42c5c71d164d0c6e3bbbe2df31e33088e0295dd231eb0611531e179d396b1f2d

General

Target

8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe
Size

485KB
MD5

8f2b15fbdc45e2d26c67730a7ea5ffa0
SHA1

86e98dd86d8154cf7af9c3afce7cd043479c55d6
SHA256

42c5c71d164d0c6e3bbbe2df31e33088e0295dd231eb0611531e179d396b1f2d
SHA512

51dbfce2810a7b583659118edca25fd037e16a1b0547914e0fcbc8daced06a1c2e778d674c7fe1900684a25f8d78e98b818e474625cadcc52990a2ca05df06f9
SSDEEP

3072:OtwizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQuoYKN6LSSe9CGqJ:yuj8NDF3OR9/Qe2HdklruoYk6LReM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4164	casino_extensions.exe
684	Casino_ext.exe
2448	LiveMessageCenter.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
684	Casino_ext.exe
684	Casino_ext.exe
2448	LiveMessageCenter.exe
2448	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5000	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4528	5000	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe	81
PID 5000 wrote to memory of 4528	5000	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe	81
PID 5000 wrote to memory of 4528	5000	8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe	81
PID 4528 wrote to memory of 4164	4528	casino_extensions.exe	82
PID 4528 wrote to memory of 4164	4528	casino_extensions.exe	82
PID 4528 wrote to memory of 4164	4528	casino_extensions.exe	82
PID 4164 wrote to memory of 684	4164	casino_extensions.exe	83
PID 4164 wrote to memory of 684	4164	casino_extensions.exe	83
PID 4164 wrote to memory of 684	4164	casino_extensions.exe	83
PID 684 wrote to memory of 1372	684	Casino_ext.exe	84
PID 684 wrote to memory of 1372	684	Casino_ext.exe	84
PID 684 wrote to memory of 1372	684	Casino_ext.exe	84
PID 1372 wrote to memory of 2448	1372	casino_extensions.exe	86
PID 1372 wrote to memory of 2448	1372	casino_extensions.exe	86
PID 1372 wrote to memory of 2448	1372	casino_extensions.exe	86
PID 2448 wrote to memory of 4476	2448	LiveMessageCenter.exe	87
PID 2448 wrote to memory of 4476	2448	LiveMessageCenter.exe	87
PID 2448 wrote to memory of 4476	2448	LiveMessageCenter.exe	87
PID 4476 wrote to memory of 2440	4476	casino_extensions.exe	88
PID 4476 wrote to memory of 2440	4476	casino_extensions.exe	88
PID 4476 wrote to memory of 2440	4476	casino_extensions.exe	88

C:\Users\Admin\AppData\Local\Temp\8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8f2b15fbdc45e2d26c67730a7ea5ffa0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:684
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        7⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        8⤵
        
        PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
488KB

MD5
cd6b6fc7bea4837a616919eb50a8713e

SHA1
3a91edba9b4364c1ec4660e47f7bdc62f5358cee

SHA256
98b79678505b59a016284eaf93ea92422a3b7305b01d9eeca3299a1227f1ef2a

SHA512
a8f6ea8d674ceceade720c37d23204432eb978bbd2e2f7dfe6add215e9fc21318e4ee313dbddb4c462c193044e35084db967695f4ddd08c6a1aa9c3ae207868b

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
493KB

MD5
0a74d5729757e332fa08e20cb0c7e863

SHA1
0bb92b7bfa48224e2b9f0c582a539b45dc3a458e

SHA256
b7fa239e2e27dc9235a45bce8618150984361bb10d92cc1d0767381958d3973a

SHA512
7f359a362ff7817d81904b22537927c03da66e7bb1347eaf7103ec3ce03ea580acf8700596bec4b017389836b11c49d7de133f82271cb789bd69f265c4f22ec7

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
492KB

MD5
d16cb486a23e486a9cf211de46131d4b

SHA1
538489e9570f4f0c9128d8e6fc19f1efb7cd352e

SHA256
b0fe72fc0e72b0ed9f1850569a3df56abd58fae3da6dea6038972df5aab3d9fe

SHA512
ed6792deb71d996656dc5dd1fccd3f49b9c4c3d47641b399a05d1be4f5a094b31e84cfe5539f090a9440cdb216210761eef8cc435e7d304f71eacbdc5b77a6af

Download Submit
memory/4164-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5000-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing