446e66276f6eddc97464bcc616504fd22affd151ac28d3d2a9aa05e041da2c41

General

Target

62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe
Size

752KB
MD5

62d82374f22f9beb1e2352c7c9741180
SHA1

5a3440000135b9d161809bf5a9d7c73c0ad27066
SHA256

446e66276f6eddc97464bcc616504fd22affd151ac28d3d2a9aa05e041da2c41
SHA512

f869c872577feef4ea1c202874395fb1100bd3661bc4252b9133bb9e7c3eb419afe6dc7c1d472f5aae32f2828e80a859615c1c9b31332ebd5d5c2ed653b1a6d7
SSDEEP

3072:JtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFiWH:Tuj8NDF3OR9/Qe2Hdklrn4K3eP7H

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 10 IoCs

Processes:

casino_extensions.exeCasino_ext.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.execasino_extensions.exeCasino_ext.exe

pid	process
3140	casino_extensions.exe
4744	Casino_ext.exe
2148	casino_extensions.exe
4656	Casino_ext.exe
4496	LiveMessageCenter.exe
4420	casino_extensions.exe
380	Casino_ext.exe
4592	LiveMessageCenter.exe
4684	casino_extensions.exe
4776	Casino_ext.exe

Drops file in System32 directory 13 IoCs

Processes:

casino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 11 IoCs

Processes:

casino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.exeLiveMessageCenter.execasino_extensions.exeCasino_ext.exeLiveMessageCenter.exeCasino_ext.exeCasino_ext.execasino_extensions.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

Casino_ext.exeCasino_ext.exeLiveMessageCenter.exeCasino_ext.exeLiveMessageCenter.exeCasino_ext.exe

pid	process
4744	Casino_ext.exe
4744	Casino_ext.exe
4656	Casino_ext.exe
4656	Casino_ext.exe
4496	LiveMessageCenter.exe
4496	LiveMessageCenter.exe
380	Casino_ext.exe
380	Casino_ext.exe
4592	LiveMessageCenter.exe
4592	LiveMessageCenter.exe
4776	Casino_ext.exe
4776	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe

pid process

1476 62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe

pid	process
1476	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.exeLiveMessageCenter.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.exeLiveMessageCenter.execasino_extensions.execasino_extensions.exeCasino_ext.execasino_extensions.exe

