a5151fc2db6d2fd6f3841aaba385ada07f0a78b334c1962d478c2e275f00a848

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3690a43b7b495f7843c067f9fb9754e0_NeikiAnalytics.exe
Size

1.0MB
MD5

3690a43b7b495f7843c067f9fb9754e0
SHA1

383136c8ef111923c914a35f87365ec7813d0688
SHA256

a5151fc2db6d2fd6f3841aaba385ada07f0a78b334c1962d478c2e275f00a848
SHA512

fb208a36eb5ea1257d4e6451564fa5428817824d04b9456c53da9bca8a69f4f8eaa7fb5e91ee17e85fff4b0f942d0f9e44e4b819c300e8315601942ecb18a13c
SSDEEP

6144:Auj8NDF3OR9/Qe2HdklrSqjzQtJo3FCyvY:rOF3ORK3d9QzQtJo3FCaY

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2528	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
2892	casino_extensions.exe
2524	Casino_ext.exe
2680	casino_extensions.exe
2548	Casino_ext.exe
1744	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
1800	casino_extensions.exe
1800	casino_extensions.exe
2620	casino_extensions.exe
2620	casino_extensions.exe
2912	casino_extensions.exe
2912	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2524	Casino_ext.exe
2548	Casino_ext.exe
1744	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1992	3690a43b7b495f7843c067f9fb9754e0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1800	1992	3690a43b7b495f7843c067f9fb9754e0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 1800	1992	3690a43b7b495f7843c067f9fb9754e0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 1800	1992	3690a43b7b495f7843c067f9fb9754e0_NeikiAnalytics.exe	28
PID 1992 wrote to memory of 1800	1992	3690a43b7b495f7843c067f9fb9754e0_NeikiAnalytics.exe	28
PID 1800 wrote to memory of 2892	1800	casino_extensions.exe	29
PID 1800 wrote to memory of 2892	1800	casino_extensions.exe	29
PID 1800 wrote to memory of 2892	1800	casino_extensions.exe	29
PID 1800 wrote to memory of 2892	1800	casino_extensions.exe	29
PID 2892 wrote to memory of 2524	2892	casino_extensions.exe	30
PID 2892 wrote to memory of 2524	2892	casino_extensions.exe	30
PID 2892 wrote to memory of 2524	2892	casino_extensions.exe	30
PID 2892 wrote to memory of 2524	2892	casino_extensions.exe	30
PID 2524 wrote to memory of 2620	2524	Casino_ext.exe	31
PID 2524 wrote to memory of 2620	2524	Casino_ext.exe	31
PID 2524 wrote to memory of 2620	2524	Casino_ext.exe	31
PID 2524 wrote to memory of 2620	2524	Casino_ext.exe	31
PID 2620 wrote to memory of 2680	2620	casino_extensions.exe	32
PID 2620 wrote to memory of 2680	2620	casino_extensions.exe	32
PID 2620 wrote to memory of 2680	2620	casino_extensions.exe	32
PID 2620 wrote to memory of 2680	2620	casino_extensions.exe	32
PID 2680 wrote to memory of 2548	2680	casino_extensions.exe	33
PID 2680 wrote to memory of 2548	2680	casino_extensions.exe	33
PID 2680 wrote to memory of 2548	2680	casino_extensions.exe	33
PID 2680 wrote to memory of 2548	2680	casino_extensions.exe	33
PID 2548 wrote to memory of 2912	2548	Casino_ext.exe	34
PID 2548 wrote to memory of 2912	2548	Casino_ext.exe	34
PID 2548 wrote to memory of 2912	2548	Casino_ext.exe	34
PID 2548 wrote to memory of 2912	2548	Casino_ext.exe	34
PID 2912 wrote to memory of 1744	2912	casino_extensions.exe	35
PID 2912 wrote to memory of 1744	2912	casino_extensions.exe	35
PID 2912 wrote to memory of 1744	2912	casino_extensions.exe	35
PID 2912 wrote to memory of 1744	2912	casino_extensions.exe	35
PID 1744 wrote to memory of 2596	1744	LiveMessageCenter.exe	36
PID 1744 wrote to memory of 2596	1744	LiveMessageCenter.exe	36
PID 1744 wrote to memory of 2596	1744	LiveMessageCenter.exe	36
PID 1744 wrote to memory of 2596	1744	LiveMessageCenter.exe	36
PID 2596 wrote to memory of 2528	2596	casino_extensions.exe	37
PID 2596 wrote to memory of 2528	2596	casino_extensions.exe	37
PID 2596 wrote to memory of 2528	2596	casino_extensions.exe	37
PID 2596 wrote to memory of 2528	2596	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\3690a43b7b495f7843c067f9fb9754e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3690a43b7b495f7843c067f9fb9754e0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
1.0MB

MD5
3e96cbf97c345b8f670b6a9782d7eff5

SHA1
88bcb47f15eb69c9a3284b9b6b57fe682830feef

SHA256
95ca4a9deb445083a4883ad9d9aefadd38bb8a4169af41683dd3958412a5ed7a

SHA512
57d1cfea228acd31d52914efa4bc9d15507a54304acc115d2c3f498ab35692c767a4bd8d2d8e2e08575615e3283653da7cb1c629979b05c8b8b01e39456a291a

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
1.0MB

MD5
a12cf0b8cdb529690fc37f981ac51524

SHA1
327b6c06c17d1e3d66c3384aa19297a5737fc8d6

SHA256
0101d2fec12cb650e34f98929106de7ea26d1b234564dc7ffd448656b02a1e80

SHA512
d4014cd2adab78e9fe8c90a84e82660b8623fde0807d0fe4e4a769eff7449937e7e9f1aa248d29dc57756e06d726775ea7ac8c4f24f14c10bd98fa9bb891b44a

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
1.0MB

MD5
9a191260d13ebeef9a2ea98bb0090234

SHA1
a4fc90e5732cf278dce9f1d057e47a9e7c084408

SHA256
d404be3e4c528d37560f62dc03aa598298a6d4d548fa5d09787406c56f6ecf2d

SHA512
2f891d788839c9db8d80a326b90a6a6db820cf1f9ac6553d6ee3ad3239149b66f8edcf70d291ec76e52b68e63166a966510c2214b7545cab937c713c89e0f2c5

Download Submit
memory/1992-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2892-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download