110d66ac27bf0850a3e52ebbfcf96552511c3ae7ec448bed475b9019d2ed0106

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ad67dc9c7f36df0cb301b0f964b82f0_NeikiAnalytics.exe
Size

638KB
MD5

2ad67dc9c7f36df0cb301b0f964b82f0
SHA1

56be15a19a33dffce78adbe2288bc824a65a18f4
SHA256

110d66ac27bf0850a3e52ebbfcf96552511c3ae7ec448bed475b9019d2ed0106
SHA512

ad476cbfda682bfbd917c8b8721d9567c1a5d11bc6aba63c009754d4ef5919fb6fec9a8951c4512fd5eb637a6a0c11ded8a53fa1e45ec0905691e4ed11efc5f9
SSDEEP

3072:itwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQS0Tm2TdwnN0gUydt2K:Wuj8NDF3OR9/Qe2HdklrSqZghdtT

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2832	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2468	casino_extensions.exe
2300	Casino_ext.exe
2384	casino_extensions.exe
2112	Casino_ext.exe
2720	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
2172	casino_extensions.exe
2172	casino_extensions.exe
2372	casino_extensions.exe
2372	casino_extensions.exe
2696	casino_extensions.exe
2696	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2300	Casino_ext.exe
2112	Casino_ext.exe
2720	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1596	2ad67dc9c7f36df0cb301b0f964b82f0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2172	1596	2ad67dc9c7f36df0cb301b0f964b82f0_NeikiAnalytics.exe	28
PID 1596 wrote to memory of 2172	1596	2ad67dc9c7f36df0cb301b0f964b82f0_NeikiAnalytics.exe	28
PID 1596 wrote to memory of 2172	1596	2ad67dc9c7f36df0cb301b0f964b82f0_NeikiAnalytics.exe	28
PID 1596 wrote to memory of 2172	1596	2ad67dc9c7f36df0cb301b0f964b82f0_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2468	2172	casino_extensions.exe	29
PID 2172 wrote to memory of 2468	2172	casino_extensions.exe	29
PID 2172 wrote to memory of 2468	2172	casino_extensions.exe	29
PID 2172 wrote to memory of 2468	2172	casino_extensions.exe	29
PID 2468 wrote to memory of 2300	2468	casino_extensions.exe	30
PID 2468 wrote to memory of 2300	2468	casino_extensions.exe	30
PID 2468 wrote to memory of 2300	2468	casino_extensions.exe	30
PID 2468 wrote to memory of 2300	2468	casino_extensions.exe	30
PID 2300 wrote to memory of 2372	2300	Casino_ext.exe	31
PID 2300 wrote to memory of 2372	2300	Casino_ext.exe	31
PID 2300 wrote to memory of 2372	2300	Casino_ext.exe	31
PID 2300 wrote to memory of 2372	2300	Casino_ext.exe	31
PID 2372 wrote to memory of 2384	2372	casino_extensions.exe	32
PID 2372 wrote to memory of 2384	2372	casino_extensions.exe	32
PID 2372 wrote to memory of 2384	2372	casino_extensions.exe	32
PID 2372 wrote to memory of 2384	2372	casino_extensions.exe	32
PID 2384 wrote to memory of 2112	2384	casino_extensions.exe	33
PID 2384 wrote to memory of 2112	2384	casino_extensions.exe	33
PID 2384 wrote to memory of 2112	2384	casino_extensions.exe	33
PID 2384 wrote to memory of 2112	2384	casino_extensions.exe	33
PID 2112 wrote to memory of 2696	2112	Casino_ext.exe	34
PID 2112 wrote to memory of 2696	2112	Casino_ext.exe	34
PID 2112 wrote to memory of 2696	2112	Casino_ext.exe	34
PID 2112 wrote to memory of 2696	2112	Casino_ext.exe	34
PID 2696 wrote to memory of 2720	2696	casino_extensions.exe	35
PID 2696 wrote to memory of 2720	2696	casino_extensions.exe	35
PID 2696 wrote to memory of 2720	2696	casino_extensions.exe	35
PID 2696 wrote to memory of 2720	2696	casino_extensions.exe	35
PID 2720 wrote to memory of 2636	2720	LiveMessageCenter.exe	36
PID 2720 wrote to memory of 2636	2720	LiveMessageCenter.exe	36
PID 2720 wrote to memory of 2636	2720	LiveMessageCenter.exe	36
PID 2720 wrote to memory of 2636	2720	LiveMessageCenter.exe	36
PID 2636 wrote to memory of 2832	2636	casino_extensions.exe	37
PID 2636 wrote to memory of 2832	2636	casino_extensions.exe	37
PID 2636 wrote to memory of 2832	2636	casino_extensions.exe	37
PID 2636 wrote to memory of 2832	2636	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\2ad67dc9c7f36df0cb301b0f964b82f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2ad67dc9c7f36df0cb301b0f964b82f0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
652KB

MD5
b338212ca646b6ddb98b98e5e357c1d0

SHA1
0656073e80244320290995f58d62f9426bbcd926

SHA256
81a7de19ea41df30a5c159f328654acd82c459a63be974599e7ea8b834878710

SHA512
c0360bcc100da5b0231dc41cb9cac22158d19500587045492f66f70d9547eb2f53fd9800670c3ef7562fe815bd7a887c107b932ea54b0b96b43008f8ea586cf5

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
648KB

MD5
f0e2125448be28772582e5ebb4922bd8

SHA1
81f93e1d5a6226186c444f8ae7e53368b5b7ecfd

SHA256
6c29993ca1ab9dc51969c9dba8f677e73df0a641dc352ed8ddde0efd3cc7205f

SHA512
57c29a63240edbf83e83a0f66125029ac965c10bece3cc71335026257927325ef5b12c85e91e3d2a479c960f409d0db020d44a47918525847af1937848316a31

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
639KB

MD5
296e8a274f859b78a412544d905e792f

SHA1
0f1a7e2e8d36d3183afeee62278bf4f900734e98

SHA256
25b0775355130e105cd75df2c56adb158ac7e2a4cb5d39ac508c66258836c6af

SHA512
88947017f6c2d40219c773dc7efdcbc42953631d944c247a3b520ee718979c1d0f68932e1ca76792d28b1164e30b61f53b66f474c52057c3a49648c2ecc172d5

Download Submit
memory/1596-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2468-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download