description	pid	process	target process
PID 1476 wrote to memory of 1972	1476	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe	casino_extensions.exe
PID 1476 wrote to memory of 1972	1476	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe	casino_extensions.exe
PID 1476 wrote to memory of 1972	1476	62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe	casino_extensions.exe
PID 1972 wrote to memory of 3140	1972	casino_extensions.exe	casino_extensions.exe
PID 1972 wrote to memory of 3140	1972	casino_extensions.exe	casino_extensions.exe
PID 1972 wrote to memory of 3140	1972	casino_extensions.exe	casino_extensions.exe
PID 3140 wrote to memory of 4744	3140	casino_extensions.exe	Casino_ext.exe
PID 3140 wrote to memory of 4744	3140	casino_extensions.exe	Casino_ext.exe
PID 3140 wrote to memory of 4744	3140	casino_extensions.exe	Casino_ext.exe
PID 4744 wrote to memory of 2192	4744	Casino_ext.exe	casino_extensions.exe
PID 4744 wrote to memory of 2192	4744	Casino_ext.exe	casino_extensions.exe
PID 4744 wrote to memory of 2192	4744	Casino_ext.exe	casino_extensions.exe
PID 2192 wrote to memory of 2148	2192	casino_extensions.exe	casino_extensions.exe
PID 2192 wrote to memory of 2148	2192	casino_extensions.exe	casino_extensions.exe
PID 2192 wrote to memory of 2148	2192	casino_extensions.exe	casino_extensions.exe
PID 2148 wrote to memory of 4656	2148	casino_extensions.exe	Casino_ext.exe
PID 2148 wrote to memory of 4656	2148	casino_extensions.exe	Casino_ext.exe
PID 2148 wrote to memory of 4656	2148	casino_extensions.exe	Casino_ext.exe
PID 4656 wrote to memory of 1236	4656	Casino_ext.exe	casino_extensions.exe
PID 4656 wrote to memory of 1236	4656	Casino_ext.exe	casino_extensions.exe
PID 4656 wrote to memory of 1236	4656	Casino_ext.exe	casino_extensions.exe
PID 1236 wrote to memory of 4496	1236	casino_extensions.exe	LiveMessageCenter.exe
PID 1236 wrote to memory of 4496	1236	casino_extensions.exe	LiveMessageCenter.exe
PID 1236 wrote to memory of 4496	1236	casino_extensions.exe	LiveMessageCenter.exe
PID 4496 wrote to memory of 680	4496	LiveMessageCenter.exe	casino_extensions.exe
PID 4496 wrote to memory of 680	4496	LiveMessageCenter.exe	casino_extensions.exe
PID 4496 wrote to memory of 680	4496	LiveMessageCenter.exe	casino_extensions.exe
PID 680 wrote to memory of 4420	680	casino_extensions.exe	casino_extensions.exe
PID 680 wrote to memory of 4420	680	casino_extensions.exe	casino_extensions.exe
PID 680 wrote to memory of 4420	680	casino_extensions.exe	casino_extensions.exe
PID 4420 wrote to memory of 380	4420	casino_extensions.exe	Casino_ext.exe
PID 4420 wrote to memory of 380	4420	casino_extensions.exe	Casino_ext.exe
PID 4420 wrote to memory of 380	4420	casino_extensions.exe	Casino_ext.exe
PID 380 wrote to memory of 2644	380	Casino_ext.exe	casino_extensions.exe
PID 380 wrote to memory of 2644	380	Casino_ext.exe	casino_extensions.exe
PID 380 wrote to memory of 2644	380	Casino_ext.exe	casino_extensions.exe
PID 2644 wrote to memory of 4592	2644	casino_extensions.exe	LiveMessageCenter.exe
PID 2644 wrote to memory of 4592	2644	casino_extensions.exe	LiveMessageCenter.exe
PID 2644 wrote to memory of 4592	2644	casino_extensions.exe	LiveMessageCenter.exe
PID 4592 wrote to memory of 1704	4592	LiveMessageCenter.exe	casino_extensions.exe
PID 4592 wrote to memory of 1704	4592	LiveMessageCenter.exe	casino_extensions.exe
PID 4592 wrote to memory of 1704	4592	LiveMessageCenter.exe	casino_extensions.exe
PID 1704 wrote to memory of 4684	1704	casino_extensions.exe	casino_extensions.exe
PID 1704 wrote to memory of 4684	1704	casino_extensions.exe	casino_extensions.exe
PID 1704 wrote to memory of 4684	1704	casino_extensions.exe	casino_extensions.exe
PID 4684 wrote to memory of 4776	4684	casino_extensions.exe	Casino_ext.exe
PID 4684 wrote to memory of 4776	4684	casino_extensions.exe	Casino_ext.exe
PID 4684 wrote to memory of 4776	4684	casino_extensions.exe	Casino_ext.exe
PID 4776 wrote to memory of 2040	4776	Casino_ext.exe	casino_extensions.exe
PID 4776 wrote to memory of 2040	4776	Casino_ext.exe	casino_extensions.exe
PID 4776 wrote to memory of 2040	4776	Casino_ext.exe	casino_extensions.exe
PID 2040 wrote to memory of 5004	2040	casino_extensions.exe	cmd.exe
PID 2040 wrote to memory of 5004	2040	casino_extensions.exe	cmd.exe
PID 2040 wrote to memory of 5004	2040	casino_extensions.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\62d82374f22f9beb1e2352c7c9741180_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4744
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        15⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        16⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        18⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        19⤵
        
        PID:5004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\Casino_ext.exe

Filesize
756KB

MD5
566ad5b44c84f9789600357e89d00ad8

SHA1
97c18c791e4229bca849db542fb40182de3e4f9d

SHA256
ea518e6d8d8842c7e6c55a9dee127e3268f1e40f589479fda2ff591c2b07c135

SHA512
81553f34eba333a763492097cb4273610070893668152813f045e046a6b80d346b30dd473124354a60f21962acdbe7b04d42ad96d0d56695245acab0600fb307

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
762KB

MD5
a50361df1d8bb5ef6412d107173281d3

SHA1
03962f676f03c6639c4a0cc658d40ba07d6dbd09

SHA256
af5155c9b70c187441a03a8e2012cf673def43f638e0c3e7aaec41b654ab3c8a

SHA512
f6a9691f61d96c469579ef10727b62cc69e6a2030adddaa7d35e80e31923663e36105333724f238ac5b9706e760a71d096c58906e3069fd9df4927c09d1cbb37

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
758KB

MD5
bab499fd16449ea1a6808786333199b4

SHA1
a1b23d8f73d396cce1f4cf32975d0a0ae472ccfc

SHA256
ca388650c27233e957adb707a3129bcaf30b9119313d149005fb5a92aa7304c6

SHA512
33fefd31b839b000a93f3da174cc96956425fdd444b20cd303e8c419ef9554be2b477161229ba02474d7832601b180c9210710e8af3441b1d2aef0dd729aee04

Download Submit
memory/1476-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3140-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads