115d7055afbfa3cd5fcbef559fafb6bb4be68853fce2858331d158630f25f823

General

Target

9b78adad59c45eb1c89d81125001eed0_NeikiAnalytics.exe
Size

928KB
MD5

9b78adad59c45eb1c89d81125001eed0
SHA1

87fad15c99c4ee7645f30a062e7e4e390ce19eb4
SHA256

115d7055afbfa3cd5fcbef559fafb6bb4be68853fce2858331d158630f25f823
SHA512

0ca9b53f1fb5ee70e826d7177b07fe71af2a135819d8e0692ec421f1f798d4f25f13ba53bace87b0fb86ca3f4a113b2fe2bd68933b66940b6d647b38e1ec4898
SSDEEP

6144:Ouj8NDF3OR9/Qe2HdklrSqjzQtJnjqno2k29eLn4:xOF3ORK3d9QzQtJnjqno2k29F

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1360	casino_extensions.exe
2652	Casino_ext.exe
1556	LiveMessageCenter.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2652	Casino_ext.exe
2652	Casino_ext.exe
1556	LiveMessageCenter.exe
1556	LiveMessageCenter.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5052	9b78adad59c45eb1c89d81125001eed0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2024	5052	9b78adad59c45eb1c89d81125001eed0_NeikiAnalytics.exe	82
PID 5052 wrote to memory of 2024	5052	9b78adad59c45eb1c89d81125001eed0_NeikiAnalytics.exe	82
PID 5052 wrote to memory of 2024	5052	9b78adad59c45eb1c89d81125001eed0_NeikiAnalytics.exe	82
PID 2024 wrote to memory of 1360	2024	casino_extensions.exe	83
PID 2024 wrote to memory of 1360	2024	casino_extensions.exe	83
PID 2024 wrote to memory of 1360	2024	casino_extensions.exe	83
PID 1360 wrote to memory of 2652	1360	casino_extensions.exe	84
PID 1360 wrote to memory of 2652	1360	casino_extensions.exe	84
PID 1360 wrote to memory of 2652	1360	casino_extensions.exe	84
PID 2652 wrote to memory of 4496	2652	Casino_ext.exe	85
PID 2652 wrote to memory of 4496	2652	Casino_ext.exe	85
PID 2652 wrote to memory of 4496	2652	Casino_ext.exe	85
PID 4496 wrote to memory of 1556	4496	casino_extensions.exe	86
PID 4496 wrote to memory of 1556	4496	casino_extensions.exe	86
PID 4496 wrote to memory of 1556	4496	casino_extensions.exe	86
PID 1556 wrote to memory of 208	1556	LiveMessageCenter.exe	87
PID 1556 wrote to memory of 208	1556	LiveMessageCenter.exe	87
PID 1556 wrote to memory of 208	1556	LiveMessageCenter.exe	87
PID 208 wrote to memory of 2368	208	casino_extensions.exe	88
PID 208 wrote to memory of 2368	208	casino_extensions.exe	88
PID 208 wrote to memory of 2368	208	casino_extensions.exe	88

C:\Users\Admin\AppData\Local\Temp\9b78adad59c45eb1c89d81125001eed0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9b78adad59c45eb1c89d81125001eed0_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        7⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        8⤵
        
        PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
940KB

MD5
f75245decbe95fc0e335064a1fdba158

SHA1
398db427782d9ac189c77ff23492bcd99ba44c7c

SHA256
0c1b9159f3b24bc818e82d003dbeef5e2f768ce1f9402f58ad8be90470d846e8

SHA512
9b7562f53191f92faddeb7d9e295a75633acd7f1edcb4537cb9ef706627c6afd51b455b8922b2664f31ac2a16f7634595c46c6e9f26484939986f1358c0781cf

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
945KB

MD5
6399cc3c84586aa196e8c6ddfeae2988

SHA1
4ed61c14bb634f4cd622fe9b8d91a290032cc8cf

SHA256
0c18fcb51940cc0558395f96818f7ab70a76be16d4041ecdcfc513de64a78a3c

SHA512
611f0b99f95f871c94698b0eb0c202dbee3dfd13c889b0dadf75882b95db1cf0477d46a46739ae5130d7185e5a76722461821d8efe66d403c647f9d95611d264

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
940KB

MD5
f18298675c3dfaa3f9200bfadd8fc8ad

SHA1
beff6728ef941f769da33365a972c4ea850f2cab

SHA256
99a8dcf812bfb10ebfaa4b166188762eaa5a498faec7b24f9221410fef4dde8e

SHA512
ef92f9a9c7253516ceb8d8c2c6fb063f8720911a2efcc191b498a6f5d45b191b1f55a8b74fe4dc496a3f65681d842af6083891de2fb6b524fef662cb074ffcd4

Download Submit
memory/1360-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/5052-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing