55f48df014f6c742df584bede31aacd0060407874ce2190e967838dbfaea4d72

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cccca339acfa9dd18429e7785f955a0_NeikiAnalytics.exe
Size

630KB
MD5

3cccca339acfa9dd18429e7785f955a0
SHA1

7939c8ceec1047034c87805181fd811bca4937e6
SHA256

55f48df014f6c742df584bede31aacd0060407874ce2190e967838dbfaea4d72
SHA512

183eec32622a0412349f5f35079d2a64cfae31c6fdfa7c4303654434d1ac99449a9037a8de956ac28a4bda598bb97f19aa8abb36140e36eec6d8a133d8b41050
SSDEEP

3072:etwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOylqwvwK42i1ZKEJAl9uH4:iuj8NDF3OR9/Qe2HdJfwK4DdW9Y4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
5048	casino_extensions.exe
3696	Casino_ext.exe
3980	casino_extensions.exe
2612	Casino_ext.exe
408	casino_extensions.exe
4316	Casino_ext.exe
1924	LiveMessageCenter.exe
3700	casino_extensions.exe
3852	Casino_ext.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3696	Casino_ext.exe
3696	Casino_ext.exe
2612	Casino_ext.exe
2612	Casino_ext.exe
4316	Casino_ext.exe
4316	Casino_ext.exe
1924	LiveMessageCenter.exe
1924	LiveMessageCenter.exe
3852	Casino_ext.exe
3852	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2284	3cccca339acfa9dd18429e7785f955a0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 5032	2284	3cccca339acfa9dd18429e7785f955a0_NeikiAnalytics.exe	82
PID 2284 wrote to memory of 5032	2284	3cccca339acfa9dd18429e7785f955a0_NeikiAnalytics.exe	82
PID 2284 wrote to memory of 5032	2284	3cccca339acfa9dd18429e7785f955a0_NeikiAnalytics.exe	82
PID 5032 wrote to memory of 5048	5032	casino_extensions.exe	83
PID 5032 wrote to memory of 5048	5032	casino_extensions.exe	83
PID 5032 wrote to memory of 5048	5032	casino_extensions.exe	83
PID 5048 wrote to memory of 3696	5048	casino_extensions.exe	84
PID 5048 wrote to memory of 3696	5048	casino_extensions.exe	84
PID 5048 wrote to memory of 3696	5048	casino_extensions.exe	84
PID 3696 wrote to memory of 4952	3696	Casino_ext.exe	85
PID 3696 wrote to memory of 4952	3696	Casino_ext.exe	85
PID 3696 wrote to memory of 4952	3696	Casino_ext.exe	85
PID 4952 wrote to memory of 3980	4952	casino_extensions.exe	86
PID 4952 wrote to memory of 3980	4952	casino_extensions.exe	86
PID 4952 wrote to memory of 3980	4952	casino_extensions.exe	86
PID 3980 wrote to memory of 2612	3980	casino_extensions.exe	87
PID 3980 wrote to memory of 2612	3980	casino_extensions.exe	87
PID 3980 wrote to memory of 2612	3980	casino_extensions.exe	87
PID 2612 wrote to memory of 3380	2612	Casino_ext.exe	88
PID 2612 wrote to memory of 3380	2612	Casino_ext.exe	88
PID 2612 wrote to memory of 3380	2612	Casino_ext.exe	88
PID 3380 wrote to memory of 408	3380	casino_extensions.exe	89
PID 3380 wrote to memory of 408	3380	casino_extensions.exe	89
PID 3380 wrote to memory of 408	3380	casino_extensions.exe	89
PID 408 wrote to memory of 4316	408	casino_extensions.exe	90
PID 408 wrote to memory of 4316	408	casino_extensions.exe	90
PID 408 wrote to memory of 4316	408	casino_extensions.exe	90
PID 4316 wrote to memory of 4572	4316	Casino_ext.exe	91
PID 4316 wrote to memory of 4572	4316	Casino_ext.exe	91
PID 4316 wrote to memory of 4572	4316	Casino_ext.exe	91
PID 4572 wrote to memory of 1924	4572	casino_extensions.exe	92
PID 4572 wrote to memory of 1924	4572	casino_extensions.exe	92
PID 4572 wrote to memory of 1924	4572	casino_extensions.exe	92
PID 1924 wrote to memory of 1076	1924	LiveMessageCenter.exe	93
PID 1924 wrote to memory of 1076	1924	LiveMessageCenter.exe	93
PID 1924 wrote to memory of 1076	1924	LiveMessageCenter.exe	93
PID 1076 wrote to memory of 3700	1076	casino_extensions.exe	94
PID 1076 wrote to memory of 3700	1076	casino_extensions.exe	94
PID 1076 wrote to memory of 3700	1076	casino_extensions.exe	94
PID 3700 wrote to memory of 3852	3700	casino_extensions.exe	95
PID 3700 wrote to memory of 3852	3700	casino_extensions.exe	95
PID 3700 wrote to memory of 3852	3700	casino_extensions.exe	95
PID 3852 wrote to memory of 5108	3852	Casino_ext.exe	96
PID 3852 wrote to memory of 5108	3852	Casino_ext.exe	96
PID 3852 wrote to memory of 5108	3852	Casino_ext.exe	96
PID 5108 wrote to memory of 1952	5108	casino_extensions.exe	97
PID 5108 wrote to memory of 1952	5108	casino_extensions.exe	97
PID 5108 wrote to memory of 1952	5108	casino_extensions.exe	97

C:\Users\Admin\AppData\Local\Temp\3cccca339acfa9dd18429e7785f955a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3cccca339acfa9dd18429e7785f955a0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5032
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        17⤵
        
        PID:1952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
644KB

MD5
60322b479134bf5ab8d0b23b52369176

SHA1
d8c46cb7db87144de7efbdab86d1f7fc264a2b86

SHA256
b6daae63945d1bd22ccd4e27aa10c001a826d1b04eff1c0e16c49151ce62ab96

SHA512
9434c6e5e914b9ae714828b05bb4dffd6b3a6d931479bd155767e404b5d316d0272ecc2deac3e8f83f81774944d0064d4fe58a8a82cde4cabf69803dffc992d0

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
637KB

MD5
1d5018bbef6693d3a2111a75f38dc442

SHA1
09732f26a09b1cb877c95bf5ac1f5fd234a4eb1a

SHA256
bbe9ac24039a5b511bf7d793a56f4274cef0a1419f455e0532156b12a6c48ab8

SHA512
262308d1f327dc185af8ae04d3324afb97e2d23ef5918ea373bd208936c95716d49a25c84716b01cbc9194d684373be4c443f4176667c1cdd1b0c179163eaeef

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
635KB

MD5
f9bac1a07f0a8f47cf9846e43dc7bfc4

SHA1
0d2b27ff60430c436a56cc77d47f025ee0345247

SHA256
38a7bbe0ae53c75816354e3fe4da494fa23536e3c5b521fbd1db353357ac7794

SHA512
a2a328645a95ab6f2f0be31d19403dc88d474fea44c55cd4bf3ed0959c6173dff04a4f7875728d8dc9c11bf5161fd250bbc0484bd9f7188c1d03b24394d6c0ce

Download Submit
memory/2284-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5048-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download