	casino_extensions.exe	Casino_ext.exe
PID 2644 wrote to memory of 2564	2644	casino_extensions.exe	Casino_ext.exe
PID 2644 wrote to memory of 2564	2644	casino_extensions.exe	Casino_ext.exe
PID 2564 wrote to memory of 2540	2564	Casino_ext.exe	casino_extensions.exe
PID 2564 wrote to memory of 2540	2564	Casino_ext.exe	casino_extensions.exe
PID 2564 wrote to memory of 2540	2564	Casino_ext.exe	casino_extensions.exe
PID 2564 wrote to memory of 2540	2564	Casino_ext.exe	casino_extensions.exe
PID 2540 wrote to memory of 2636	2540	casino_extensions.exe	LiveMessageCenter.exe
PID 2540 wrote to memory of 2636	2540	casino_extensions.exe	LiveMessageCenter.exe
PID 2540 wrote to memory of 2636	2540	casino_extensions.exe	LiveMessageCenter.exe
PID 2540 wrote to memory of 2636	2540	casino_extensions.exe	LiveMessageCenter.exe
PID 2636 wrote to memory of 2580	2636	LiveMessageCenter.exe	casino_extensions.exe
PID 2636 wrote to memory of 2580	2636	LiveMessageCenter.exe	casino_extensions.exe
PID 2636 wrote to memory of 2580	2636	LiveMessageCenter.exe	casino_extensions.exe
PID 2636 wrote to memory of 2580	2636	LiveMessageCenter.exe	casino_extensions.exe
PID 2580 wrote to memory of 2952	2580	casino_extensions.exe	cmd.exe
PID 2580 wrote to memory of 2952	2580	casino_extensions.exe	cmd.exe
PID 2580 wrote to memory of 2952	2580	casino_extensions.exe	cmd.exe
PID 2580 wrote to memory of 2952	2580	casino_extensions.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1936
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
754KB

MD5
9fc7e75af82e1b3eba212f08b1b086c1

SHA1
fcf31be969f3ccdfbd7ca7c75a5f71ff4d8116e4

SHA256
7af6410e71014be95c8da1d91290ba7753a5d9c681f83163ef4aa027274bf8e7

SHA512
11719ba1e5e04748ad881f8faab0348e5040b3b2bcb1071409a4fb88d29bfd29d5f9e74bf65a628c48ca38ff4fd35ded8898fa57fe57002acd2fce368f0a268f

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
757KB

MD5
3916201ded86b6336d5d6bbba5bea0c3

SHA1
78927dc394b24de74a247f6d8394d5e2b4f70615

SHA256
e04df5baf8e4487832bea047a9f24f2dc7a54173cccd1ed64b0056c2c3e623e1

SHA512
7dce6d127509b5b299f0fd438fca279ec68d1b0d97f715d219bcb7bd2e9c188c328fded9688ac8d45957e7ca46109b5b6712593c80c4017957fc5ab5b9920232

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
757KB

MD5
a1edb4c65689c82619b19236d222ad7e

SHA1
518d1d88f56caa5b75e7e6cdbd8cf460b69be220

SHA256
65495f7c11327093a770af86480c4dec1e9bccb8d5feb619d76b76301ba4459c

SHA512
0b7a8f62485f703e33bc6e1baf067f1763fc740ca4d4d60552621776f22726e6eb488873f578ba63ab1f5c46d59bfc873db0b4b9071a60372c5393daea5ab5ee

Download Submit
memory/2020-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2592-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads