42c5c71d164d0c6e3bbbe2df31e33088e0295dd231eb0611531e179d396b1f2d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-06-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe
Size

485KB
MD5

8f2b15fbdc45e2d26c67730a7ea5ffa0
SHA1

86e98dd86d8154cf7af9c3afce7cd043479c55d6
SHA256

42c5c71d164d0c6e3bbbe2df31e33088e0295dd231eb0611531e179d396b1f2d
SHA512

51dbfce2810a7b583659118edca25fd037e16a1b0547914e0fcbc8daced06a1c2e778d674c7fe1900684a25f8d78e98b818e474625cadcc52990a2ca05df06f9
SSDEEP

3072:OtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQuoYKN6LSSe9CGqJ:yuj8NDF3OR9/Qe2HdklruoYk6LReM

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2476	cmd.exe

Executes dropped EXE 5 IoCs

pid	Process
1648	casino_extensions.exe
1624	Casino_ext.exe
2532	casino_extensions.exe
2780	Casino_ext.exe
2776	LiveMessageCenter.exe

Loads dropped DLL 6 IoCs

pid	Process
1508	casino_extensions.exe
1508	casino_extensions.exe
3000	casino_extensions.exe
3000	casino_extensions.exe
2540	casino_extensions.exe
2540	casino_extensions.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1624	Casino_ext.exe
2780	Casino_ext.exe
2776	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1508	1948	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 1508	1948	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 1508	1948	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe	28
PID 1948 wrote to memory of 1508	1948	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe	28
PID 1508 wrote to memory of 1648	1508	casino_extensions.exe	29
PID 1508 wrote to memory of 1648	1508	casino_extensions.exe	29
PID 1508 wrote to memory of 1648	1508	casino_extensions.exe	29
PID 1508 wrote to memory of 1648	1508	casino_extensions.exe	29
PID 1648 wrote to memory of 1624	1648	casino_extensions.exe	30
PID 1648 wrote to memory of 1624	1648	casino_extensions.exe	30
PID 1648 wrote to memory of 1624	1648	casino_extensions.exe	30
PID 1648 wrote to memory of 1624	1648	casino_extensions.exe	30
PID 1624 wrote to memory of 3000	1624	Casino_ext.exe	31
PID 1624 wrote to memory of 3000	1624	Casino_ext.exe	31
PID 1624 wrote to memory of 3000	1624	Casino_ext.exe	31
PID 1624 wrote to memory of 3000	1624	Casino_ext.exe	31
PID 3000 wrote to memory of 2532	3000	casino_extensions.exe	32
PID 3000 wrote to memory of 2532	3000	casino_extensions.exe	32
PID 3000 wrote to memory of 2532	3000	casino_extensions.exe	32
PID 3000 wrote to memory of 2532	3000	casino_extensions.exe	32
PID 2532 wrote to memory of 2780	2532	casino_extensions.exe	33
PID 2532 wrote to memory of 2780	2532	casino_extensions.exe	33
PID 2532 wrote to memory of 2780	2532	casino_extensions.exe	33
PID 2532 wrote to memory of 2780	2532	casino_extensions.exe	33
PID 2780 wrote to memory of 2540	2780	Casino_ext.exe	34
PID 2780 wrote to memory of 2540	2780	Casino_ext.exe	34
PID 2780 wrote to memory of 2540	2780	Casino_ext.exe	34
PID 2780 wrote to memory of 2540	2780	Casino_ext.exe	34
PID 2540 wrote to memory of 2776	2540	casino_extensions.exe	35
PID 2540 wrote to memory of 2776	2540	casino_extensions.exe	35
PID 2540 wrote to memory of 2776	2540	casino_extensions.exe	35
PID 2540 wrote to memory of 2776	2540	casino_extensions.exe	35
PID 2776 wrote to memory of 2772	2776	LiveMessageCenter.exe	36
PID 2776 wrote to memory of 2772	2776	LiveMessageCenter.exe	36
PID 2776 wrote to memory of 2772	2776	LiveMessageCenter.exe	36
PID 2776 wrote to memory of 2772	2776	LiveMessageCenter.exe	36
PID 2772 wrote to memory of 2476	2772	casino_extensions.exe	37
PID 2772 wrote to memory of 2476	2772	casino_extensions.exe	37
PID 2772 wrote to memory of 2476	2772	casino_extensions.exe	37
PID 2772 wrote to memory of 2476	2772	casino_extensions.exe	37

C:\Users\Admin\AppData\Local\Temp\8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1624
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        10⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c $$2028~1.BAT
        11⤵
        Deletes itself
        
        PID:2476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
493KB

MD5
01b050bfb6ae07c65769d9537378ea49

SHA1
5ef4050b19064e4782c1291fd086454c723400c7

SHA256
79a3b63d0e13b57a4d9a61657440c75326e716d40abcb558eccdda05a1e8092a

SHA512
5f3fc9877bf4360e1d2bb73f73b7d329b184aa5babc253e08ee343962a8e2a4886e9444a7fbc46a114c4d88664f6d7f4c54e4855ecadfe77cec542eb574f3be6

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
494KB

MD5
bd183e5ab2d9557b5fa61665188d6175

SHA1
9ae95afeb77ceaf54271d2cd88e2de51bcd4d9b4

SHA256
56e7dd47a507b1349f39f1fc01a0e6729dc7e5f35e96f77c1643185a1f632879

SHA512
15cbe19b980df191428b729b7e5f0cd1d2ff1cdd6454bf3262feeabf5bbede205d203ffd69f3cd6842e06f2c19bcb8b1dcb81e387ae7768addcc45507cfae7d7

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
491KB

MD5
9910712a7aa43d77d1cd6f139c52a684

SHA1
e2b2bd17ff8d1ba26f49e4df6a72766b9d3c82ce

SHA256
f2a81e15ae24ba34d6ab98087a33738d95ece9d752df02a41d9573b239110fd7

SHA512
4836594730d2ac5ce19815bf05041db5079222d4cbadcf3c49616be356c2285519e2e034a630a5a8dfeb4dd18fe3e37d0cc44b57eab85280deb140a5286b63c2

Download Submit
memory/1648-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1948-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download